What is Threat Hunting? A Definition for MSPs and Channel Partners


Threat hunting can be defined in different ways. Most would define threat hunting as the proactive practice of using threat intelligence, alerts and log data, or even technical experience, to create testable hypotheses and use them to uncover threats, unknowns, and existing or potential security vulnerabilities.

Author: Anthony Smith, threat hunter, Huntress

I like to think of threat hunting as a science experiment with theories and data that need testing. It joins both human analysis and data analysis in an effort to read between the lines. More often than not, threat hunting is a proactive approach to cybersecurity and is an important addition to any security strategy.

The Evolution of Threat Hunting

While we’ve seen threat actors working around the clock to cause trouble, we’ve also seen threat hunting become a more popular practice in recent years. If you think about it, attackers have the first-hit advantage in most scenarios: their victims aren’t even aware of their presence until it’s too late. Threat hunting aims to solve this problem. Threat hunting is all about being proactive; it combines technical and behavioral analysis to help businesses stay ahead of the latest threats and detect them before they cause greater damage.

Dwell times have always been an issue. Threat actors have the ability to sneak into an environment unnoticed and maintain their persistence for more than 200 days. Over the years we have brought this number down to ~70 days through the wider adoption of detection and response technology. But 70 days is still too long, and it is in this gap between detection technology and adversary dwell time that we conduct our threat hunting operations.

Who are threat hunters?

Generally speaking, the job of a threat hunter is to proactively seek out threats before they can cause exponential damage to an organization. They analyze data to detect discrepancies and outliers, read and interpret threat intelligence feeds, develop and test hypotheses, look for patterns of suspicious activity, and seek to improve an organization’s security posture by identifying what is benign versus what is malicious. And because threat hunters try to find the needle in the haystack, they are often inherently curious and persistent, and they like to solve problems and think outside the box.

Just as threat hunting hasn’t changed much since its inception, the “mindset” of a threat hunter hasn’t really changed. We’re always on the lookout for things out of the ordinary and chasing leads that almost always end up being red herrings, but we still love the hunt and we love our jobs.

If anything has changed, it’s the growing community of hunters and seekers helping each other and the concept of the ‘purple team’. But that’s a topic for another blog. 😉

Today, threat hunting consists of tons of research, finding information, and testing theories and ideas. And the community is always putting out information and ideas that other researchers can use, test, and refine themselves, and who then share the refinement or new leads back with the community.

Threat Hunting Types

Everyone has their own approach or way of thinking about things, and that goes for researchers too. For my part, I like to think that there are four types of hunts: intelligence-driven, data-driven, knowledge-based and, of course, hybrid hunts.

Intelligence Driven Hunts consist of collecting and analyzing information from various sources in order to execute the hunting mission. Intel can consist of filenames, hashes, IP addresses, campaigns, IOCs, email addresses, domains, etc. Using the information collected, we can create hypotheses that we can test against our data sources.

Data Driven Hunts rely on internal data that may indicate malicious behavior. The types of data we might use for data-driven hunts are low-priority alerts and detections and aggregated analytics data. This data doesn’t give us a “smoking gun”, nor does it mean that anything bad is going on, but it does give us a good starting point to create hypotheses about what we’re seeing.

Knowledge-Based Hunts rely on our knowledge of available datasets, client networks, and adversary tactics, techniques, and procedures (TTPs). Knowing the adversary’s TTPs tells us how and where to look for malicious behavior. Using frameworks like MITRE ATT&CK, we can create hypotheses based on threat actor TTPs that have been observed in the wild.

Hybrid hunts combine two or more types of hunts, which can help us create hypotheses with a narrower scope. For example, if the data shows that certain events occur on endpoints and intelligence suggests that these events could be part of an adversary campaign, we can create a hypothesis that combines the data-driven and intelligence-driven hunting methods.

The phases of any type of hunt are generally the same:

  • First, we plan by determining the type of hunt we are going to conduct. During this phase, we develop the hypothesis and determine the data sources we will need to be successful.
  • We then move to the execution phase where we analyze the data from the appropriate sources and refine it. It is important to constantly evaluate and refine the data during this process.
  • Finally, we have the report phase, which is perhaps the most important phase of the three. This phase is different depending on the results returned. If there is something we have determined to be malicious, this is where we report it to the appropriate channels and trigger an incident response. Regardless of whether our hunt yielded anything, it’s important to determine lessons learned and potentially share valuable information or create detections that could better protect our network.
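As an added illustration of the three phases (and of a hybrid hunt that layers intelligence over a data-driven stack), the following Python is example code written for this article, not Huntress tooling. The telemetry, the intel lists and the `max_hosts` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed process-creation telemetry: (host, parent process, child process).
# Made up for this example; not real customer data.
EVENTS = [
    ("ws01", "explorer.exe", "chrome.exe"),
    ("ws02", "explorer.exe", "chrome.exe"),
    ("ws03", "explorer.exe", "outlook.exe"),
    ("ws04", "explorer.exe", "chrome.exe"),
    ("ws01", "services.exe", "svchost.exe"),
    ("ws02", "services.exe", "svchost.exe"),
    ("ws03", "services.exe", "svchost.exe"),
    ("ws04", "services.exe", "svchost.exe"),
    ("ws02", "winword.exe", "powershell.exe"),
    ("ws03", "winword.exe", "splwow64.exe"),
]

# Plan phase (hypothetical intel input): parent/child combinations that adversary
# TTPs are known to abuse. Constructed lists, stand-ins for a real intel feed.
INTEL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
INTEL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe"}

def stack(events):
    """Execute phase, data-driven: count distinct hosts per parent->child pair.
    Pairs seen on few hosts are the outliers worth a closer look."""
    hosts = defaultdict(set)
    for host, parent, child in events:
        hosts[(parent, child)].add(host)
    return {pair: len(h) for pair, h in hosts.items()}

def hunt(events, max_hosts=1, parents=INTEL_PARENTS, children=INTEL_CHILDREN):
    """Hybrid hunt: flag a pair when it is rare (data signal) and/or matches the
    intel overlay. Findings with both signals sort first."""
    findings = []
    for (parent, child), n in stack(events).items():
        reasons = []
        if n <= max_hosts:
            reasons.append(f"rare: seen on {n} host(s)")
        if parent in parents and child in children:
            reasons.append("intel: office app spawning a script interpreter")
        if reasons:
            findings.append({"parent": parent, "child": child, "hosts": n, "reasons": reasons})
    return sorted(findings, key=lambda f: (-len(f["reasons"]), f["hosts"]))

def report(findings):
    """Report phase: both signals -> escalate to incident response; a single
    signal -> review, and feed the result back as tuning or a new detection."""
    return {"escalate": [f for f in findings if len(f["reasons"]) == 2],
            "review": [f for f in findings if len(f["reasons"]) == 1]}

if __name__ == "__main__":
    for bucket, items in report(hunt(EVENTS)).items():
        for f in items:
            print(bucket, f["parent"], "->", f["child"], f["reasons"])
```

Even when nothing lands in `escalate`, the `review` bucket is the lessons-learned output: rare pairs that turned out benign become allow-list entries, and recurring ones become candidates for a detection rule.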

Why We Need Threat Hunting

Ultimately, software cannot match human intelligence. Machine learning and automation have their place, but they still require humans to make the final decision to contain and respond accurately. Moreover, modern cybercriminals are smart and know how to exploit these blind spots. They have entire teams that spend their days identifying ways to abuse, exploit, or circumvent IT security tools. How can you expect to beat that with automation alone?

We need hunters on the front lines. A threat hunter with a well-trained eye is more likely to detect TTPs and suspicious activity and can actually help software tools be more accurate. Overall, threat hunting enables security teams to identify unknown threats and detect them before they cause major damage and disruption. It’s this proactive protection against the unknown that makes threat hunting unique and incredibly important to cybersecurity today.

Anthony Smith is a Cyber Threat Hunter at Huntress. Read more Huntress guest blogs here. Regularly contributed guest blogs are part of the MSSP Alert Sponsorship Program.
