What Is Cyber Threat Hunting?

Cyber threat hunting involves proactively searching for threats on an organization’s network that are unknown to (or missed by) traditional cybersecurity solutions. A recent report from Armis found that cyber attack attempts increased by 104% in 2023, underscoring the need for pre-emptive threat detection to prevent breaches.

In this article, we take a look at what cyber threat hunting is, how it works, and what types of tools or services you can avail to protect your business.

What is cyber threat hunting?

Cyber threat hunting is a proactive security strategy wherein threat hunters seek out, identify, and eliminate undetected threats on the network.

Threat hunters achieve this in a variety of ways, such as looking at indicators of compromise or indicators of attacks; developing a hypothesis-based hunt in relation to new cybersecurity threats that emerge; or utilizing internal risk assessment data or direct customer requirements to proactively concentrate on high-risk areas in an organization.

SEE: Top 7 Cyber Threat Hunting Tools for 2024 (TechRepublic)

This is in contrast to traditional security methods, where it’s more reactive and only takes action after the threat has been detected and infiltrated the system. More traditional methods often do this by comparing threat indicators (like the execution of unknown code or an unauthorized registry change) to a signature database of known threats.

How does cyber threat hunting work

Threat hunting happens through the joint effort between threat hunters and various advanced detection tools and techniques. In cyber threat hunting, security analysts combine their critical-thinking, intuition, and creative problem-solving skills with advanced monitoring and security analytics tools to track down hidden threats in a company’s network.

Threat hunters employ a variety of threat hunting techniques to do this. Examples of these techniques include:

• Searching for insider threats, such as employees, contractors, or vendors.
• Proactively identifying and patching vulnerabilities on the network.
• Hunting for known threats, such as high-profile advanced persistent threats (APTs).
• Establishing and executing security incident response plans to neutralize cyber threats.

Benefits of cyber threat hunting

Traditional, reactive cybersecurity strategies focus primarily on creating a perimeter of automated threat detection tools, assuming that anything that makes it through these defenses is safe. If an attacker slips through this perimeter unnoticed, perhaps by stealing authorized user credentials through social engineering, they could spend months moving around the network and exfiltrating data. Unless their suspicious activity matches a known threat signature, reactive threat detection tools like antivirus software and firewalls won’t detect them.

Proactive threat hunting attempts to identify and patch vulnerabilities before they’re exploited by cyber criminals, reducing the number of successful breaches. It also carefully analyzes all the data generated by applications, systems, devices, and users to spot anomalies that indicate a breach is taking place, limiting the duration of — and damage caused by — successful attacks. Plus, cyber threat hunting techniques typically involve unifying security measures such as monitoring, detection, and response with a centralized platform, providing greater visibility and improving efficiency.

Pros of threat hunting

• Proactively identifies and patches vulnerabilities before they’re exploited.
• Limits the duration and impact of successful breaches.
• Provides greater visibility into security operations on the network.
• Improves the efficiency of security monitoring, detection, and response.

Cons of threat hunting

• Purchasing the necessary tools and hiring qualified cybersecurity talent requires a heavy up-front investment.

SEE: Hiring Kit: Cyber Threat Hunter (TechRepublic Premium)

Types of cyber threat hunting

While all threat hunting involves a proactive search of threats, there are different ways such investigations can go down. Here are the three main types:

Hypothesis-driven or structured hunting

Structured hunting has threat hunters assume that an advanced threat has already infiltrated the network. In this situation, they look at indicators of attack and recent attack tactics, techniques, and procedures that could be employed by a threat actor.

From this data, they form a hypothesis about a threat actor’s process and method of attack. In addition, threat hunters also look at patterns or anomalies in an effort to stop the threat before it makes any real damage.

SEE: 4 Threat Hunting Techniques to Prevent Bad Actors in 2024 (TechRepublic)

Unstructured hunting

In contrast to structured hunting where a hunter starts with a hypothesis, unstructured hunting begins through exploration and a more open-ended approach. Hunters start by looking for indicators of compromise or triggers in a system. These can come in the form of unusual user behavior, peculiar network traffic, suspicious sign-in activity, strange DNS requests, and the like.

Hunters then counter-check these incidents with historical data and cyber threat intelligence to look for patterns or trends that could lead to a potential threat. Often, unstructured hunting can find previously hidden or even emerging threats.

Situational hunting

Lastly, situational threat hunting focuses on specific resources, employees, events, or entities within an organization in the search for potential threats. This is usually based on an internal risk assessment and takes prime consideration of high-risk items or people that are more likely to be attacked at a given point in time.

In this method, threat hunters are at times explicitly directed to focus on these high-profile areas to find adversaries, malicious actors, or advanced threats.

What is the cyber threat hunting process?

While the step-by-step process in a cyber threat hunt can vary depending on the investigation type, there are fundamental points that almost all threat hunting investigations go through.

1. Hypothesis setting or trigger stage: Threat hunters formulate a hypothesis to proactively search for undetected threats based on emerging security trends, environmental data, or their own knowledge and/or experience. This stage can also begin with a trigger, usually in the form of indicators of attack or indicators of compromise. These triggers can point hunters in the general area or direction of their proactive search.
2. Investigation proper: At this point, hunters will use their security expertise in conjunction with security tools such as extended detection and response solutions or integrated security information and event management tools to track down vulnerabilities or malicious areas in a system.
3. Resolution and response phase: Once a threat is found, the same advanced technologies are used to remediate the threats and mitigate any damage done to the network. At this stage, automated response is employed to strengthen the security posture and reduce human intervention in the future.

Threat hunting tools and techniques

Below are some of the most commonly used types of tools for proactive threat hunting.

Security monitoring

Security monitoring tools include antivirus scanners, endpoint security software, and firewalls. These solutions monitor users, devices, and traffic on the network to detect signs of compromise or breach. Both proactive and reactive cybersecurity strategies use security monitoring tools.

Advanced analytical input and output

Security analytics solutions use machine learning and artificial intelligence (AI) to analyze data collected from monitoring tools, devices, and applications on the network. These tools provide a more accurate picture of a company’s security posture — its overall cybersecurity status—than traditional security monitoring solutions. AI is also better at spotting abnormal activity on a network and identifying novel threats than signature-based detection tools.

SEE: Top 5 Threat Hunting Myths (TechRepublic)

Integrated security information and event management (SIEM)

A security information and event management solution collects, monitors, and analyzes security data in real-time to aid in threat detection, investigation, and response. SIEM tools integrate with other security systems like firewalls and endpoint security solutions and aggregate their monitoring data in one place to streamline threat hunting and remediation.

Extended detection and response (XDR) solutions

XDR extends the capabilities of traditional endpoint detection and response (EDR) solutions by integrating other threat detection tools like identity and access management (IAM), email security, patch management, and cloud application security. XDR also provides enhanced security data analytics and automated security response.

Managed detection and response (MDR) systems

MDR combines automatic threat detection software with human-managed proactive threat hunting. MDR is a managed service that gives companies 24/7 access to a team of threat-hunting experts who find, triage, and respond to threats using EDR tools, threat intelligence, advanced analytics, and human experience.

Security orchestration, automation, and response (SOAR) systems

SOAR solutions unify security monitoring, detection, and response integrations and automate many of the tasks involved with each. SOAR systems allow teams to orchestrate security management processes and automation workflows from a single platform for efficient, full-coverage threat hunting and remediation capabilities.

Penetration testing

Penetration testing (a.k.a. pen testing) is essentially a simulated cyber attack. Security analysts and experts use specialized software and tools to probe an organization’s network, applications, security architecture, and users to identify vulnerabilities that cybercriminals could exploit. Pen testing proactively finds weak points, such as unpatched software or negligent password protection practices, in the hope that companies can fix these security holes before real attackers find them.

Popular threat hunting solutions

Many different threat hunting solutions are available for each type of tool mentioned above, with options targeting startups, small-medium businesses (SMBs), larger businesses, and enterprises.

CrowdStrike

CrowdStrike offers a range of effective threat hunting tools like SIEM and XDR that can be purchased individually or as a bundle, with packages optimized for SMBs ($4.99/device/month), large businesses, and enterprises. The CrowdStrike Falcon platform unifies these tools and other security integrations for a streamlined experience.

ESET

ESET provides a threat hunting platform that scales its services and capabilities depending on the size of the business and the protection required. For example, startups and SMBs can get advanced EDR and full-disk encryption for $275 per year for 5 devices; larger businesses and enterprises can add cloud application protection, email security, and patch management for $338.50 per year for 5 devices. Plus, companies can add MDR services to any pricing tier for an additional fee.

Splunk

Splunk is a cyber observability and security platform offering SIEM and SOAR solutions for enterprise customers. Splunk is a robust platform with over 2,300 integrations, powerful data collection and analytics capabilities and granular, customizable controls. Pricing is flexible, allowing customers to pay based on workload, data ingestion, number of hosts, or quantity of monitoring activities.

Cyber threat hunting is a proactive security strategy that identifies and remediates threats that traditional detection methods miss. Investing in threat hunting tools and services helps companies reduce the frequency, duration, and business impact of cyber attacks.