Threat hunting

The Ultimate Guide to Threat Hunting

Claudio Dodt
July 13, 2018 by
Claudio Dodt


At its essence, cyberthreat hunting can be quite similar to real-world hunting. It requires a uniquely skilled professional possessed of considerable patience, critical thinking, creativity and a keen eye for spotting prey, usually in the form of network behavior abnormalities.

“But what exactly is the hunter looking for? And why do we need them?” asks the CEO. “Shouldn’t our systems be sufficiently protected, since we already implemented the most recent cybersecurity solutions?” That’s an easy question: the central pillar of threat hunting is understanding the simple fact that no system can be considered 100% protected. Even with the best and most current technology, there is always the chance that some advanced threat will be able to evade the several security layers protecting a company, and that is what we are looking for.

Become a certified threat hunter

Become a certified threat hunter

Learn how to find, assess and remove threats from your organization — and become a Certified Cyber Threat Hunting Professional, guaranteed!

Historically speaking, most companies have adopted an approach where once a security solution is deployed, it is focused on protecting against the majority of attacks – for example, in the case of an anti-malware solution, it’s usually quite efficient against malicious codes that have already been analyzed and mapped to a pattern. If it is a completely new piece of code, even the most recent, artificial-intelligence-based solutions may have a hard time detecting it.


That is where threat hunting comes in and creates a new security paradigm: it assumes that since it is not possible to prevent every attack, the company network will be compromised, and this will leave a trail leading to the prey.

So are you interested in joining the hunt? Here are a few essential points you should understand for creating an effective Cyber threat hunting program:

What is a Threat Hunter?

This information security professional also goes by the (not so cool) name of cybersecurity threat analyst. Usually working from a Managed Security Service Provider (MSSP) or the company’s own Security Operations Center (SOC), they employ both manual and software-assisted techniques to detect possible ongoing threats/incidents that have already eluded security systems.

This is by no means a simple task and it will require a highly skilled professional — not only in cybersecurity terms, but also in business knowledge and enterprise operations. For example, detecting a network behavior abnormality may be as simple as discovering an increased amount of traffic to a country that the company does not have any sort of business with. Unfortunately, not every attack uses this blunt approach.

Advanced threats can be quite subtle; in fact, they usually are! For instance, many data exfiltration techniques make use of encryption or a covert channel, such as DNS tunneling. In this case, data is encoded in DNS queries and responses and, at first glance, it will look pretty much the same of a normal connection. Yet a good hunter will quickly notice anomalies such as the size of request and response or the volume of DNS traffic per IP address or domain.

What Tools Does a Threat Hunter Need?

As mentioned before, hunting a cyber threat is not an easy task, and even an experienced hunter will most likely fail without the proper tools. Some essential items include:

  • Data: A hunter will need access to the logs of any meaningful device on your network: this includes servers, network devices (i.e. firewalls, switches, routers), databases, and endpoints. If this sounds like a lot of data, that’s because it is! A very important point is having a centralized location to assemble this data for analysis, including critical steps such as data collection, correlation, and normalization from the several different data points we just mentioned. In this case, a good SIEM solution is a hunter’s best friend.
  • Baselines: If the hunter is supposed to detect abnormalities, having a baseline of the network’s traffic behavior can be of immense value. In broader terms, a baseline will define what events are expected and authorized, making it easier to spot anomalies that must be investigated.
  • Threat Intelligence: It is not unusual for cyber-criminals to cooperate with each other, sharing information, codes and malicious artifacts. As more and more attacks with similar techniques occur, it increases the chance of a group or company having spotted it before. Threat intelligence (also commonly referred as cyber threat intelligence) is the process of acquiring, through multiple sources, actionable knowledge about threats to an environment.

A hunter with intel on a new attack may be able to quickly spot IOCs (Indicators of Compromise) or IOAs (Indicators of Attacks) within a network and act on this information.

What Should a Threat Hunter be Looking for?

This point goes back to the original CEO question: “what is the hunter looking for?” In fact, a very important starting point for threat hunting is defining prioritized intelligence requirements (PIR). In essence, PIR are high-level questions that – once answered – will provide the elements for a strategic cybersecurity response.

For example, PIR may be based on a set of speculations, such as: where does a threat come from? Are cyberthreats hiding in the noise, the multitude of logs and alerts that are handled every day? What is a vital company asset/information that is the most tempting to a potential threat, and how would they try to gain access to it? This sort of high-level questioning will allow the threat hunter to look more specific information. Are there a number of low-level alerts connected to a single indicator? Does the new threat intelligence information match our logs for the last 30 or 60 days? Are there any anomalies in remote sessions, such as using commands that were not seen before?

The answers to these questions form the trail a hunter will follow. This is accomplished by collecting data and interpreting the results based on whatever information/tools are available, spotting abnormalities and taking the necessary action to stopping active threats.

How to Define the Ideal Hunting Maturity Level

It is important to understand that there are several levels of maturity for a threat-hunting program. There are three essential factors that must be considered:

  • The quality of data collected
  • The tools used to collect and analyze the data
  • The skill and experience of the threat hunter

At the Initial maturity level (see chart below), an organization will primarily rely on automated alerting, with little or no routine for data collection – the human effort will basically be focused on alert resolution. At this point, even with the help of an experienced hunter, an organization will not be considered capable of threat hunting.

Reaching a higher maturity level takes some effort but, as expected, there is a huge difference in results. For example, an organization that has reached its Procedural maturity level (the most common amongst organizations that have active hunting programs) will be able to regularly apply adapted procedures for collecting/analyzing data, thus enabling threat hunting to become a reality.

As the gap between each maturity level can be significant, as well as the hunting results, it is very important to assess and determine the ideal level for a threat-hunting program.

How to Create a Threat Hunting Process

Once all elements of the threat hunting program are understood, it is not difficult to create a simple, yet very effective, process. The basic steps are:

  1. Collect and process data: Again, it is not possible to hunt for threats without quality data. It is essential to plan ahead and define what data must be collected and where it will be centralized and processed. As mentioned before, a SIEM solution is a hunter’s best friend.
  2. Establish a hypothesis: It is very important to know what you are hunting for, and it all begins with a business-oriented hypothesis based on the actual company context. The best approach is starting with simple, high-level questions that are meaningful for the company’s cybersecurity strategy. Again, this will allow the hunter to focus on real situations, resulting in a much more effective threat-hunting program.
  3. Hunt: Now for the fun part! Well, maybe not so fun. At times, threat hunting may be no more than crunching data and interpreting results for several hours, only to find a hypothesis has not been confirmed.As previously mentioned, a hunter must excel in technical expertise, combining areas such as information security, forensic science and intelligence analysis, but must also have a lot of patience.
  4. Identify threats: As expected, at some point your hypothesis will be proven to be valid and a threat will be identified. Now it’s time to understand how it affects the company. Is it a major ongoing security incident? Is it a cyberattack that’s just started? Is there a chance it is a false alert?All those questions must be answered by the hunter before defining the best course of action.
  5. Respond: After a threat is confirmed and the extent of the attack is known, the next step is creating a proper response. Of course, it is necessary to stop the current attack, remove eventual malware files and restore altered/deleted files to their original state, but it doesn’t stop there. It is also essential to understand what happened in order to improve security and prevent similar attacks in the future.For instance, it may be necessary to take actions such as updating firewall/IPS rules, develop new SIEM alerts, deploy security patches, and/or change system configurations. In other words: take every necessary step to ensure another breach is not likely to happen.


Concluding Thoughts

Threat hunting can provide significant value to a cybersecurity strategy. Based on the simple premise that no system is 100% secure, an experienced threat hunter can proactively detect and prevent even the most furtive attacker.

As expected, creating an effective threat-hunting program will take some effort: it’s essential to have the right professional and the necessary tools before committing to a specific strategy. A good approach is first defining what maturity level will provide the company with actual value, confirm if existing resources are sufficient, and create the right mix of experienced professionals, data collecting/processing tools and actionable intelligence. Let the hunt begin! No cyber threat will remain undetected, and no business will remain unprotected!

Become a certified threat hunter

Become a certified threat hunter

Learn how to find, assess and remove threats from your organization — and become a Certified Cyber Threat Hunting Professional, guaranteed!


A Simple Threat Hunting Maturity Model, Enterprise Detection & Response

Claudio Dodt
Claudio Dodt

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.