Cybersecurity Glossary

Table of Contents

  • What is threat hunting?
  • Why is it important?
  • Threat hunting best practices
  • Benefits
  • Tips for more effective threat hunting
  • Frequently asked questions

Threat Hunting

What is threat hunting?

Threat hunting is a proactive approach in cybersecurity where skilled analysts search for hidden threats within an organization’s environment that automated security tools have not detected. Unlike traditional detection methods that rely on predefined signatures and alerts, threat hunting is a hands-on, investigative process aimed at sophisticated threats, including exploitation of zero-day vulnerabilities, advanced persistent threats (APTs), and malicious insiders.

Why is it important?

The SANS Institute’s 2020 threat hunting survey showed that 65% of organizations already have threat hunting programs and that a further 29% plan to implement threat hunting practices over the next year.[1]

Many companies pair their malware analysis programs with threat hunting programs, ensuring that they consistently identify both active and dormant threats across their environment.

For example, in 2020, SolarWinds used ReversingLabs threat hunting tools to locate the active threats behind the supply chain attack that had targeted it, an attack that impacted some 18,000 organizations and generated $40 million in damages.[2]

Without threat hunting, relying on malware analysis tools alone, this attack could have remained undetected for the foreseeable future, reaching more users and causing more damage to victims’ systems.

Threat hunting best practices

To maximize the effectiveness of a threat hunting program, organizations should adhere to several best practices related to methodologies, tools, team composition, and the integration of threat intelligence:

Adopt Diverse Threat Hunting Methodologies

Three popular threat hunting methodologies are the hypothesis-driven approach, the review of attack indicators, and the use of ML- and AI-based tools.

Hypothesis-driven

The hunter spots an anomaly, forms a hypothesis about the adversary activity that could explain it, and then queries the available data to confirm or refute that hypothesis and decide whether a potential threat warrants a full investigation.

Review of attack indicators

Threat intelligence platforms supply indicators of compromise (IOCs) and indicators of attack (IOAs), such as file hashes, domains, and IP addresses, which are swept across the environment; any matches are then researched further.

ML- and AI-based assessments

Machine learning and artificial intelligence review large volumes of data automatically and surface abnormal behaviors, which a hunter then triages and investigates.
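The following is an added example, not ReversingLabs code and not a description of any ReversingLabs product. It shows the three methodologies above side by side on one small set of constructed process-creation events: a hypothesis-driven hunt (an Office application spawning a script interpreter), an indicator sweep against a constructed IOC set, and a frequency baseline that stands in for the automated anomaly detection an ML-based tool would provide. The event field names, hosts, hashes, domain and command lines are all assumptions made up for illustration; a real hunt would run the same logic as queries against an EDR or SIEM.

```python
"""Hypothesis-driven hunt, IOC sweep and rarity baselining over sample telemetry.

Added example (not ReversingLabs code). Events, IOC values and field names are
constructed for illustration and loosely mirror process-creation telemetry
(parent, image, command line, file hash, outbound destination).
"""
from collections import Counter

# Placeholder hashes (constructed, not real file hashes).
H_WORD, H_PS, H_CHROME, H_SVCHOST, H_EXCEL, H_CMD, H_VBS = (c * 64 for c in "abcdefg")

# Constructed process-creation events. ws01 shows a macro-style chain, ws04 a
# script launched from a service host; the remaining events are routine noise.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe C:\\Users\\alice\\invoice.docx", "sha256": H_WORD, "dst": None},
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "sha256": H_PS, "dst": "updates-cdn.example.net"},
    {"host": "ws02", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "sha256": H_CHROME, "dst": "www.example.com"},
    {"host": "ws02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": H_SVCHOST, "dst": None},
    {"host": "ws03", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": H_SVCHOST, "dst": None},
    {"host": "ws03", "parent": "explorer.exe", "image": "excel.exe",
     "cmdline": "excel.exe C:\\Users\\carol\\budget.xlsm", "sha256": H_EXCEL, "dst": None},
    {"host": "ws03", "parent": "excel.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir", "sha256": H_CMD, "dst": None},
    {"host": "ws04", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "sha256": H_CHROME, "dst": "www.example.com"},
    {"host": "ws04", "parent": "svchost.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe //B C:\\ProgramData\\upd.vbs", "sha256": H_VBS, "dst": None},
]

# Constructed intelligence: one file hash and one domain, as a feed would supply.
IOCS = {"sha256": {H_VBS}, "domain": {"updates-cdn.example.net"}}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OBFUSCATION_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-nop", "-noprofile")


def hunt_office_spawned_interpreter(events):
    """Hypothesis-driven hunt.

    Hypothesis: a malicious document ran a macro, so an Office process spawned a
    script interpreter. Every such chain is a lead; obfuscation flags on the
    command line raise the lead to high confidence.
    """
    leads = []
    for e in events:
        if e["parent"].lower() in OFFICE_APPS and e["image"].lower() in INTERPRETERS:
            cmd = e["cmdline"].lower()
            confidence = "high" if any(f in cmd for f in OBFUSCATION_FLAGS) else "low"
            leads.append({"host": e["host"], "chain": f'{e["parent"]} -> {e["image"]}',
                          "confidence": confidence})
    return leads


def sweep_iocs(events, iocs):
    """Indicator review: match feed IOCs against file hashes and destinations."""
    hits = []
    for e in events:
        if e["sha256"] in iocs["sha256"]:
            hits.append({"host": e["host"], "type": "sha256", "value": e["sha256"]})
        if e["dst"] and e["dst"].lower() in iocs["domain"]:
            hits.append({"host": e["host"], "type": "domain", "value": e["dst"]})
    return hits


def rare_parent_child_pairs(events, max_count=1):
    """Frequency baseline: parent/child pairs seen at most max_count times.

    Rarity is a filter, not a verdict: benign one-offs land here too, so the
    output is a triage queue for the hunter rather than an alert.
    """
    counts = Counter((e["parent"].lower(), e["image"].lower()) for e in events)
    return sorted(pair for pair, n in counts.items() if n <= max_count)


def run_hunt(events, iocs):
    """Combine the three views; hosts that appear on more than one list go first."""
    leads = hunt_office_spawned_interpreter(events)
    hits = sweep_iocs(events, iocs)
    hosts = Counter([ld["host"] for ld in leads] + [h["host"] for h in hits])
    return {"leads": leads, "ioc_hits": hits,
            "rare_pairs": rare_parent_child_pairs(events),
            "priority_hosts": [h for h, n in hosts.most_common() if n > 1]}


if __name__ == "__main__":
    for key, value in run_hunt(EVENTS, IOCS).items():
        print(key, value)
```

Note how the three views disagree: the hypothesis catches the ws01 chain and a low-confidence ws03 chain, the IOC sweep catches ws04 (whose wscript launch from svchost.exe the hypothesis never looked at) and also corroborates ws01 through its outbound domain, and the rarity baseline lists all of these together with benign one-offs such as Explorer launching Word. Only the host that shows up in more than one view is promoted automatically; everything else is a lead that the hunter must triage by hand.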

Utilize Specialized Threat Hunting Tools

Threat hunting tools complement existing endpoint detection and response (EDR) solutions by providing deeper, more detailed analysis of suspicious behaviors and patterns that automated tools might miss. They help hunters uncover advanced threats that evade conventional defenses.

Build a Dedicated Threat Hunting Team

A specialized team focused solely on threat hunting is essential. These teams require a unique skill set, including expertise in using advanced tools, understanding the latest threat landscapes, and creatively thinking about potential attack vectors. Dedicated threat hunters can operate with a proactive mindset, continuously searching for threats rather than waiting for alerts.

Leverage Threat Intelligence

Threat intelligence is crucial for informing and guiding threat hunting efforts. It provides context on the severity of threats, relevant IOCs, and the tactics, techniques, and procedures (TTPs) used by adversaries. By integrating threat intelligence, hunters can prioritize their efforts and focus on the most significant risks to their organization.

Benefits

Faster response times: By reviewing anomalies and assessing threats proactively, teams understand the behaviors and location of malware and are able to formulate remediation strategies and respond faster.

Efficient investigations: When threats emerge, high levels of urgency and stress may lead teams to inefficiently address and resolve issues. By preemptively reviewing issues, organizations can take a calm, measured, and methodical approach toward remediating problems.

Greater visibility: When hunting for threats, analysts must review their environments’ composition and understand what typical behaviors are, providing greater visibility into how their systems function on a day-to-day basis.

Fewer false positives: False positives lead to inefficient security practices because teams spend too much time responding to alerts that pose no real risk. Through threat hunting, teams learn what normal activity looks like and how it is reported, and can tune detection rules to suppress the alerts that are noise.

Reduced risk: Proactively addressing security issues before they cause damage prevents enterprises’ environments from being harmed by latent threats and reduces the cost of running their systems.[4]

Tips for more effective threat hunting

Create protocols to investigate threats: Develop a checklist when assessing hidden threats to create consistent security measures and ensure that proper investigative steps are taken.

Prioritize threats and weaknesses based on severity: This helps SOC teams to understand which problems should be solved first.

Think like an attacker: Locate areas where malware is unlikely to be discovered and learn about how your organization’s specific systems could be exploited by malicious actors to uncover potential attack vectors.

Frequently asked questions

  • How is threat hunting different from threat detection? Threat detection is a reactive, alert-based approach that relies primarily on automated tools to identify threats and alert security teams, while threat hunting is a proactive, human-driven approach to actively search for unknown or stealthy threats.
  • Why is threat hunting important for modern security teams? It helps uncover advanced threats earlier, reducing dwell time and improving overall security posture.
  • Who performs threat hunting in an organization? Threat hunting is primarily performed by senior-level SOC analysts (Tier 3). 
  • What data sources are used in threat hunting? Threat hunters leverage a variety of data sources to detect anomalies and hidden threats, including endpoint telemetry, system & application logs, cloud audit trails, and network traffic.

All rights reserved ReversingLabs © 2026