Threat Hunting: Detecting Threats

By Fakhar Imam
November 26, 2018


There has been a recent colossal surge in targeted attacks, including complex penetration techniques, compromise of users’ credentials, fileless malware, abuse of legitimate privileges, use of legitimate software such as Microsoft PowerShell, and exploitation of weaknesses in companies’ security policies and misconfigurations. This has led enterprise organizations to acknowledge the importance of detecting and remediating threats in a timely fashion.

According to the latest Enterprise Risk Index Report published by the endpoint security company SentinelOne, the first half of 2018 saw a 94% rise in fileless malware attacks. The report also found that PowerShell attacks compromised 5.2 out of every 1,000 endpoints.


Do you think that old-fashioned techniques such as antivirus and firewalls are enough to protect your corporate IT infrastructure? Have they prevented, or even reduced the frequency of, cyber-attacks over the past several years? Very likely not. Modern cybersecurity must be proactive in nature rather than reactive and alert-driven, as SIEM, antivirus and firewalls are.

That is why threat hunting represents the next jump in cyber-warfare. Nowadays, companies deploy threat hunting in their Security Operations Center (SOC) to detect threats, which is a crucial need in the new cybersecurity paradigm. Threat hunting finds threats already hiding within the company: it is a proactive search capability conducted by highly experienced and qualified security professionals known as threat hunters.

In this article, you will see how effective threat hunting is performed.

What Are Your Detection Possibilities?

There are various situations that can be analyzed to determine whether abnormal activity is taking place in your IT environment. For example, you need to check your operating systems, applications, firewalls and other critical devices against a baseline of what is normal for each application or system. Track changes occurring at endpoints and correlate them with application logs and system events. Such changes can be detected in:

  • Open ports
  • Communication activity
  • Running processes
  • User behavior
  • The registry
  • Installed software
  • User account information and privileges

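As an added example (not code from the original article), the following Python script compares a current endpoint snapshot with a known-good baseline across the categories listed above and turns each difference into a question for the hunter to answer. Both snapshots are constructed dictionaries; a real hunt would populate them from an endpoint agent, an inventory tool or periodic scans, and the triage wording is an assumption.

```python
"""Baseline comparison of an endpoint snapshot (added example, not from the article).

Both snapshots are constructed; in practice they come from an endpoint agent,
an inventory tool or periodic scans.
"""
from typing import Any

# Constructed baseline captured when the host was known to be clean.
BASELINE = {
    "open_ports": {22, 443},
    "processes": {"sshd", "nginx", "cron"},
    "software": {"nginx 1.18", "openssh 8.2"},
    "accounts": {"root": "admin", "www-data": "service", "alice": "user"},
}

# Constructed current snapshot containing a few deliberate deviations.
CURRENT = {
    "open_ports": {22, 443, 4444},
    "processes": {"sshd", "nginx", "cron", "powershell"},
    "software": {"nginx 1.18", "openssh 8.2", "unknown-tool 0.1"},
    "accounts": {"root": "admin", "www-data": "service", "alice": "admin", "bob": "user"},
}


def diff_sets(baseline: set, current: set) -> dict[str, set]:
    """What appeared and what disappeared relative to the baseline."""
    return {"added": current - baseline, "removed": baseline - current}


def diff_accounts(baseline: dict, current: dict) -> dict[str, Any]:
    """Account changes, including privilege changes on accounts that already existed."""
    added = {u: r for u, r in current.items() if u not in baseline}
    removed = {u: r for u, r in baseline.items() if u not in current}
    changed = {u: (baseline[u], current[u])
               for u in baseline if u in current and baseline[u] != current[u]}
    return {"added": added, "removed": removed, "privilege_changed": changed}


def compare_snapshots(baseline: dict, current: dict) -> dict[str, Any]:
    """Return only the categories in which something changed."""
    findings: dict[str, Any] = {}
    for key in ("open_ports", "processes", "software"):
        delta = diff_sets(baseline[key], current[key])
        if delta["added"] or delta["removed"]:
            findings[key] = delta
    accounts = diff_accounts(baseline["accounts"], current["accounts"])
    if any(accounts.values()):
        findings["accounts"] = accounts
    return findings


def hunt_leads(findings: dict[str, Any]) -> list[str]:
    """Translate raw deltas into the questions a hunter should answer next."""
    leads = []
    for port in sorted(findings.get("open_ports", {}).get("added", ())):
        leads.append(f"new listening port {port}: which process owns it and who connects to it?")
    for proc in sorted(findings.get("processes", {}).get("added", ())):
        leads.append(f"new process {proc}: is it covered by a change record or policy?")
    for pkg in sorted(findings.get("software", {}).get("added", ())):
        leads.append(f"new software {pkg}: approved installation or unauthorized?")
    acc = findings.get("accounts", {})
    for user in sorted(acc.get("added", ())):
        leads.append(f"new account {user}: who created it and when?")
    for user, (old, new) in sorted(acc.get("privilege_changed", {}).items()):
        leads.append(f"account {user} changed from {old} to {new}: authorized escalation?")
    return leads


if __name__ == "__main__":
    for lead in hunt_leads(compare_snapshots(BASELINE, CURRENT)):
        print(lead)
```

The comparison deliberately reports privilege changes on existing accounts separately from new accounts, because an escalation of an account that was already present is easy to miss when only additions and removals are diffed.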
A threat leaves various effects or changes behind, and you should anticipate them if and when a threat takes up residence in your corporate network. Several detection methods are used to track down such changes in your environment, including:

Policy Violations

Policy violations may provide an indication of a threat. For instance, system changes such as upgrades or periodic maintenance, new software installations, account changes or the addition of new users may reveal an adversary in your corporate network. Because the same actions are also routine administrative work, each violation should be checked against change-management and maintenance records before it is treated as hostile.

Anomaly Detection

Anomaly detection is a two-step approach: analysts first train a system with data to develop a notion of normality, then apply the established profile to real data to flag deviations. For example, analysts can take features of benign URLs, such as their character distribution and length, to define what a normal URL should look like. With this notion of normality, analysts can flag URLs whose characters or length differ markedly from the norm. Anomalies are also known as outliers.

Anomaly detection is commonly used to detect fraud in credit card transactions and to identify odd patterns in network traffic that could be a subtle sign of a compromise. It is primarily a data-mining process used to identify the types of anomalies that occur in a given dataset.

Anomalies usually fall into three categories:

  1. Point Anomaly: a single data instance is anomalous if it is too far from the norm. For example, detecting debit card fraud based on the amount spent.
  2. Collective Anomaly: several data instances, taken together, reveal the anomaly. For instance, a threat actor unexpectedly copying data from a remote machine to a local host would indicate a potential threat even if each individual transfer looks ordinary.
  3. Contextual Anomaly: the abnormality is context-specific. Contextual anomalies are prevalent in time-series data; for example, login attempts by employees on workdays are normal but are certainly odd when detected on the weekend.

Hunters use several anomaly detection techniques including Simple Statistical Methods, Density-Based Anomaly Detection, Clustering-Based Anomaly Detection and Support Vector Machine-Based Anomaly Detection.
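The two-step URL example and the three anomaly categories above, as an added Python example that is not part of the original article. It uses the simplest of the statistical methods just named: a z-score per feature against a profile fitted on benign URLs. The training URLs, the suspicious URL (built on the 203.0.113.0/24 documentation range), the feature set and all thresholds are constructed assumptions for illustration.

```python
"""Anomaly detection on URL features, plus contextual and collective checks
(added example, not from the article; all data and thresholds are constructed)."""
import math
import statistics
from collections import Counter
from datetime import datetime

# Constructed benign URLs used to train the notion of normality (step 1).
BENIGN_URLS = [
    "https://intranet.example.com/home",
    "https://intranet.example.com/docs/policy.pdf",
    "https://mail.example.com/inbox",
    "https://mail.example.com/sent",
    "https://wiki.example.com/teams/security",
    "https://wiki.example.com/teams/finance",
    "https://hr.example.com/payroll",
    "https://hr.example.com/benefits/2018",
    "https://intranet.example.com/news",
    "https://files.example.com/share/q3-report.xlsx",
]

# Constructed URL with a random-looking path and an encoded parameter.
SUSPICIOUS_URL = "http://203.0.113.5/x7Gq2ZpL9vNm4bTk8rWy3Jh/a.php?id=QmFzZTY0ZW5jb2RlZA=="


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking strings score higher than words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def url_features(url: str) -> dict[str, float]:
    """Length plus two character-distribution features, as in the text."""
    non_alnum = sum(1 for ch in url if not ch.isalnum())
    return {
        "length": float(len(url)),
        "entropy": shannon_entropy(url),
        "non_alnum_ratio": non_alnum / len(url),
    }


def fit_profile(urls: list[str]) -> dict[str, tuple[float, float]]:
    """Step 1: per-feature mean and spread learned from benign data."""
    columns: dict[str, list[float]] = {name: [] for name in url_features(urls[0])}
    for url in urls:
        for name, value in url_features(url).items():
            columns[name].append(value)
    # A zero spread would divide by zero; fall back to a tiny epsilon.
    return {name: (statistics.mean(v), statistics.pstdev(v) or 1e-9)
            for name, v in columns.items()}


def score_url(profile: dict, url: str, threshold: float = 3.0) -> dict:
    """Step 2: z-score each feature; a point anomaly is any feature far from its mean."""
    zscores = {name: (value - profile[name][0]) / profile[name][1]
               for name, value in url_features(url).items()}
    reasons = [name for name, z in zscores.items() if abs(z) > threshold]
    return {"url": url, "zscores": zscores, "anomalous": bool(reasons), "reasons": reasons}


def is_contextual_login_anomaly(timestamp: str) -> bool:
    """Contextual anomaly: the same login is normal on a workday, odd on the weekend."""
    return datetime.fromisoformat(timestamp).weekday() >= 5


def is_collective_copy_anomaly(sizes_mb: list[float],
                               per_file_limit_mb: float = 50,
                               session_limit_mb: float = 500) -> bool:
    """Collective anomaly: every copy looks harmless alone, the session as a whole does not.
    A single oversized copy is left to the point-anomaly check instead."""
    return all(s <= per_file_limit_mb for s in sizes_mb) and sum(sizes_mb) > session_limit_mb


if __name__ == "__main__":
    profile = fit_profile(BENIGN_URLS)
    for candidate in (BENIGN_URLS[0], SUSPICIOUS_URL):
        print(score_url(profile, candidate))
    print(is_contextual_login_anomaly("2018-11-24T10:15:00"))  # Saturday
    print(is_collective_copy_anomaly([40] * 15))
```

Ten training URLs are far too few for production use; the point is the structure (fit on benign data, then score new data) and that each anomaly category needs a different shape of check: a single feature value, a whole session, or a value interpreted in its time context.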

Behavior Detection

Unlike anomaly detection, where analysts develop a notion of normality, behavior detection identifies adversaries by investigating the artifacts their behavior produces when they interact with the environment. For example, hunters may detect repeated authentication attempts from a remote location. Such attempts can be a sign of odd, bad or illicit behavior.

Adversaries often obfuscate malicious code to evade your static detection technologies. They may aim to delete shadow copies or original files, encrypt critical files and locate files of interest on a targeted system. The best behavior detection techniques, however, identify the malicious nature of such code before the execution stage by raising an alarm, terminating the process and, finally, rolling back all changes.

Behavior detection assists in preventing fileless malware, detecting unknown malicious patterns, and implementing a “Memory Protection” mechanism.

Investigate Spikes in Different Activities

A spike is an unusual increase in a specific type of activity; for instance, too many login attempts by a specific account or an exponential rise in file modifications could indicate a threat. It is imperative to look for spikes in activity. If a spike is detected, analysts should investigate whether it represents an actual threat.
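The remote authentication example from the behavior detection section and the spike check described here, combined in one added Python example that is not part of the original article. It runs two detections over the same set of log lines: a behavior rule (repeated failed logins from outside the corporate address ranges) and a spike rule (an account's hourly event count far above its own median for the day). The log format, every event, the internal address prefixes and the thresholds are constructed assumptions.

```python
"""Behavior detection and spike detection over auth and file-activity log lines
(added example, not from the article; the log format and events are constructed)."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed log lines: "<ISO timestamp> <event> user=<name> src=<ip>".
RAW_LOG = [
    "2018-11-26T08:00:01 auth_success user=alice src=10.0.0.5",
    "2018-11-26T09:00:12 auth_success user=alice src=10.0.0.5",
] + [
    # Eight failed logins for bob from an external address within 15 seconds.
    f"2018-11-26T09:10:{s:02d} auth_failure user=bob src=203.0.113.7"
    for s in range(0, 16, 2)
] + [
    # svc_backup normally touches two files an hour ...
    f"2018-11-26T{h:02d}:{m:02d}:00 file_modify user=svc_backup src=10.0.0.9"
    for h in (8, 9, 10, 11) for m in (5, 35)
] + [
    # ... and then modifies 40 files within a single hour.
    f"2018-11-26T12:{m:02d}:00 file_modify user=svc_backup src=10.0.0.9"
    for m in range(40)
]

# Assumed internal address prefixes; adjust to your own ranges.
INTERNAL_PREFIXES = ("10.", "192.168.")


def parse_events(lines: list[str]) -> list[dict]:
    """Turn each constructed log line into a dict with a parsed timestamp."""
    events = []
    for line in lines:
        ts, action, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "action": action,
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def remote_auth_failures(events: list[dict], min_attempts: int = 5) -> dict:
    """Behavior rule: repeated failed authentication from outside the corporate ranges."""
    counts = Counter((e["user"], e["src"]) for e in events
                     if e["action"] == "auth_failure" and not is_internal(e["src"]))
    return {key: n for key, n in counts.items() if n >= min_attempts}


def hourly_counts(events: list[dict], action: str) -> dict:
    """Per-user count of one event type in each hour bucket."""
    buckets: dict = defaultdict(Counter)
    for e in events:
        if e["action"] == action:
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            buckets[e["user"]][hour] += 1
    return buckets


def find_spikes(events: list[dict], action: str,
                factor: float = 5.0, min_windows: int = 3) -> dict:
    """Spike rule: an hour whose count exceeds `factor` times the median of the
    user's other hours. Hours with no events are absent from the buckets, so the
    median reflects active hours only; a quiet account needs `min_windows` of
    history before it is judged at all."""
    spikes = {}
    for user, per_hour in hourly_counts(events, action).items():
        if len(per_hour) < min_windows:
            continue
        for hour, n in per_hour.items():
            others = [c for h, c in per_hour.items() if h != hour]
            if n > factor * median(others):
                spikes[(user, hour)] = n
    return spikes


def hunt(lines: list[str]) -> dict:
    """Run both detections and return the leads together."""
    events = parse_events(lines)
    return {
        "remote_auth_failures": remote_auth_failures(events),
        "file_modify_spikes": find_spikes(events, "file_modify"),
    }


if __name__ == "__main__":
    for name, leads in hunt(RAW_LOG).items():
        print(name, leads)
```

The spike rule compares each account with its own history rather than with a global threshold, which is what keeps a backup service account's normal bulk activity from paging the team while still catching the hour in which its volume jumps twentyfold.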

Detection: Automated Engines Versus Manual Hunting

Threat detection can be performed both through automated engines such as Endpoint Detection and Response (EDR) tools and through manual hunting techniques. No matter which technique you use, the first priority should be to detect an intrusion at the earliest stage in order to minimize disruption and lower the financial impact. Therefore, effectiveness and speed are of paramount importance. Manual hunting alone is typically neither the most effective nor the fastest approach.

An automated engine, on the other hand, can help you discover threats in the network using your aggregated data. It performs multi-layered and multi-dimensional analysis that continuously produces not just new incidents but also actionable intelligence. These features help analysts make the right decisions and avoid spending time on unnecessary events.

Using multiple detection technologies improves analysts’ chances of detecting intrusions and attacks quickly, before they become a serious incident. Modern EDR tools should incorporate several detection engines to ensure advanced threat detection, combining static, behavior-based and dynamic analysis with real-time access to machine learning technologies and global threat intelligence.


Cyber-threats are evolving significantly faster than the defenses and protections that businesses deploy. With poor or outdated security defenses, companies bear the brunt of data security regulations such as GDPR and PCI DSS, which can mean compliance penalties, financial loss and reputational damage. Therefore, organizations must have a strong security posture in place. To prevent information security threats, companies must protect their network perimeter. A SOC that incorporates threat-hunting capabilities, incident response teams and various other analysts can help enterprises detect threats and enhance their security posture.


Fakhar Imam is a professional writer who holds a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics including computer forensics, CISSP and various other IT-related subjects.