Threat Hunting

Threat hunting is the human-driven, proactive[i] and iterative search through networks, endpoints, or datasets to detect malicious, suspicious, or risky activities that have evaded detection by existing automated tools. Threat hunting is the process by which experienced cybersecurity analysts proactively use manual or machine-assisted techniques to identify security incidents or threats that currently deployed automated detection methods did not catch. To succeed at threat hunting, analysts need to know how to coax their toolsets into finding the most dangerous threats. They also need ample knowledge of the various types of malware, exploits, and network protocols to navigate the large volume of data consisting of logs, metadata, and packet capture (PCAP) data.


Threat hunting has been around for a while, but it has only recently become a focus of modern enterprise Security Operations Centers (SOCs). Hunting can revolutionize the threat detection efforts of an organization, and many have already recognized that proactive hunting has to play a role in their overall detection practices (a common mantra one often hears is "prevention is ideal but detection is a must"). According to a recent survey on threat hunting conducted by the SANS Institute, 91% of organizations report improvements in speed and accuracy of response because of threat hunting. It's worth your time, but it's also worth knowing exactly what you're investing in. Before going any further, let's take a look at three common myths about hunting that may help clarify what it is.

3 Common Myths About Hunting

1. Hunting is automated. Hunting isn't a reactive activity. If the main human input in a hunt is remediating the results of something that a tool automatically found, you're being reactive and not proactive. You're resolving an identified potential incident, which is a critically important practice in a SOC[ii], but it is not hunting.

Hunting requires the input of a human analyst and is about proactive, hypothesis-based investigations. The purpose of hunting is specifically to find what is missed by your automated, reactive alerting systems. An alert from an automated tool can give you a starting point for an investigation[iii] or inform a hypothesis[iv], but an analyst needs to work through an investigation to understand and expand on the context of what was found in order to get the full value of hunting. To put this differently, hunters are the network security equivalent of beat cops: they look for anomalies by patrolling through data, instead of working a call that came in from dispatch.

2. Hunting can only be applied with huge quantities of data and a stack of advanced tools. Though it may seem like a new term, security analysts across a range of sectors have been hunting for years. Basic hunting techniques can still be useful and effective in helping you find the bad guys (e.g. you can perform basic outlier analysis, or "stack counting", in Microsoft Excel). An analyst who wants to start threat hunting shouldn't hesitate to dive into some of the basic techniques [v] with just simple data sets and tools. Take advantage of the low-hanging fruit!

Of course, having purpose-built tools such as a threat hunting platform can help you hunt at scale and enable more advanced hunt procedures. Sqrrl's Threat Hunting Platform has been specially created to make the process of fusing different data sets together and leveraging more advanced techniques considerably more straightforward.

3. Hunting is for elite analysts; only the security 1% with years of experience can do it. As you'll learn, there are many different hunting techniques with differing levels of complexity. However, not all of these techniques take years to master. Many of the analysis techniques used for incident response and for alert investigation and triage can also be leveraged for hunting. The key to getting started is simply knowing what questions to ask, and digging into the datasets associated with them. You learn to hunt by doing it, so if you're an analyst who has never hunted before, don't be afraid to dive in.

Key Threat Hunting Characteristics

Threat hunting isn't reserved just for large enterprises with extensive resources. Rather, any organization can adopt this best practice by prioritizing the following key characteristics:

• Being Proactive: Instead of waiting for an alert from an existing security tool, threat hunting requires proactively sniffing out potential intruders before any alerts are generated.

• Trusting Gut Feelings: The best threat hunters avoid relying too heavily on conclusive alerts from tools and rule-based detections. Instead, they look for clues, listen to their gut, and eventually apply those findings to build automated threat detection rules.

• Following Traces: The concept of threat hunting assumes there was a compromise in which attackers have left traces in an organization's environment. Following all traces and leads is therefore crucial, no matter how winding or long the hunt.

• Embracing Creativity: Threat hunting isn't about following established rules. To stay ahead of the most competent and creative attackers, threat hunting requires imagination and any relevant methodologies (established or not).

However, it's also clear from these characteristics that many organizations will struggle to establish a threat hunting program. Instead, it becomes a piece of art that only one or two people are capable of, and even for those it requires a tremendous investment of time. This lack of repeatability stems from a lack of support for this process within most existing security tools, and even the most skilled threat hunters struggle to consistently produce valuable results.

Common Threat Hunting Techniques

There are four common threat hunting techniques used to pinpoint threats in an organization's environment:

1. Searching: This involves querying evidentiary data, such as full packet data, flow records, logs, alerts, system events, digital images, and memory dumps, for specific artifacts using clearly defined search criteria. Since it's rare to know exactly what to look for when setting out to hunt for threats, it's important to find a balance between not making the search criteria too broad (i.e. becoming swamped by receiving too many results) and not making the criteria too narrow (i.e. missing threats by receiving too few results).

2. Clustering[vi]: Using [vii] machine learning and AI technology, clustering involves separating clusters of similar data points, based on specific characteristics, from a larger data set. This practice allows analysts to gain a wider view of the data that is of most interest, notice similarities and/or unrelated correlations, and weave those insights together to get a clearer picture of what's happening within their organization's network and determine how to proceed next.

3. Grouping: This technique involves taking multiple unique artifacts and identifying when several of them appear together based on predetermined search criteria. While similar to the clustering step, grouping only involves searching an explicit set of items that have already been established as suspicious (whereas clustering involves searching large volumes of data to identify the data sets that need to be investigated further).

4. Stack Counting: Often referred to as stacking, this practice involves counting the number of occurrences of values of a particular type of data and analyzing the outliers in those results. Stacking is most effective with data sets that produce a finite number of results and when the inputs are carefully designed. Being able to sort, filter and manipulate the data in question is essential to finding any anomalies in large data sets, so leveraging technology, even something as basic as Excel, is important when stacking.
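The following Python script is an added example, not code from the original article or from any product it mentions. It implements three of the techniques above (searching, stack counting and grouping) over a small constructed set of process-creation events, then chains them into one worked hunt: stack parent/child process pairs, keep the rare pairs, and narrow the search to children of Office applications. The event records, the host and user names, and the `OFFICE_APPS` list are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of process-creation events (not real telemetry).
# Each record: which image was started, by which parent, on which host, as which user.
EVENTS = [
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws-02", "user": "bob",   "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws-03", "user": "carol", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-04", "user": "dave",  "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws-02", "user": "bob",   "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws-05", "user": "erin",  "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws-05", "user": "erin",  "parent": "winword.exe",  "image": "powershell.exe"},
    {"host": "ws-06", "user": "frank", "parent": "explorer.exe", "image": "excel.exe"},
    {"host": "ws-03", "user": "carol", "parent": "explorer.exe", "image": "teams.exe"},
    {"host": "ws-04", "user": "dave",  "parent": "explorer.exe", "image": "powershell.exe"},
    {"host": "ws-06", "user": "frank", "parent": "explorer.exe", "image": "outlook.exe"},
]

# Office applications that rarely have a legitimate reason to launch a shell (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def search(events, **criteria):
    """Searching: return the events whose fields match every criterion exactly."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def stack_count(events, *fields):
    """Stack counting: tally how often each value (or combination of values) occurs."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def outliers(counts, max_count=1):
    """The rare end of a stack: values seen at most max_count times, sorted for stable output."""
    return sorted(value for value, n in counts.items() if n <= max_count)


def group_by_artifacts(events, key, suspicious, min_hits=2):
    """Grouping: for each value of `key` (e.g. a host), collect which of the
    already-suspicious artifacts appear there and keep only the keys where at
    least `min_hits` distinct artifacts co-occur."""
    seen = defaultdict(set)
    for e in events:
        for fld, values in suspicious.items():
            if e.get(fld) in values:
                seen[e[key]].add((fld, e[fld]))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hits}


def hunt_office_spawned_shells(events):
    """Worked hunt: stack parent/child pairs, keep the rare ones, then narrow the
    search to children of Office applications. Returns (host, user, parent, image)."""
    rare_pairs = set(outliers(stack_count(events, "parent", "image")))
    hits = []
    for parent, image in sorted(rare_pairs):
        if parent in OFFICE_APPS:
            for e in search(events, parent=parent, image=image):
                hits.append((e["host"], e["user"], parent, image))
    return hits


if __name__ == "__main__":
    print("rare parent/child pairs:", outliers(stack_count(EVENTS, "parent", "image")))
    print("office-spawned shells:", hunt_office_spawned_shells(EVENTS))
    print("hosts with co-occurring artifacts:",
          group_by_artifacts(EVENTS, "host",
                             {"image": {"powershell.exe"}, "parent": {"winword.exe"}}))
```

Note how the stack alone is not the finding: five parent/child pairs are rare in this sample, and most of them are ordinary. The hunt only becomes useful once the analyst adds the narrowing criterion (Office parent), which is the "not too broad, not too narrow" balance described under Searching.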

Threat Hunting Method

Once all components of the threat hunting program are understood, it's not difficult to create a simple, yet very effective, process. The basic steps are:

• Collect and process data: Again, it's impossible to hunt for threats without quality data. It's essential to plan ahead and define what data should be collected and where it will be centralized and processed. As mentioned before, a SIEM solution is a hunter's best ally.
• Establish a hypothesis: It's important to know what you're looking for, and it all begins with a business-oriented hypothesis supported by the specific company context. The approach is to begin with simple, high-level questions that are aligned with the company's cybersecurity strategy. Again, this will enable the team to focus on real issues, leading to a much more effective threat-hunting program.
• Hunt: Now for the fun part! Well, maybe not so fun. At times, threat hunting may be no more than crunching data and interpreting results for many hours, only to find that a hypothesis has not been confirmed. As previously mentioned, a hunter must excel in technical expertise, combining areas like information security, forensic science, and intelligence analysis[viii], but must also have a lot of patience.
• Identify threats: At some point, your hypothesis is proven to be valid and a threat is identified. Now it's time to understand how it affects the company. Is it a serious ongoing security incident? Is it a cyber attack that has just started? Is there a chance it's a false alert? All those questions must be answered by the team before defining the best course of action.
• Respond: Once a threat is confirmed and the extent of the attack is understood, the next step is creating a proper response. Of course, it's necessary to stop the current attack, remove any malware files, and restore altered/deleted files to their original state, but it doesn't stop there. It's also essential to understand what happened in order to improve security and prevent similar attacks in the future. For instance, it may be necessary to take actions like updating firewall/IPS rules, developing new SIEM alerts, deploying security patches, and/or changing system configurations. [ix] In other words: take every necessary step to ensure another breach isn't likely to happen.
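The script below is an added example, not code from the original article, that walks the steps above end to end: a hypothesis is written declaratively, the hunt pulls every event the hypothesis says should not exist, triage separates confirmed hits from documented exceptions, and the response step turns the validated hypothesis into a new SIEM alert. The logon events, host and account names, the `KNOWN_GOOD` exception, and the Sigma-style rule layout are all assumptions made for the example; the rule shape is a simplified sketch, not a rule taken from any project.

```python
from dataclasses import dataclass
from typing import Any, List, Tuple

# Constructed sample of logon events (not real telemetry). logon_type follows the
# Windows convention where 2 = interactive, 3 = network, 10 = remote interactive (RDP).
EVENTS = [
    {"host": "srv-db-01",   "user": "svc_backup", "logon_type": 3,  "src": "10.0.1.20"},
    {"host": "srv-db-01",   "user": "svc_backup", "logon_type": 3,  "src": "10.0.1.20"},
    {"host": "ws-11",       "user": "alice",      "logon_type": 2,  "src": "-"},
    {"host": "srv-db-01",   "user": "alice",      "logon_type": 10, "src": "10.0.5.44"},
    {"host": "srv-fs-02",   "user": "svc_backup", "logon_type": 10, "src": "10.0.5.44"},
    {"host": "srv-jump-01", "user": "svc_deploy", "logon_type": 10, "src": "10.0.5.44"},
    {"host": "srv-fs-02",   "user": "admin-j",    "logon_type": 10, "src": "10.0.9.5"},
]

Criterion = Tuple[str, str, Any]  # (field, operator, value); operators: "eq", "startswith"


@dataclass
class Hypothesis:
    name: str
    rationale: str
    criteria: List[Criterion]  # declarative, so the same hunt can later become a rule


def matches(event, criteria):
    """True when the event satisfies every criterion."""
    for fld, op, val in criteria:
        actual = event.get(fld)
        if op == "eq" and actual != val:
            return False
        if op == "startswith" and not str(actual).startswith(val):
            return False
    return True


def run_hunt(hypothesis, events):
    """Hunt: pull every event the hypothesis predicts should not exist."""
    return [e for e in events if matches(e, hypothesis.criteria)]


def triage(findings, known_good):
    """Identify threats: separate confirmed hits from documented exceptions."""
    confirmed, benign = [], []
    for e in findings:
        (benign if any(matches(e, kg) for kg in known_good) else confirmed).append(e)
    return confirmed, benign


def to_detection_rule(hypothesis, known_good):
    """Respond: turn the validated hypothesis into a Sigma-style rule dict.
    The rule shape here is assumed; adapt it to your SIEM's rule format."""
    modifier = {"eq": "{f}", "startswith": "{f}|startswith"}

    def block(criteria):
        return {modifier[op].format(f=fld): val for fld, op, val in criteria}

    detection = {"selection": block(hypothesis.criteria)}
    condition = "selection"
    for i, kg in enumerate(known_good, start=1):  # exceptions found in triage become filters
        detection[f"filter{i}"] = block(kg)
        condition += f" and not filter{i}"
    detection["condition"] = condition
    return {
        "title": hypothesis.name,
        "description": hypothesis.rationale,
        "logsource": {"product": "windows", "category": "logon"},  # placeholder values
        "detection": detection,
    }


HYP = Hypothesis(
    name="Remote interactive logon by a service account",
    rationale="Service accounts (svc_*) run scheduled jobs and should never open RDP sessions.",
    criteria=[("user", "startswith", "svc_"), ("logon_type", "eq", 10)],
)

# Exception recorded during triage (constructed): svc_deploy legitimately uses RDP on the jump host.
KNOWN_GOOD = [[("user", "eq", "svc_deploy"), ("host", "eq", "srv-jump-01")]]


if __name__ == "__main__":
    hits = run_hunt(HYP, EVENTS)
    confirmed, benign = triage(hits, KNOWN_GOOD)
    print("confirmed:", confirmed)
    print("known-good:", benign)
    print("rule:", to_detection_rule(HYP, KNOWN_GOOD))
```

Keeping the hypothesis declarative is the design choice that matters: the criteria that drove the hunt, plus the exceptions learned while identifying threats, are exactly what the new alert needs, so the "Respond" step produces a rule that already excludes the false positives the analyst has seen.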


Threat hunting can provide significant value to a cybersecurity strategy[x]. Based on the simple premise that no system is 100% secure, an experienced threat hunter can proactively detect and stop even the most stealthy attacker.

As expected, creating a good threat-hunting program will take some effort: it's essential to have the right skills and the necessary tools before committing to a specific strategy. A good approach is to first define which maturity level will provide the company with actual value, verify whether existing resources are sufficient, and assemble the right mix of knowledgeable professionals, data collecting/processing tools, and actionable intelligence. Let the hunt begin! No cyber threat can stay unseen, and no business can stay unprotected!

Frequently Asked Questions (FAQ)

  • Q.1 What is threat hunting?
  • Q.2 Why did threat hunting come into existence?
  • Q.3 How do you create a threat hunting process?
  • Q.4 What are the four common threat hunting techniques?



  • [i] Of a person or action: creating or controlling a situation rather than just responding to it after it has happened.
  • [ii] Security operations centres.
  • [iii] A formal inquiry or systematic study.
  • [iv] A supposition or proposed explanation made on the basis of limited evidence as a starting point for further investigation.
  • [v] It provides a method to settle the financial value of a company, security, or currency.
  • [vi] A group of similar things or people positioned or occurring closely together.
  • [vii] The action or fact of treating someone unfairly in order to benefit from their work.
  • [viii] To invest something.
  • [ix] An arrangement of parts or elements in a particular form, figure, or combination.
  • [x] The body of technologies, processes, and practices designed to protect networks and devices from damage or unauthorized access.
