Threat Hunting
Threat hunting is a proactive cybersecurity approach that involves actively searching an environment for threats that automated tools have not detected. Threat hunters use hypotheses, knowledge of attacker TTPs (tactics, techniques and procedures), and data analysis to identify advanced attackers.
What is Threat Hunting?
Threat Hunting Definition
Threat hunting is a proactive and iterative process of searching for threats that have evaded existing security controls. Unlike reactive monitoring (waiting for alerts), threat hunting assumes that threats may already exist in the environment and actively seeks them out using advanced analysis and hypotheses.
Threat Hunting vs Monitoring
| Aspect | Monitoring/SOC | Threat Hunting |
|---|---|---|
| Approach | Reactive | Proactive |
| Trigger | Alert | Hypothesis |
| Goal | Incident response | Finding unknown threats |
| Automation | High | Low (human-driven) |
Threat Hunting Process
1. Hypothesis:
- Creating a theory about potential threats
- Based on TI, TTPs, industry knowledge
- Example: “Attacker may be using PowerShell for persistence”
2. Data collection:
- Identifying relevant data sources
- Logs, telemetry, network traffic
- Ensuring data availability
3. Investigation:
- Data analysis
- Anomaly search
- Correlation
4. Resolution:
- Confirming or rejecting hypothesis
- Documenting findings
- Detection improvement
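The four steps above, run end to end against the page's own example hypothesis ("Attacker may be using PowerShell for persistence"). This is an added example, not code from the original page: the telemetry lines are constructed, the field names (ts, host, user, parent, image, cmd) are an assumption standing in for a generic EDR process-creation export rather than any vendor's schema, and the indicator weights are the hunter's judgement for this example, not a published scoring scheme.

```python
"""Worked hunt for "Attacker may be using PowerShell for persistence".
Added example; telemetry and field names below are constructed."""
import json
import re
from collections import Counter
from datetime import datetime, timedelta

# Step 1 - hypothesis, kept as data so it travels with the findings.
HYPOTHESIS = "Attacker may be using PowerShell for persistence"

# Step 2 - constructed process-creation telemetry (JSON Lines), one event per line.
SAMPLE_TELEMETRY = r"""
{"ts":"2024-05-01T08:02:11Z","host":"ws-017","user":"alice","parent":"explorer.exe","image":"powershell.exe","cmd":"powershell.exe -NoProfile Get-ChildItem C:\\Projects"}
{"ts":"2024-05-01T08:15:40Z","host":"ws-017","user":"alice","parent":"code.exe","image":"powershell.exe","cmd":"powershell.exe -File build.ps1"}
{"ts":"2024-05-01T03:12:05Z","host":"ws-042","user":"SYSTEM","parent":"svchost.exe","image":"powershell.exe","cmd":"powershell.exe -w hidden -enc QQBBAEEAQQA="}
{"ts":"2024-05-01T03:12:07Z","host":"ws-042","user":"SYSTEM","parent":"powershell.exe","image":"reg.exe","cmd":"reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\u.ps1"}
{"ts":"2024-05-01T09:30:00Z","host":"srv-db1","user":"svc_backup","parent":"schtasks.exe","image":"powershell.exe","cmd":"powershell.exe -File C:\\Scripts\\backup.ps1"}
{"ts":"2024-05-01T11:47:22Z","host":"ws-099","user":"bob","parent":"winword.exe","image":"powershell.exe","cmd":"powershell.exe -nop -w hidden -File C:\\Users\\bob\\AppData\\Local\\Temp\\inv.ps1"}
"""

# Indicators the hunter chooses to test, with weights (an assumption for this example).
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
ENCODED = re.compile(r"-e(nc|ncodedcommand)?\s+\S+", re.IGNORECASE)
OFFICE_PARENT = re.compile(r"^(winword|excel|outlook)\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
WEIGHTS = {"hidden_window": 2, "encoded_command": 2, "office_parent": 3,
           "off_hours": 1, "run_key_persistence": 3}


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_event(ev):
    """Step 3a - which indicators does a single PowerShell launch match?"""
    hits = []
    if HIDDEN.search(ev["cmd"]):
        hits.append("hidden_window")
    if ENCODED.search(ev["cmd"]):
        hits.append("encoded_command")
    if OFFICE_PARENT.match(ev["parent"]):
        hits.append("office_parent")
    hour = parse_ts(ev["ts"]).hour
    if hour < 6 or hour >= 22:
        hits.append("off_hours")
    return hits


def correlate_run_key(ps_event, events, window=timedelta(minutes=5)):
    """Step 3b - correlation: did a child of this PowerShell process write an
    autorun (Run key) registry value on the same host shortly afterwards?"""
    t0 = parse_ts(ps_event["ts"])
    for other in events:
        if other["host"] != ps_event["host"] or other["parent"].lower() != "powershell.exe":
            continue
        delta = parse_ts(other["ts"]) - t0
        if RUN_KEY.search(other["cmd"]) and timedelta(0) <= delta <= window:
            return other
    return None


def hunt(telemetry_text, threshold=3):
    """Step 3 - analysis over the collected data; returns scored findings."""
    events = load_events(telemetry_text)
    findings = []
    for ev in events:
        if ev["image"].lower() != "powershell.exe":
            continue
        hits = score_event(ev)
        linked = correlate_run_key(ev, events)
        if linked:
            hits.append("run_key_persistence")
        score = sum(WEIGHTS[h] for h in hits)
        if score >= threshold:
            findings.append({
                "host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                "indicators": hits, "score": score,
                "evidence": [ev["cmd"]] + ([linked["cmd"]] if linked else []),
            })
    return findings


def resolve(findings):
    """Step 4 - confirm or reject the hypothesis, document the findings and
    note which indicators fired most (candidates for a permanent detection)."""
    counts = Counter(i for f in findings for i in f["indicators"])
    return {
        "hypothesis": HYPOTHESIS,
        "verdict": "confirmed" if findings else "rejected",
        "hosts": sorted({f["host"] for f in findings}),
        "top_indicators": [name for name, _ in counts.most_common(3)],
    }


if __name__ == "__main__":
    print(json.dumps(resolve(hunt(SAMPLE_TELEMETRY)), indent=2))
```

On the constructed data the two developer and backup launches score zero, the hidden, encoded, off-hours launch on ws-042 is tied to the Run-key write two seconds later, and the Office-spawned launch on ws-099 is flagged on parent alone. The `top_indicators` list is the "detection improvement" output of step 4: the indicators that actually separated the findings from the noise are the ones worth turning into a standing rule.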
Hunting Methodologies
Intelligence-driven:
- IOCs from threat intelligence
- Known TTPs of APT groups
- Current campaigns
Hypothesis-driven:
- Based on attacker knowledge
- “If I were an attacker…”
- MITRE ATT&CK as a base
Data-driven:
- Anomaly analysis
- Statistical baselines
- Machine learning
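The data-driven methodology, and in particular the "statistical baselines" item, as an added example that is not code from the original page. The daily PowerShell launch counts and the parent-child process pairs are constructed; the analysis uses only the Python standard library. It shows two baselines a hunter typically combines: each host compared with its own history (a robust median/MAD z-score, so the outlier does not drag the baseline toward itself), and fleet-wide rarity of parent-child pairs.

```python
"""Data-driven hunt over constructed per-host telemetry summaries.
Added example; the counts and process pairs below are made up."""
from collections import defaultdict
from statistics import median

# Constructed: powershell.exe launches per host per day over a 14-day window.
# ws-042 is quiet except for one day; srv-db1 runs a scheduled job daily.
DAILY_PS_COUNTS = {
    "ws-017": [3, 4, 3, 5, 4, 3, 4, 3, 5, 4, 3, 4, 3, 4],
    "ws-042": [1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 38],
    "srv-db1": [12] * 14,
}

# Constructed: distinct (host, parent, child) process-creation pairs observed.
PROCESS_PAIRS = [
    ("ws-017", "explorer.exe", "powershell.exe"), ("ws-017", "code.exe", "powershell.exe"),
    ("ws-042", "explorer.exe", "powershell.exe"), ("ws-042", "svchost.exe", "powershell.exe"),
    ("ws-099", "explorer.exe", "powershell.exe"), ("ws-099", "winword.exe", "powershell.exe"),
    ("srv-db1", "explorer.exe", "powershell.exe"), ("srv-db1", "schtasks.exe", "powershell.exe"),
]


def robust_z(series):
    """Median/MAD z-scores. A mean/stddev baseline is pulled toward the very
    outlier we are looking for; the median is not. 1.4826 rescales MAD to a
    stddev equivalent for roughly normal data. The floor of 1.0 launch/day
    avoids dividing by zero when MAD is 0 and stops a near-constant host from
    being flagged for a single extra launch."""
    med = median(series)
    scale = max(1.4826 * median([abs(x - med) for x in series]), 1.0)
    return [(x - med) / scale for x in series]


def volume_anomalies(counts_by_host, z_threshold=3.5):
    """Per-host baseline: each host is compared with its own history, so a
    busy server is not an anomaly merely because it is busier than laptops."""
    out = []
    for host, series in counts_by_host.items():
        for day, (count, z) in enumerate(zip(series, robust_z(series))):
            if z >= z_threshold:
                out.append((host, day, count, round(z, 2)))
    return out


def rare_parent_pairs(pairs, max_hosts=1):
    """Fleet-wide rarity: a parent/child combination seen on very few hosts is
    worth a look. Rarity is not malice (a developer's editor spawning
    PowerShell is rare and benign), so this yields triage candidates only."""
    hosts = defaultdict(set)
    for host, parent, child in pairs:
        hosts[(parent, child)].add(host)
    return sorted((parent, child, sorted(h)) for (parent, child), h in hosts.items()
                  if len(h) <= max_hosts)


def data_driven_hunt(counts_by_host=DAILY_PS_COUNTS, pairs=PROCESS_PAIRS):
    return {"volume_anomalies": volume_anomalies(counts_by_host),
            "rare_parent_pairs": rare_parent_pairs(pairs)}


if __name__ == "__main__":
    for name, rows in data_driven_hunt().items():
        print(name, rows)
```

With these inputs only the 38-launch day on ws-042 crosses the volume threshold, while srv-db1's constant twelve launches never do; the rarity pass returns four single-host parents, of which the developer's editor and the backup scheduler are expected and the other two are what the hunter triages next. Both lists are hypotheses for a human, not verdicts, which is why the page lists data-driven hunting beside, not instead of, hypothesis-driven hunting.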
Data Sources for Hunting
- EDR telemetry
- SIEM logs
- Network traffic (NDR)
- Cloud logs
- DNS queries
- Authentication data
Threat Hunting Tools
- EDR: CrowdStrike, Microsoft Defender, SentinelOne
- SIEM: Splunk, Elastic, Microsoft Sentinel
- Analysis: Jupyter notebooks, Python
- Visualization: Kibana, Grafana
Threat Hunting Maturity
- Level 0: No hunting capability
- Level 1: Minimal - IOC-based searches
- Level 2: Procedural - Regular hunts
- Level 3: Innovative - Custom hypothesis development
- Level 4: Leading - Automated, continuous hunting
Benefits of Threat Hunting
- Detection of advanced threats (APT)
- Dwell time reduction
- Detection improvement
- Team competency building
- Security posture understanding
Threat hunting is an advanced SOC capability that enables detection of threats that evade automated systems.