Threat Hunting Techniques

Learn about the foundations of threat hunting, how it is used in security operations centers (SOCs), and four techniques that improve the effectiveness of threat hunting teams.

What is threat hunting?

Threat hunting is a proactive, exploratory activity designed to identify unknown threats in an environment. The process is an investigative method of testing an evolving set of hypotheses using threat hunting toolkits that both enable creative detective work and drive workflows based on new findings. Threat hunting techniques shift enterprises from reactive response to proactive identification, enabling them to get ahead in the fight against adversaries.

The difference between threat hunting and investigation

Threat hunting and threat investigation are two different functions within a SOC. Threat hunting is a proactive approach to identifying unknown threats, while threat investigation is a reactive approach to validating and understanding a known threat.

Top 5 Challenges Threat Hunting Teams Face

Data Growth

SOCs are plagued with high rates of data growth and organizational silos, both of which reduce visibility. This is further aggravated by a constantly growing attack surface as new applications and services are added.

High Cost

For most SOCs, license costs and data storage make it too expensive to collect and store all security data for real-time and historical analysis.

Slow Queries

Running queries against large volumes of data can slow response times. Some traditional solutions can take hours to run a query due to scalability and performance issues, threatening an organization’s ability to identify and respond to threats.

Lack of Context

Threat hunting requires relevant context to accurately identify a sign of compromise, but it can be difficult and time-consuming to connect the dots across petabytes of data and multiple point products.

Threat Complexity

Modern threats are complex, multi-faceted beasts. Threat actors can now morph attacks on the fly, requiring analysts to hunt dynamically for tactics, techniques, and procedures (TTPs) rather than for fixed indicators alone.

Technique #1

Test evolving hypotheses across all data

Missing data can lead to a missed cyber threat and, if it stays undetected for too long, to a potentially high-profile, expensive breach. SOCs leading the charge on threat hunting recognize the need for a single line of sight into all real-time and historical data for comprehensive analysis. This requires collecting, storing, and analyzing all security data in one place, regardless of type, source, or time horizon, so that evolving hypotheses can be tested against the complete record.

Technique #2

Conduct a historical analysis

Threats run deep in an environment, remaining undetected for months, even years. Modern SecOps combines the analysis of live, hot data with historical analytics to accurately establish the threat path, tactics, and impact to the business. This requires a powerful data platform that can collect and store event data, always hot, for as long as necessary. The ability to easily look back and drill down into petabytes of data to identify patterns is critical for threat hunting.

Technique #3

Support creativity with agile search

Threat hunting does not always lead to a positive outcome. Hunters may test multiple hypotheses throughout the discovery process. As a result, they need agile querying capabilities to pivot, filter, and iterate on their analyses. Threat hunting platforms support creative detective work by enabling simple, fast queries at scale. This allows threat hunters to collect, analyze, and connect various data sets for richer context, without having to wait hours to see the query results.

Technique #4

Integrate threat intelligence

The cyber threat hunting process for campaigns such as advanced persistent threats (APTs) is difficult in the absence of threat intelligence. Threat hunters tap into high-confidence, high-fidelity threat intelligence feeds curated by practitioners, together with indicators of compromise (IoCs), to inform their analyses. This includes integrating proprietary, third-party, and open-source intelligence (OSINT) feeds in a single threat hunting platform and automatically enriching hunts with relevant context.
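The following is an added example, not code from the original page or any vendor platform. It shows the four techniques above as a small hypothesis-driven hunt in Python: one query over the full (here, months-long) log set, enrichment of every hit with a threat-intelligence feed, a per-host timeline that exposes the threat path and dwell time, and an agile pivot query driven by the first finding. The log lines, hostnames, and indicators are constructed for the example (documentation TLDs and address ranges) and are not real IoCs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed threat-intel feed (hypothetical indicators, not real IoCs).
IOC_FEED = {
    "bad-updates.example": {"source": "osint-feed", "confidence": "high",
                            "ttp": "command-and-control over web traffic"},
    "203.0.113.45":        {"source": "vendor-feed", "confidence": "high",
                            "ttp": "exfiltration to external host"},
}

# Constructed proxy/DNS log lines spanning several months (technique #2: hunt
# over the whole historical record, not just the last few days).
LOGS = """\
2023-11-02T08:14:05Z host=ws-017 user=alice dst=bad-updates.example bytes=1204
2023-11-02T08:15:11Z host=ws-017 user=alice dst=cdn.example.net bytes=90211
2024-01-19T23:41:57Z host=srv-db1 user=svc_backup dst=203.0.113.45 bytes=5000000
2024-03-05T12:02:33Z host=ws-017 user=alice dst=bad-updates.example bytes=1180
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict with typed fields."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["bytes"] = int(rec["bytes"])
    return rec

def hunt(log_text, iocs):
    """Hypothesis: some host has contacted a feed-listed destination (technique #1).
    Each hit is enriched with the feed entry (technique #4) and grouped per host,
    earliest first, so the threat path can be read off as a timeline."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        intel = iocs.get(rec["dst"])
        if intel:
            hits[rec["host"]].append({**rec, **intel})
    return {h: sorted(v, key=lambda r: r["ts"]) for h, v in hits.items()}

def dwell_days(hits):
    """Days between first and last IoC contact per host: how long it went unnoticed."""
    return {h: (v[-1]["ts"] - v[0]["ts"]).days for h, v in hits.items()}

def pivot_large_egress(log_text, hosts, threshold):
    """Agile follow-up query (technique #3): starting from the hosts flagged above,
    look for unusually large outbound transfers to any destination."""
    return [r for r in map(parse_line, log_text.splitlines())
            if r["host"] in hosts and r["bytes"] >= threshold]
```

Running `hunt(LOGS, IOC_FEED)` flags both constructed hosts, and `dwell_days` shows ws-017 in contact with the listed domain for 124 days, which a hunt limited to recent data would have missed.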