What is threat hunting?


When it comes to cyber security defences, organisations need to take a proactive stance. Simply relying on automated security systems or artificial intelligence (AI) powered tools isn’t good enough, and businesses need to actively seek out the threats that endanger them. This is where threat hunting comes into play.

Cyber security threat hunting involves organisations proactively discovering advanced threats that are hard to detect using automated security software. This type of activity is used to find the higher-level hackers, such as state-backed ransomware gangs.

The types of threats businesses need to seek out themselves are also more covert and persistent. These threats establish a far stronger foothold in corporate networks and stay there for longer periods, taking care not to cause the kind of disruption that automated security systems can detect. Threat hunting is the answer – with cyber security experts across the world manually seeking out the most notorious cyber security risks.

Why does threat hunting matter?

On average, companies take roughly 197 days to find cyber security threats, and approximately 69 days to contain a breach, according to IBM. Such delays can be highly costly to businesses. According to the company’s research, a data breach could cost a company almost $4 million. Hunting for cyber threats is important because, while many threats are caught by an organisation’s automated security defences, the more sophisticated threats will inevitably pass through.

Automated tools and analysts working in security operations centres can deal with the great majority of normal threats. This leaves a significant chunk of threats, though, that still might give chief information security officers (CISOs) or other C-suite level tech leaders a reason to stay up at night.

An effective threat hunting strategy can cut down on the time between intrusion and discovery, which alleviates that pressure while adding an additional layer of protection.

How does threat hunting work?

Cyber security threat hunting works on the assumption that an organisation is already breached and that hackers are inside the network, monitoring it and moving around.

To combat this, cyber threat hunters monitor the everyday activities and traffic that run across a network to find malicious activities that could lead to a full-scale breach.

To achieve this, an organisation must have a full-time approach to threat hunting. Just doing it “as and when” will not yield significant results and can be self-defeating.

Technology also plays a part in the form of data collection. Enterprises will have security systems that collect data and threat intelligence. This is a crucial part of threat hunting as, without it, such activities can be ineffective.

What are the leading threat hunting methodologies?

Many threat hunters assume a hacker has already infiltrated the IT infrastructure. Investigations, therefore, begin in order to figure out where they might be lurking by looking for unusual behaviour that may suggest malicious activity. When threat hunting in this proactive manner, these investigations fall into three categories.

Hypothesis-driven probes

This type of investigation is frequently prompted by a newly identified threat being brought to the surface from a large array of crowdsourced attack data, giving insights into a hacker’s latest tactics, techniques, and procedures (TTPs). Once this has been acknowledged, threat hunters will then look to ascertain if the hackers’ particular behaviours are found in their own infrastructure.

Known markers of compromise or attack

This threat hunting method involves using tactical threat intelligence to list indicators of compromise (IoCs) and indicators of attack (IoAs) related to new threats. This can activate an investigation by a threat hunter to unearth possible covert attacks or continuing malicious activity.

Advanced analytics and machine learning

This method brings together data analytics and machine learning to trawl through huge amounts of data to spot anomalies that may suggest malicious activity. These irregularities can be the starting point for investigations that information security analysts carry out to find surreptitious threats.

Threat hunting best practices

There are several recommendations that threat hunters normally follow to ensure they’re as successful as possible when seeking out threats.

Set a baseline standard of normal activity: Threat hunters can only find anomalies when they know what is normal. Thus, hunters must know all aspects of the organisation’s infrastructure. This includes architecture, communication flows, and user rights. If few users normally use a specific function in an organisation but there is a lot of traffic to this function, this could signify an attack.


Make sure threat sources are up to date: Obvious threats will already be blocked by existing security solutions. Threat hunters should be looking for zero-day exploits and attacks that combine several tactics, such as an injection attack coupled with account compromise.

Use automation and existing tools to be more effective: Threat hunting needs people to be creative in their thinking but automation and existing security tools can cut out a lot of manual work, leaving analysts to concentrate on the less prosaic threats.

Use feedback to improve future hunting outcomes: Whether or not a hunter finds a threat, the process should be documented, and evidence collected. This can help enhance the organisation’s security systems and practices. It can also be used to improve security protocols. Hunting processes should be assessed and developed to ensure better success rates in future hunts.
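As an added example of the "baseline first" practice described above (not code from the article), the script below builds a per-function baseline of usual daily volume and usual users from constructed access logs, then checks a hunt day against it. It flags the case the article describes: a rarely used function suddenly receiving heavy traffic, here from a service account never seen in the baseline. All log lines, user names and function names are constructed.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample logs, one event per line: "<day> <user> <function>".
BASELINE_LOG = """\
1 alice payroll_export
2 bob payroll_export
3 alice payroll_export
4 alice payroll_export
5 bob payroll_export
1 carol invoice_view
2 dave invoice_view
3 carol invoice_view
"""
# Hunt window (day 6): an account never seen before hammers payroll_export.
HUNT_LOG = ("6 alice payroll_export\n" + "6 svc-backup payroll_export\n" * 8
            + "6 carol invoice_view\n6 dave invoice_view\n")

def parse(log_text):
    """Split log lines into (day, user, function) string tuples."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]

def build_baseline(events):
    """Per function: calls per observed day and the set of users seen normally."""
    daily, users = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for day, user, func in events:
        daily[func][day] += 1
        users[func].add(user)
    return {f: (list(daily[f].values()), users[f]) for f in daily}

def hunt(baseline, events, spike_factor=3.0):
    """Flag (function, day) pairs whose volume exceeds spike_factor x the baseline
    daily mean, and functions called by users absent from the baseline."""
    volume, unknown = defaultdict(int), defaultdict(set)
    for day, user, func in events:
        volume[(func, day)] += 1
        if func not in baseline or user not in baseline[func][1]:
            unknown[(func, day)].add(user)
    findings = []
    for (func, day), count in volume.items():
        expected = mean(baseline[func][0]) if func in baseline else 0.0
        if count > spike_factor * max(expected, 1.0):
            findings.append((func, day, "volume_spike", count, round(expected, 2)))
        if unknown[(func, day)]:
            findings.append((func, day, "unknown_users", sorted(unknown[(func, day)])))
    return findings

if __name__ == "__main__":
    for finding in hunt(build_baseline(parse(BASELINE_LOG)), parse(HUNT_LOG)):
        print(finding)
```

Each finding is a lead for a hunter to investigate, not a verdict: the baseline window and spike factor are assumptions that should be tuned to the organisation's own traffic.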

Who are cyber threat hunters?

Threat hunters are typically cyber security professionals who know an organisation’s operations and systems and can trawl through security data to protect infrastructure. They look for hidden malware attacks, backdoors and malicious actors, and search for suspicious patterns and activities within the organisation’s daily functions to identify all types of threats. When a threat is identified, threat hunters can help in patching systems to prevent similar attacks from happening in the future.

What qualifications do threat hunters need?

Cyber threat hunters are much in demand, and suitably qualified personnel are few and far between. To become a cyber threat hunter, people need a background in cyber security and hands-on experience in such areas as forensic science, data analysis, intelligence analysis, malware reversing, network and endpoint security, adversary tracking, and other security-related skills.

They need to understand the makeup of the cyber security landscape and have a deep knowledge of current and past malware methods, attack methodologies, and TTPs. They also need a good knowledge of operating systems, including Windows and Linux systems, as well as a solid understanding of how different network protocols work, such as TCP/IP. Finally, threat hunters should be fluent in a scripting language, such as Python.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.