What is threat hunting?

Author

Matthew Kosinski

Staff Editor

IBM Think

Threat hunting, also known as cyberthreat hunting, is a proactive approach to identifying previously unknown or currently ongoing cyberthreats in an organization's network.

Threat hunting is important because it helps organizations strengthen their security postures against ransomware, insider threats and other cyberattacks that might otherwise go unnoticed.

While automated security tools and vigilant security operations center (SOC) analysts can detect most cybersecurity threats before they do major damage, some sophisticated threats can slip past these defenses.

When a malicious actor makes it into a system, they can lurk for weeks or even months before they’re discovered. According to IBM’s Cost of a Data Breach Report, it takes an average of 181 days to identify that a data breach has occurred. All the while, attackers are siphoning off data and stealing credentials to unlock further access. 

How much damage can these potential threats do? According to the Cost of a Data Breach Report, the average breach costs a company USD 4.88 million. The longer the time between initial access and containment, the more it can cost an organization.  

Effective threat hunting involves security teams proactively searching for these hidden threats. As a result, organizations can discover intrusions and deploy mitigations much more quickly, reducing the damage attackers can do.

How cyberthreat hunting works

Cyberthreat hunters are skilled cybersecurity professionals. They are usually security analysts from within a company's IT department who know the organization’s operations well, but sometimes they're outside analysts. Threat hunting teams use security automation to help search, log, monitor and neutralize threats before they can cause serious problems.

Threat hunting programs are grounded in data—specifically, the datasets gathered by an organization’s threat detection systems and other enterprise security solutions.  

During the threat hunting process, threat hunters comb through this security data, searching for hidden malware, stealth attackers and any other signs of suspicious activity that automated systems might have missed.  

When threat hunters find something, they spring into action, eradicating the threat and shoring up defenses to make sure that it doesn’t happen again.

Types of threat hunting

Hunters begin with a hypothesis based on their observations, security data or some other trigger. The hypothesis serves as a springboard for a more in-depth investigation into potential threats.  

Investigations usually take one of three forms: structured hunting, unstructured hunting or situational hunting.

Structured hunting

Formal frameworks, such as the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, guide structured hunts. They search for defined indicators of attack (IoAs) and the tactics, techniques and procedures (TTPs) of known threat actors.

Unstructured hunting

An unstructured hunt is more reactive than a structured hunt. It is often triggered by the discovery of an indicator of compromise (IoC) in an organization’s system. Hunters then look for what caused the IoC and whether it is still at large in the network.  

Situational or entity-driven hunting

A situational hunt is a response to an organization’s unique situation. It is usually driven by the results of an internal risk assessment or a trends and vulnerabilities analysis of the IT environment.  

Entity-driven hunts focus specifically on critical assets and systems in a network. Threat hunters identify cyberthreats that might pose a risk to these entities and search for signs of ongoing compromises.  

Hunting models

Intel-based hunting

Intel-based hunting is based on IoCs from threat intelligence sources. Threat hunters use tools such as security information and event management (SIEM) systems to monitor for known IoCs, such as hash values, IP addresses, domain names and host artifacts. When IoCs are discovered, hunters investigate potential malicious activity by examining the network’s status before and after the alert.
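As an added example, not code from the article or from IBM: a small Python hunt that matches constructed SIEM-style log lines against a constructed IoC set of the kinds named above (a hash value, an IP address, a domain name and a host artifact) and returns each hit together with the same host's neighbouring events, the before-and-after context an analyst would examine. The log format, the indicator values and the function names are assumptions.

```python
# Added example (not from the IBM article): a minimal intel-based hunt that
# scans SIEM-style log lines for known IoCs and returns each hit with the
# host's surrounding events. All indicators and log lines are constructed.

HASH = "c0ffee" * 10 + "c0ff"                 # 64 hex chars, constructed
PATH = "C:\\Users\\Public\\svc_upd.exe"        # constructed host artifact

# IoC kinds the article names: hash values, IP addresses, domain names,
# host artifacts. 192.0.2.0/24 is a documentation range, not a real host.
IOCS = {
    "hash": {HASH},
    "ip": {"192.0.2.45"},
    "domain": {"update.example.net"},
    "host_artifact": {PATH},
}

# Constructed log lines normalized to "timestamp|host|event".
SAMPLE_LOGS = [
    "2024-05-01T09:00:01|ws-17|logon user=alice",
    "2024-05-01T09:02:11|ws-17|dns query=update.example.net",
    "2024-05-01T09:02:12|ws-17|net connect dst=192.0.2.45:443",
    f"2024-05-01T09:02:30|ws-17|file create path={PATH} sha256={HASH}",
    f"2024-05-01T09:03:00|ws-17|process start image={PATH}",
    "2024-05-01T09:10:00|ws-22|logon user=bob",
]

def parse(line):
    ts, host, event = line.split("|", 2)
    return {"ts": ts, "host": host, "event": event}

def hunt(lines, iocs=IOCS, context=1):
    """Return one hit per event containing a known IoC. Each hit carries
    the matched (kind, value) pairs plus up to `context` events from the
    same host before and after the match, for the analyst to review."""
    events = [parse(line) for line in lines]
    hits = []
    for ev in events:
        matched = [(kind, v) for kind, vals in iocs.items()
                   for v in vals if v in ev["event"]]
        if not matched:
            continue
        same_host = [e for e in events if e["host"] == ev["host"]]
        j = same_host.index(ev)
        hits.append({
            "ts": ev["ts"], "host": ev["host"], "iocs": matched,
            "before": [e["event"] for e in same_host[max(0, j - context):j]],
            "after": [e["event"] for e in same_host[j + 1:j + 1 + context]],
        })
    return hits
```

Running `hunt(SAMPLE_LOGS)` yields four hits, all on ws-17, and the file-create event matches two indicators at once (the hash and the host artifact), which is the kind of clustering that turns a single IoC alert into a hunt lead.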

Hypothesis-based hunting

Hypothesis-based hunting is guided by the known IoAs recorded in frameworks such as MITRE ATT&CK. Hypothesis-based hunts explore whether attackers can use certain TTPs to gain access to a particular network. When a behavior is identified, threat hunters can monitor activity patterns to detect, identify and isolate any threats that use that behavior.  

Because of their proactive nature, hypothesis-based hunts can help identify and stop advanced persistent threats (APTs) before they do extensive damage.

Custom hunting

Custom hunting is based on an organization’s context: previous security incidents, geopolitical issues, targeted attacks, alerts from security systems and other factors. Custom hunts can combine the qualities of intel-based and hypothesis-based hunting methodologies.  

Threat hunting tools

Security teams use various tools to assist in threat hunts. Some of the most common include:

Security information and event management (SIEM)

SIEM is a security solution that helps organizations recognize and address threats and vulnerabilities before they have a chance to disrupt business operations. SIEMs can help detect attacks earlier and reduce the number of false positives that threat hunters must investigate.

Endpoint detection and response (EDR) 

EDR software uses real-time analytics and AI-driven automation to protect an organization's end users, endpoint devices and IT assets against cyberthreats that get past traditional endpoint security tools.

Managed detection and response (MDR) 

MDR is a cybersecurity service that monitors, detects and responds to threats in real time. It combines advanced technology and expert analysis to drive proactive threat hunting, enable effective incident response and perform swift threat remediation.

Security analytics

These systems offer deeper insights into security data by combining big data with sophisticated machine learning and artificial intelligence tools. Security analytics can accelerate cyberthreat hunting by providing detailed observability data.

Threat hunting versus threat intelligence

Threat intelligence, also called “cyberthreat intelligence,” is detailed, actionable information that organizations can use to prevent and fight cybersecurity threats.

Threat intelligence offers organizations insights into both the latest threats targeting their networks and the broader threat landscape. 

Threat hunters use threat intelligence to conduct thorough, system-wide searches for bad actors. In other words, threat hunting begins where threat intelligence ends. It turns the insights of threat intelligence into concrete actions necessary to eradicate existing threats and prevent future attacks.
