What is Threat Hunting? Overview With Real-World Example
Discover the essentials of threat hunting, including methodologies, types, techniques, and common tools, with insights into best practices and tips on integrating a proactive threat hunting program into your security strategy.
UPDATE: This post, originally published on September 21, 2021, has been updated to reflect the most current information available about threat hunting.
Threat hunting is a proactive cybersecurity practice in which experts called threat hunters actively search for signs of malicious activity, from external attackers to insider threats, within an organization’s environment. Threat hunting is about staying ahead of attackers by continuously monitoring and analyzing for signs of compromise. The goal is to detect and stop threats before they cause harm by searching through data such as network traffic, endpoint telemetry, and logs.
Unfortunately, many efforts in cybersecurity still focus on being reactive, which leaves opportunities for attackers to infiltrate systems and wreak havoc.
It’s easy to see what happens when organizations don’t prioritize proactive security measures like threat hunting programs when they make headlines for massive data breaches or ransomware attacks.
[Read also: 5 ways your company can avoid becoming a headline]
In this post, we’ll delve into the world of threat hunting, starting with its definition and the essential skills hunters should have to be successful. We’ll also explore whether all threat hunting is proactive, review common methodologies, and differentiate between types of threat hunting.
You’ll learn about the key steps threat hunters take, their techniques, and the tools that support their efforts. We’ll also share best practices to enhance your threat hunting process, provide a real-world example of a threat hunt, and offer guidance on integrating a proactive threat hunting program into your security strategy.
- Threat hunting defined
- What is the difference between threat hunting and threat intelligence?
- Top threat hunter skills
- Are all types of threat hunting proactive?
- Threat hunting methodologies
- Types of threat hunting
- What does a cyber threat hunter do? How threat hunting works in 5 steps
- Common threat hunting techniques with examples
- What tools are used for threat hunting?
- How AI is transforming threat hunting
- How can you improve the threat hunting process?
- What is an example of threat hunting? Real-world demo
- Where does proactive threat hunting fit in with your security strategy?
Threat hunting defined
Threat hunting is emerging as a meaningful cybersecurity method that entails continuously looking for threats across an organization’s environment. This often involves searching for “unknown unknowns” — previously undetected anomalies, unusual activity, or malicious code — that might open the door to a cyberattack.
Threat hunts begin with a hypothesis or a statement about the hunter’s ideas of what threats might be in the environment and how to find them. Threat hunters can use threat intelligence, environmental knowledge, and their own experience and creativity to build a logical path to detection.
With threat hunting, organizations move their cybersecurity efforts from reactive damage control to proactive damage prevention.
When your tools or third-party provider alerts you to an in-progress data breach, or you receive a ransom demand, the damage to your systems and the remediation cost can be severe. Threat hunting lets you find intrusions and weaknesses early, before they lead to disaster.
One way to think of threat hunting is that it’s like your body’s immune system. Your T cells don’t wait for you to feel bad. They constantly seek out and kill invading germs and cells that exhibit abnormal behavior. In many instances, your immune system prevents you from getting sick.
Of course, like attacks on the immune system, cyberattacks can sometimes slip through, even in organizations with robust and ongoing cybersecurity operations. However, in many cases, threat hunting allows you to catch breaches earlier, saving your company’s reputation and protecting its data.
[Read also: Why it pays for leaders to imagine the “unknown unknowns”]
As you begin to better understand threat hunting, you’ll frequently encounter the term threat intelligence. It’s important to understand the difference between threat hunting and threat intelligence, as both are crucial components of a robust cybersecurity strategy but serve different purposes and involve distinct processes.
What is the difference between threat hunting and threat intelligence?
Threat hunting is about actively seeking out threats within an environment.
Threat intelligence involves collecting, analyzing, and disseminating information about potential or current threats gathered from various sources, including open-source data, social media, dark web monitoring, and other shared sources of threat information.
Threat hunters operate under the assumption that adversaries are already inside the environment, and they do not rely solely on intelligence about already-known attacks to tell them where to look. That is what elevates the work from threat detection to threat hunting.
Ideally, hunters stay ahead by searching for new and emerging threats that cyber threat intelligence has not yet documented. Published intelligence still offers significant value, however: it gives hunters foundational knowledge about the threat landscape, attacker patterns, and lessons learned from past incidents, so they can recognize indicators of compromise more quickly and accurately.
Effective threat hunters play a crucial role in safeguarding organizations from potential threats in the ever-evolving cybersecurity landscape. However, to excel in this field, threat hunters must possess a unique set of traits we’ll explore in the next section.
Top threat hunter skills
As frontline defenders against the latest threats and attacks, threat hunters need to cultivate specific traits to stay ahead of adversaries continually.
By mastering these skills, threat hunters can significantly enhance their ability to detect, investigate, and mitigate potential threats to strengthen their organization’s security posture. Threat hunters must be:
Lifelong learners
Continuous learning and self-education are essential for threat hunters. With new threats and attack techniques emerging regularly, threat hunters must read extensively, attend training sessions, and participate in cybersecurity communities to help them stay informed about the latest trends and best practices.
Data scientists/analysts
Threat hunters must incorporate data science and analysis when gathering data from different sources, including network traffic, system logs, endpoint data, threat intelligence feeds, and more, to process and derive meaningful insights that inform their decision making.
By analyzing this information, threat hunters can identify patterns, uncover anomalies, and investigate those anomalous behaviors to determine whether they may indicate malicious activity.
Intuitive
Threat hunters must also rely on their intuition to analyze data, spot suspicious activity, and investigate anomalies to find hidden malware or threat actors potentially missed using other efforts. This intuition is often built on years of experience and a deep understanding of the systems they protect.
By combining their intuition with data-driven analysis, experienced threat hunters develop a keen sense of what to look for and where to identify and mitigate potential threats more effectively.
Technically proficient
Threat hunters must understand and utilize the appropriate tools, technologies, and methodologies to perform tasks efficiently and effectively. This includes selecting the right tools for specific tasks, staying updated with the latest technological advancements, and applying this knowledge to improve performance.
Leveraging tools that support a threat hunter’s ability to monitor activity in real time, investigate incidents without straining the network, and pivot seamlessly between threat hunting and response is essential to enhancing visibility into activities and user behaviors to identify and mitigate threats that might otherwise go unnoticed.
Threat hunters work to stay ahead of threats, but not every hunt is proactive. In the next section, we’ll look at the proactive and reactive sides of threat hunting and clarify which approaches fit each description. This will help us understand the varying hunting strategies and their roles in maintaining robust cybersecurity defenses.
Are all types of threat hunting proactive?
No, not all types of threat hunting are proactive. In fact, threat hunting is often categorized into two approaches, proactive and reactive:
- Proactive threat hunting: A proactive approach to threat hunting involves actively searching for potential threats before they cause harm by looking for signs of compromise or intrusion.
With proactive hunting, hunters aim to find and isolate advanced threats that evade existing security tools, focusing on threats without specific indicators. This approach supports early detection, reduces dwell time, and prevents significant damage by allowing organizations to identify and address weaknesses before an attacker exploits them.
- Reactive threat hunting: In contrast, reactive threat hunting occurs after a security incident has been detected or your security system alerts you to an anomaly.
Since the threat may have already caused harm, such as data breaches, financial losses, and reputational damage, relying on reactive hunting as the primary security strategy leaves the organization exposed to significant damage. Reactive threat hunting also often lacks the timeliness and insight to help organizations prevent future attacks, focusing on immediate threats rather than underlying weaknesses.
While reactive threat hunting is essential to quickly address the threats that make it past your cyber defense, it should not replace proactive security measures like continuously searching for potential threats before they cause harm.
Think of the lessons learned from proactive threat hunting as starting with, “The threat could have…” compared to the reactive hunting retrospectives that begin with, “The threat did…”
With this understanding of the key distinctions and benefits between proactive and reactive threat hunting, we can now delve into the more nuanced threat hunting methodologies.
Threat hunting methodologies
Threat hunting generally falls into three main approaches:
- Hypothesis-based hunting: This proactive approach starts with threat hunters creating a hypothesis based on available data, trends, or security events, including indicators of attack (IoA) and the tactics, techniques, and procedures (TTPs) of attackers. Threat hunters then test their hypotheses and use them to guide the search for unusual behavior.
A hypothesis-based hunt can include studying global threat intelligence to determine the kinds of cyber threats most likely to be present. For example, threat hunters can draw on behavioral analytics, intelligence feeds, and threat hunting libraries such as the MITRE ATT&CK framework, a publicly available knowledge base of adversary tactics and techniques compiled from real-world observations. These libraries allow hunters to develop hypotheses about what kinds of attacks an organization may face and the best defensive tactics.
Hypothesis-based hunting is often preferred because it can surface developing threats early, before any alert fires.
- Investigation-based hunting: This approach involves a deep dive into the data to manually uncover signs of malicious activity that other security solutions may not have identified. This method relies heavily on the threat hunter’s knowledge and experience to anticipate possible threats.
For investigation-based hunting, threat hunters use various tools, such as endpoint management, security monitoring, forensic analysis, and other analytical tools, to gather and analyze real-time and historical data to identify and investigate potential threats.
Investigation-based hunting can be either proactive or reactive. Proactive hunts investigate potential threats, while reactive hunts are triggered by alerts or anomalies detected by automated systems.
- Intelligence-based hunting: While threat hunting ideally looks for malicious behavior not yet covered by the latest threat intelligence, intelligence-driven hunting, also known as intel-based hunting, is informed by it.
Threat hunters use intelligence-driven hunting to gain valuable information about current or potential threats, including indicators of compromise (IoC) and IoA. This information helps threat hunters focus their efforts and develop hypotheses about potential threats within their organization’s environment.
Intelligence-based threat hunting is generally considered proactive, as threat hunters can use the intelligence to anticipate and mitigate known threat vectors before they are exploited. However, in some cases, you will have no choice but to react to a situation that has already developed.
Intelligence-based hunting is reactive when threat hunters use existing intelligence to identify known indicators of incoming or ongoing threats. For example, if a hunt starts from an IoC, hunters structure it to find the root cause and contain the damage without yet knowing whether the attacker has already gained a foothold in the environment.
In the following section, we’ll delve deeper into how different threat hunting types leverage these methodologies to understand what makes each an essential component of a comprehensive threat hunting strategy.
Types of threat hunting
While the hypothesis-based, investigation-based, and intelligence-based methodologies provide structured approaches and processes for identifying threats, several types of threat hunting use these methodologies to help hunters focus on specific areas within an organization’s infrastructure.
Common types of threat hunting include:
- Situational threat hunting: Situational or entity-driven hunting focuses on specific events, entities, or situations that may pose a heightened risk to an organization’s security. This approach is targeted and often based on knowledge about current threat trends or specific intelligence about a potential threat.
While situational threat hunting can be reactive or proactive, it is distinct in its focus on specific situations or entities at higher risk.
- Unstructured threat hunting: Unstructured threat hunting starts from a trigger or an indicator of compromise. The hunter searches the network for malicious patterns before and after the trigger or IoC. This type of hunting is more freestyle, allowing threat hunters to be guided by their curiosity and work off hunches.
Unstructured threat hunting can also be reactive or proactive and differs from other hunt types due to its exploratory nature.
- Structured threat hunting: Structured threat hunting involves an organized and systematic approach. It typically begins with a hypothesis about a potential threat or anomaly, followed by a rigorous investigation to prove or disprove the hypothesis.
Structured threat hunting differs slightly from other threat hunting types because it is more hypothesis-driven and not reactive.
- Hybrid threat hunting: Hybrid threat hunting combines multiple methodologies to identify and mitigate threats within an organization’s network. It can integrate investigation-based, hypothesis-based, and intelligence-based methods to create a more robust detection strategy.
A primary reason for using hybrid threat hunting is its ability to provide a comprehensive view of potential threats and its adaptability to different scenarios.
As you can see, each practice serves different purposes to support an organization’s ability to defend against potential threats before they can cause damage, quickly react to threats as they happen, and provide valuable insights for refining future threat detection, remediation, and security measures.
In the next section, we’ll outline five steps threat hunters commonly use to conduct successful threat hunts. These steps can provide a clear roadmap to guide your efforts in identifying and mitigating potential threats.
[Watch on-demand webinar: How Tanium transforms cyber incident response]
What does a cyber threat hunter do? How threat hunting works in 5 steps
The threat hunting process typically involves these five essential steps to guide threat hunters from research to resolution:
- Researching and hypothesis creation: The first step for a threat hunt is to study and develop a hypothesis the hunt will test.
These hypotheses tend to be narrow but should include theories about the potential threats lurking in the environment and the strategies that will be used to uncover them. For example, if the threat hunter knows that attackers commonly install services remotely, they might decide to focus the search on those services.
This phase can include reading about the latest threats and cyber threat intelligence from open-source intelligence feeds and even social media to develop a hypothesis.
- Data gathering: Now that there’s a hypothesis, the next step is to identify and gather the data, such as system logs, network traffic, and endpoint telemetry. Threat hunters will then use this data to look for anomalies and outliers pointing to potential threats.
- Identifying the trigger: Using the collected data, hunters will determine the “trigger” or the starting point for further analysis.
Triggers can be anything that could indicate a potential threat, such as an unusual level of network activity in a particular node, an app installed on the endpoint device of a user who shouldn’t need that software, or a user whose device has characteristics not shared by the devices of others who fill similar roles in the organization.
A trigger also doesn’t have to originate from an analysis of the environment. Even a hypothesis about a new threat can trigger proactive hunting.
- Investigating: Investigation is the point in the threat hunting process where you discover whether your hypothesis is correct. Further examination of the trigger will determine if it is a true positive or if there is an innocent explanation for the anomaly.
Even if the anomalies are part of standard business practice in some departments, they could point to flawed procedures that may inadvertently create cybersecurity vulnerabilities.
- Resolving: Once the investigation is complete, threat hunters must take the appropriate actions to respond to and resolve the identified threat. This may include containing the threat, eradicating it, and implementing measures to prevent future occurrences.
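To make the five steps concrete, here is an added example (not code from the original post or from Tanium) that walks the page’s own hypothesis, that attackers commonly install services remotely, through steps 1 to 4. It assumes simplified event records modelled on Windows System log Event ID 7045 (a service was installed) and Security log Event ID 4624 (successful logon, where logon type 3 is a network logon); the hosts, accounts, binary paths, the ten-minute correlation window, and the known-good deployment list are all constructed for illustration.

```python
"""Hypothesis-driven hunt for remotely installed services.

Added illustration, not Tanium's code. Events are simplified dictionaries
modelled on Windows Event ID 7045 (service installed) and Event ID 4624
(successful logon; logon_type 3 = network). All records are constructed."""
from datetime import datetime, timedelta

# Step 1 - research and hypothesis, written down so the hunt is repeatable.
HYPOTHESIS = ("A service installed within 10 minutes of a network logon on the "
              "same host by the same account was installed remotely.")
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Step 2 - data gathering: constructed logon (4624) and service-install (7045) events.
LOGONS = [
    {"ts": "2024-05-01T09:58:00", "host": "FS01", "user": "svc_deploy", "logon_type": 3},
    {"ts": "2024-05-01T10:00:00", "host": "WS17", "user": "jdoe", "logon_type": 2},
    {"ts": "2024-05-01T10:02:30", "host": "WS17", "user": "admin-k", "logon_type": 3},
]
SERVICE_INSTALLS = [
    {"ts": "2024-05-01T10:01:00", "host": "FS01", "user": "svc_deploy",
     "service": "SCCM Agent", "image": r"C:\Windows\CCM\CcmExec.exe"},
    {"ts": "2024-05-01T10:03:10", "host": "WS17", "user": "admin-k",
     "service": "WinUpdt", "image": r"C:\Users\Public\upd.exe"},
    {"ts": "2024-05-01T10:05:00", "host": "WS17", "user": "jdoe",
     "service": "Dropbox Update", "image": r"C:\Program Files\Dropbox\Update\DropboxUpdate.exe"},
]
# Assumed institutional knowledge used in step 4: documented deployment accounts and paths.
KNOWN_DEPLOY_ACCOUNTS = {"svc_deploy"}
TRUSTED_IMAGE_PREFIXES = (r"C:\Windows\CCM", r"C:\Program Files")


def parse(ts):
    return datetime.fromisoformat(ts)


def find_triggers(logons, installs, window=WINDOW):
    """Step 3 - identify triggers: service installs that follow a network logon
    (type 3) by the same account on the same host within `window`."""
    network_logons = [lg for lg in logons if lg["logon_type"] == 3]
    triggers = []
    for inst in installs:
        t_inst = parse(inst["ts"])
        for lg in network_logons:
            delta = t_inst - parse(lg["ts"])
            if (lg["host"] == inst["host"] and lg["user"] == inst["user"]
                    and timedelta(0) <= delta <= window):
                triggers.append({**inst, "logon_ts": lg["ts"]})
                break
    return triggers


def investigate(trigger):
    """Step 4 - investigate: is there an innocent explanation for the remote install?"""
    trusted_path = trigger["image"].startswith(TRUSTED_IMAGE_PREFIXES)
    if trigger["user"] in KNOWN_DEPLOY_ACCOUNTS and trusted_path:
        return "benign: documented deployment account and trusted path"
    if not trusted_path:
        return "suspicious: service binary outside trusted paths"
    return "review: undocumented account installing from a trusted path"


def run_hunt(logons=LOGONS, installs=SERVICE_INSTALLS):
    """Runs steps 3 and 4 and returns (host, service, verdict) per trigger.
    Step 5, resolution, is the team's action on these results."""
    return [(t["host"], t["service"], investigate(t)) for t in find_triggers(logons, installs)]


if __name__ == "__main__":
    print(HYPOTHESIS)
    for host, service, verdict in run_hunt():
        print(f"{host:5} {service:14} {verdict}")
```

The interactive logon by jdoe (logon type 2) never becomes a trigger, which is the point of writing the hypothesis as a predicate: the hunt only surfaces installs that match the stated theory, and the investigate step then separates the documented deployment from the binary launched out of a user-writable directory.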
Common threat hunting techniques with examples
Threat hunters don’t mindlessly sort through mountains of data, hoping to spot an anomaly.
Threat hunting is essentially a search for patterns and deviations. To achieve this, common threat hunting techniques used to determine anomalies include:
- Clustering: The clustering threat hunting technique starts by cataloging common features. From there, hunters use statistical analysis to detect anomalies within those features.
For example, if an otherwise routine attribute, such as the hash of a file that should never change, begins to vary, it may indicate a threat. A hash value is a fixed-length fingerprint computed from a file’s contents; any change to the contents produces a different hash, so unexpected hash changes are a potential threat signal. Hash values are also commonly used as search terms in intelligence-based hunting.
- Frequency: Analyzing frequency focuses on the rate at which specific events or activities occur to identify unusual patterns. A process that repeats more often than expected can be a key indicator of a potential threat.
By analyzing the frequency of these events, the threat hunter can identify and investigate potential threats that deviate from normal behavior. For instance, a threat hunter might examine the frequency of login attempts to a particular server. An unusually high number of login attempts within a short period could indicate a brute-force attack.
- Grouping: Grouping is a refinement of clustering that emphasizes a subset of network features.
If you have identified potentially malicious behavior, you can use grouping to better focus your hunt on areas with concentrated levels of suspicious activity. By grouping and analyzing similar types of network traffic, a threat hunter can uncover hidden threats that might not be apparent when looking at individual events in isolation.
An example of grouping in threat hunting involves categorizing network traffic based on the protocol used. For instance, a threat hunter might group all HTTP traffic and then analyze these grouped events to identify unusual patterns. Significant HTTP traffic to an unfamiliar or suspicious domain could indicate a potential threat, such as command-and-control communication.
- Stacking: One of the characteristics that can point to malicious activity is the presence of more (or fewer) occurrences of an otherwise benign type of data. Stacking, or stack counting, tabulates occurrences and identifies anomalies for in-depth review.
For example, a threat hunter might use a tool to query all endpoint devices in the network and look for a small number of hosts running specific software that is not commonly used. By stacking the data and sorting the results, a hunter can identify these unique systems, which may have been recently patched, misconfigured, or infected with malware, and so pinpoint potential threats that stand out from the norm and require further investigation.
- Volume: Volumetric analysis examines the volume of data sent outside the network or other anomalous quantity-related characteristics.
For instance, a threat hunter might analyze network traffic to determine which endpoint sent the most data over a specific period. By comparing the data volumes, a hunter can identify anomalies, such as an endpoint or IP address that suddenly starts transmitting a large amount of data, which could indicate data exfiltration or other malicious activity.
While this list covers many key elements that threat hunters look for, it is not exhaustive. The techniques hunters use can be as diverse as the threat hunters themselves, as each threat hunt can involve new indicators and patterns unique to evolving threats and environments.
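As an added illustration (not code from the original post), the following Python runs three of the techniques above, frequency, stacking, and volume, over constructed sample telemetry. The log format, host names, the sixty-second window and five-failure threshold for the frequency check, the one-host rarity cut-off for stacking, and the five-times-median rule for volume are assumptions chosen for the example.

```python
"""Frequency, stacking and volume analysis over constructed telemetry.

Added example, not code from the original post. Log shapes, thresholds and
host names are assumptions for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed authentication log: (timestamp, source ip, target server, outcome)
AUTH_LOG = [
    ("2024-05-01T10:00:00", "10.0.0.5", "srv-db", "fail"),
    ("2024-05-01T10:00:03", "10.0.0.5", "srv-db", "fail"),
    ("2024-05-01T10:00:05", "10.0.0.5", "srv-db", "fail"),
    ("2024-05-01T10:00:07", "10.0.0.5", "srv-db", "fail"),
    ("2024-05-01T10:00:09", "10.0.0.5", "srv-db", "fail"),
    ("2024-05-01T10:00:11", "10.0.0.5", "srv-db", "success"),
    ("2024-05-01T10:15:00", "10.0.0.9", "srv-db", "fail"),
    ("2024-05-01T11:40:00", "10.0.0.9", "srv-db", "success"),
]
# Constructed software inventory: host -> installed packages
INVENTORY = {
    "ws-01": {"Chrome", "Office", "Zoom"},
    "ws-02": {"Chrome", "Office", "Zoom"},
    "ws-03": {"Chrome", "Office", "Zoom", "Slack"},
    "ws-04": {"Chrome", "Office", "Slack"},
    "ws-05": {"Chrome", "Office", "Zoom", "AnyDesk"},
}
# Constructed egress totals: host -> bytes sent to the internet in the last 24h
EGRESS_BYTES = {"ws-01": 180_000_000, "ws-02": 210_000_000, "ws-03": 150_000_000,
                "ws-04": 195_000_000, "ws-05": 6_400_000_000}


def frequency_bruteforce(log, window=timedelta(seconds=60), threshold=5):
    """Frequency: count failed logins per (source, target) inside a sliding window.
    Returns (source, target, failures_in_burst, success_followed) for each burst
    of at least `threshold` failures; a success right after a burst is the case
    a hunter most wants to see."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, src, dst, outcome in log:
        bucket = fails if outcome == "fail" else successes
        bucket[(src, dst)].append(datetime.fromisoformat(ts))
    hits = []
    for key, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                followed = any(start <= s <= burst[-1] + window for s in successes.get(key, []))
                hits.append((key[0], key[1], len(burst), followed))
                break
    return hits


def stack_rare_software(inventory, max_hosts=1):
    """Stacking: tabulate how many hosts carry each package and return the rare
    ones (installed on at most `max_hosts` hosts) with the hosts that have them."""
    counts = Counter(pkg for pkgs in inventory.values() for pkg in pkgs)
    return {pkg: sorted(h for h, pkgs in inventory.items() if pkg in pkgs)
            for pkg, n in counts.items() if n <= max_hosts}


def volume_outliers(egress, factor=5.0):
    """Volume: flag hosts whose outbound bytes exceed `factor` times the fleet
    median, reporting the ratio. The median resists being dragged by the outlier."""
    med = median(egress.values())
    return {h: round(b / med, 1) for h, b in egress.items() if b > factor * med}


if __name__ == "__main__":
    print("frequency:", frequency_bruteforce(AUTH_LOG))
    print("stacking: ", stack_rare_software(INVENTORY))
    print("volume:   ", volume_outliers(EGRESS_BYTES))
```

Each function returns the anomaly rather than a verdict: the burst of failures followed by a success, the package present on a single host, and the host sending about thirty times the median. Those are triggers in the sense of the five steps above, and the investigation that follows decides whether each one has an innocent explanation.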
What tools are used for threat hunting?
Tools play a vital role in threat hunting, allowing hunters to gain comprehensive visibility and real-time data essential for effectively detecting, investigating, and mitigating threats.
Like the range of techniques that can be used, threat hunters must also be proficient in various tools and technologies for threat detection and analysis, as different threat hunts can require different capabilities to address unique needs and objectives.
Tools threat hunters commonly use include:
- Endpoint management solutions: Endpoints are often the primary targets for cyberattacks. They represent the attack surface where threats can infiltrate an organization’s network. By managing and monitoring endpoints, organizations can detect and respond to threats immediately, preventing them from spreading and causing more significant damage.
Visibility into endpoints allows organizations to see every device connected to the network, understand their configurations, and identify any associated risks. This comprehensive view is essential because, as the saying goes, “You can’t secure what you can’t see.” Detecting anomalies or suspicious activities that may indicate a potential threat is challenging without visibility.
Many endpoint solutions are available today, from Endpoint Detection and Response (EDR) to converged endpoint management. You can learn more about the differences between popular endpoint management solutions to help determine the best tool to support your threat hunting needs.
- Network Traffic Analysis (NTA): NTA tools monitor network traffic for signs of malicious activity. They analyze network flows and detect anomalies that may indicate a potential threat.
- Security Information and Event Management (SIEM): SIEM systems collect and analyze log data from various sources within an organization’s IT infrastructure. They analyze security alerts generated by apps and network hardware. SIEM tools help identify and respond to potential threats by correlating events and providing a centralized view of security incidents.
- Threat Intelligence Platforms (TIPs): TIPs aggregate and analyze threat data from various sources to provide actionable intelligence. They help teams stay informed about the latest threats and vulnerabilities, enabling proactive threat hunting and mitigation.
[Read also: AI vs. humans: Why SecOps may (not) be the next battleground]
How AI is transforming threat hunting
An integral part of threat hunting involves distilling insights from large datasets. However, the traditionally manual efforts to review and analyze vast amounts of data are no longer feasible for modern threat hunters due to the overwhelming volume of data generated by various sources. Analyzing this data manually is time-consuming and prone to human error, which can lead to missed threats and delayed responses. Additionally, the complexity of modern cyber threats makes it difficult for human analysts to detect and respond to them effectively.
What does this mean for threat hunting? Next-gen security tools are evolving to use automation that leverages AI and machine learning, showing promising results in addressing these challenges. These tools can quickly process and analyze vast amounts of data to identify patterns and anomalies that may indicate threats.
For example, machine learning algorithms can be trained to recognize the behavior of known threats and detect deviations from normal activity, which can help identify new and unknown threats. AI-powered tools can also automate repetitive tasks, such as data collection, correlation, and initial analysis, freeing human analysts to focus on more complex and strategic tasks.
AI and machine learning can also continuously learn and adapt to new threats, improving their detection capabilities. This dynamic approach is crucial in the ever-evolving landscape of cyber threats, where new attack vectors and techniques constantly emerge. By leveraging these advanced technologies, today’s threat hunters can enhance their detection and response capabilities, reduce the time it takes to detect and mitigate threats, and improve overall security posture.
[Read also: The ultimate guide to AI cybersecurity: Benefits, risks, and rewards]
Now that you know the tools threat hunters rely on, let’s examine some best practices you can use to elevate threat hunting.
How can you improve the threat hunting process?
Effective threat hunting doesn’t happen by chance. Like most cybersecurity operations, it requires continuous innovation and improvement.
By adhering to these best practices, you can enhance your ability to proactively defend against emerging threats and become a more proficient and confident threat hunter.
Prioritize preparation
Understanding where to start the hunt is one of the most significant challenges in threat hunting. You often begin with a wide-open field that you’ll need to narrow down into a hypothesis you can confirm or invalidate.
Giving yourself ample time in this initial phase will increase the success rate of your threat hunts. If you plan a weeklong hunt, spend the first two or three days researching the correct artifacts and the proper data you must collect. This provides a solid foundation for the hunt, so you aren’t simply casting around in the dark.
Remember, even if a threat hunting hypothesis doesn’t lead you to uncover an active threat, it can unearth actionable security data your organization can use to improve its defenses.
Create a baseline to understand the environment
Before you begin any threat hunting operation, you should know your environment. Threat hunting is easier when you understand what normal endpoint operations look like. The baseline can be informed by policy or understood by collecting data from your environment over time.
Examples of baseline data to collect include a list of approved:
- Software
- Network ports
- Running services
- Autoruns
This preparation allows you to form accurate hypotheses and helps you focus on relevant areas to distinguish between normal and suspicious activity more easily. Once this foundation is set, leveraging real-time data becomes essential to detect deviations and anomalies swiftly.
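The following added example (not code from the original post) turns the four baseline categories above into a deviation check: each host’s observed software, listening ports, services, and autoruns is compared against an approved baseline, and required controls that are absent are reported alongside items that are present but unapproved. The baseline, the required-control list, the severity weights, and the host inventories are constructed for illustration.

```python
"""Baseline deviation check for software, ports, services and autoruns.

Added example, not code from the original post. The approved baseline,
required controls, weights and per-host observations are constructed."""

# Approved baseline (assumed, informed by policy): what a standard workstation should run.
BASELINE = {
    "software": {"Chrome", "Office", "Zoom", "EDR Agent"},
    "ports": {135, 139, 445, 3389},
    "services": {"EDR Agent", "Windows Update", "Print Spooler"},
    "autoruns": {r"C:\Program Files\EDR\agent.exe", r"C:\Program Files\Zoom\bin\Zoom.exe"},
}
# Controls that must be present; their absence is a finding in its own right (assumed).
REQUIRED = {"software": {"EDR Agent"}, "services": {"EDR Agent"}}

# Constructed per-host observations, as an endpoint tool might return them.
OBSERVED = {
    "ws-01": {"software": {"Chrome", "Office", "Zoom", "EDR Agent"},
              "ports": {135, 139, 445, 3389},
              "services": {"EDR Agent", "Windows Update", "Print Spooler"},
              "autoruns": {r"C:\Program Files\EDR\agent.exe", r"C:\Program Files\Zoom\bin\Zoom.exe"}},
    "ws-02": {"software": {"Chrome", "Office", "Zoom", "EDR Agent", "ngrok"},
              "ports": {135, 139, 445, 3389, 4444},
              "services": {"EDR Agent", "Windows Update", "Print Spooler", "UpdaterSvc"},
              "autoruns": {r"C:\Program Files\EDR\agent.exe", r"C:\Users\Public\run.vbs"}},
    "ws-03": {"software": {"Chrome", "Office"},
              "ports": {135, 139, 445},
              "services": {"Windows Update", "Print Spooler"},
              "autoruns": set()},
}


def deviations(baseline, required, observed):
    """Per host, list items present but not approved (unapproved_<category>) and
    required controls that are missing (missing_<category>). Hosts matching the
    baseline produce no entry."""
    report = {}
    for host, obs in observed.items():
        findings = {}
        for cat, approved in baseline.items():
            unapproved = sorted(map(str, obs.get(cat, set()) - approved))
            if unapproved:
                findings[f"unapproved_{cat}"] = unapproved
        for cat, must_have in required.items():
            missing = sorted(must_have - obs.get(cat, set()))
            if missing:
                findings[f"missing_{cat}"] = missing
        if findings:
            report[host] = findings
    return report


def prioritize(report):
    """Order hosts for follow-up: an unapproved autorun or listening port outranks
    an unapproved package, and a missing security agent ranks in between (assumed weights)."""
    weights = {"unapproved_autoruns": 3, "unapproved_ports": 3, "unapproved_services": 2,
               "unapproved_software": 1, "missing_software": 2, "missing_services": 2}
    return sorted(report, key=lambda h: -sum(weights[k] * len(v) for k, v in report[h].items()))


if __name__ == "__main__":
    report = deviations(BASELINE, REQUIRED, OBSERVED)
    for host in prioritize(report):
        print(host, report[host])
```

The check is deliberately two-sided: a host that has gained something (ws-02) and a host that has lost a required control (ws-03) are both deviations from the baseline, and the second kind is easy to miss if you only search for unknown items.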
Use real-time endpoint data
Using real-time endpoint data means gathering and analyzing data from every endpoint to understand its current state. Without real-time information, threat hunters might miss new threats and fail to detect anomalies promptly.
Outdated data does not reflect the current state of the environment, so it can lead to incomplete risk assessments and false positives. Stale data also hinders the ability to correlate events across the network, making it harder to identify and respond to threats effectively.
Real-time data is essential for swift and accurate threat detection and incident response for many reasons, including:
- The constant flow of real-time device information creates a holistic view across endpoints, allowing threat hunters to detect anomalies and suspicious activities as they happen rather than relying on periodic scans or delayed reports. This immediacy is crucial for catching threats that might slip through the cracks.
- Comprehensive visibility also helps hunters identify patterns and correlations that might indicate a sophisticated attack. For example, subtle signs of lateral movement or advanced persistent threats that attempt to stay undetected within the network can be detected more easily when all endpoints are monitored continuously.
- Real-time data provides context essential for understanding the nature of a threat. For instance, knowing the exact sequence of events leading to a suspicious activity can help threat hunters determine whether it is part of a more significant, sophisticated attack. This context is often missing in traditional security solutions that rely on isolated data points.
- Real-time endpoint data enables quick action when a potential threat is detected. Threat hunters can immediately isolate compromised endpoints, deploy patches, or take other remedial actions to prevent the threat from spreading. This rapid response capability is vital for mitigating the impact of threats.
- Insights into real-time endpoint data also support enforcing security policies, as threat hunters can ensure that all devices are up to date with the latest security measures, reducing vulnerabilities that attackers could exploit.
Overall, real-time endpoint data supports both proactive and reactive threat hunting approaches by providing the continuous visibility, immediate detection, enhanced context, and rapid response capabilities needed to strengthen the overall security posture and help organizations stay ahead of potential attackers.
Assemble an effective threat hunting team
It’s crucial to assemble a team with the proper skill sets. For example, an effective team of hunters will include people with forensic skills to determine root causes, data analysis capabilities to pinpoint anomalies, and theoretical brainpower to generate threat hypotheses and organize the hunt.
Ideally, the team needs members who bring different perspectives to the hunt, represent various areas of expertise, and have varying levels of experience, including:
- Seasoned security professionals with experience around many cybersecurity threats the organization could face are essential to threat hunting. Many threat hunters start their careers as security analysts or gain experience with threats by working in related cybersecurity roles or teams, such as security operations centers (SOCs). Lean on them to help steer the process and develop a plan.
- However, professionals immersed in fighting cybercrime rarely use technology the way average users do, which can lead them to overlook common security threats. To overcome this challenge, include junior associates, perhaps a team member who is newly out of school, in the hunt’s planning and execution.
- It’s best practice to include someone who has recently joined the company. Their fresh perspective can identify potential threats based on typical user behavior and adds tremendous value in detecting novel types of threats.
- The threat hunting team should also include at least one member with deep and broad institutional knowledge. This internal intelligence will help determine whether an unusual pattern is genuinely anomalous or part of the regular business practices of a particular department, which can save you a lot of time following up on dead ends.
Listen to the podcast: How to lead a threat intelligence team
Set a duration for the hunt
Setting a time duration for threat hunting offers several benefits. Firstly, it helps structure the threat hunting process, making it easier to build the team needed, allocate resources more effectively, and ensure that each hunt is comprehensive and well-documented.
Defining a specific time frame also helps maintain consistent and repeatable processes that aid in refining techniques and strategies, leading to more efficient and effective threat detection over time. With better tracking of progress and results, teams can more easily identify patterns and improvement areas, enabling them to compare results over different periods and providing valuable insights into the effectiveness of their threat hunting efforts.
Measure success
Having a defined time for the search is also crucial in organizations driven by metrics. The number of threats found doesn’t always determine the success of a threat hunt, so an ongoing and ad hoc search might yield disappointing metrics.
Instead, when the goal is to spend a set amount of time on each hunt, the success is determined by execution rather than the number of threats discovered. This shift in defining success can deliver the positive metrics you need to maintain management support for threat hunting as an essential cybercrime deterrent.
Additionally, there are a number of other key metrics you can use to measure the success of a threat hunting program:
- One important metric is the number of detections created or updated, which shows the number of new or improved threat detections developed.
- Organizations should measure the mean time to detect threats and mean time to repair once a threat is identified to inform efforts to improve the efficiency of their detection and response efforts.
- Tracking the number of incidents triggered by threat hunting efforts can help demonstrate the added value of human-led threat hunting.
- A reduction in dwell time, which indicates how quickly threats are detected and neutralized, is also a crucial metric.
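The metrics listed above, computed per reporting period from a handful of hunt records. This is an added example, not code from the post or from Tanium; the record fields and every value in them are constructed, and the code also shows why a period with zero incidents needs handling (its time-based metrics are undefined, not zero) and how two periods are compared, as the post recommends.

```python
"""Threat hunting program metrics, computed per reporting period.

Added example (not code from the post or from Tanium). It assumes each hunt
is logged as a record like the constructed ones below; the field names and
all values are invented for illustration.
"""
from datetime import datetime
from statistics import mean

# Constructed hunt records. "first_activity" is the earliest attacker activity
# the hunt uncovered, "detected" is when the hunter confirmed it, "remediated"
# is when containment finished. A hunt that found nothing still records the
# detections it produced, which is how "success by execution" is captured.
HUNTS = [
    {"hunt": "H-01", "period": "Q1", "detections_created": 1, "detections_updated": 0,
     "first_activity": None, "detected": None, "remediated": None},
    {"hunt": "H-02", "period": "Q1", "detections_created": 2, "detections_updated": 1,
     "first_activity": "2024-01-03T08:00", "detected": "2024-01-10T14:00",
     "remediated": "2024-01-10T18:00"},
    {"hunt": "H-03", "period": "Q2", "detections_created": 0, "detections_updated": 2,
     "first_activity": "2024-04-02T09:00", "detected": "2024-04-04T09:00",
     "remediated": "2024-04-04T11:00"},
    {"hunt": "H-04", "period": "Q2", "detections_created": 1, "detections_updated": 1,
     "first_activity": "2024-05-20T00:00", "detected": "2024-05-21T00:00",
     "remediated": "2024-05-21T06:00"},
]


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def period_metrics(hunts, period):
    """Summarize one period. Time-based metrics are None when no hunt in the
    period surfaced an incident, rather than dividing by zero."""
    rows = [h for h in hunts if h["period"] == period]
    incidents = [h for h in rows if h["detected"] is not None]
    summary = {
        "hunts": len(rows),
        "detections_created": sum(h["detections_created"] for h in rows),
        "detections_updated": sum(h["detections_updated"] for h in rows),
        "incidents_triggered": len(incidents),
        "mttd_hours": None,   # mean time to detect: first activity -> detection
        "mttr_hours": None,   # mean time to repair: detection -> remediation
        "dwell_hours": None,  # dwell time: first activity -> remediation, i.e. the
                              # post's "detected and neutralized"; some teams end
                              # dwell time at detection instead
    }
    if incidents:
        summary["mttd_hours"] = mean(_hours(h["first_activity"], h["detected"]) for h in incidents)
        summary["mttr_hours"] = mean(_hours(h["detected"], h["remediated"]) for h in incidents)
        summary["dwell_hours"] = mean(_hours(h["first_activity"], h["remediated"]) for h in incidents)
    return summary


def compare_periods(hunts, earlier, later):
    """Change in each metric from one period to the next (later minus earlier).
    A metric undefined in either period stays None."""
    a, b = period_metrics(hunts, earlier), period_metrics(hunts, later)
    return {k: (None if a[k] is None or b[k] is None else b[k] - a[k]) for k in a}


if __name__ == "__main__":
    for p in ("Q1", "Q2"):
        print(p, period_metrics(HUNTS, p))
    print("Q1->Q2", compare_periods(HUNTS, "Q1", "Q2"))
```

Note that the comparison treats a drop in detections created as a negative number even though a mature rule set naturally produces fewer new detections over time; read that metric alongside detections updated rather than on its own.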
Collectively, these metrics help evaluate the effectiveness and impact of threat hunting activities, but on their own they capture only part of the success of your efforts. For success metrics to tell the full story, threat hunters must align their efforts with overall business goals.
For instance, various use cases for threat hunting may require tailored approaches, such as focusing on fraud detection for financial institutions or protecting patient data for healthcare organizations, so measuring the success of these threat hunts will likely be different.
Determining what a successful threat hunt should look like must occur during the planning and research phase to ensure that the strategies used and metrics captured specifically address the organization’s needs and objectives. This will allow the hunt outcomes to be quantifiable, trackable, and more meaningful in helping enhance an organization’s unique cybersecurity efforts.
What is an example of threat hunting? Real-world demo
Sometimes, you have to see it to really understand how it works. All these theoretical methodologies and techniques for threat hunting can be challenging to imagine without seeing what it may actually look like in the wild.
To help you better understand what to look for and practical applications of this guide’s best practices, we’ll walk through a reactive, unstructured threat hunting scenario with Matt, a seasoned threat hunter who received an alert about a process that’s recently been disabled on an endpoint.
Let’s follow along as he uses Tanium Threat Response to identify, investigate, and contain the threat in under 5 minutes, as shared in Threat Response In Real Life – Tanium Tech Talks #66. The timestamps below highlight the relevant areas within the demo video.
- 3:17 — Matt receives an alert about anomalous behavior on an endpoint.
- 3:59 — Using Tanium, he looks through the endpoint details, which include the event information, to learn what’s happened. He can see the process executed in the command line, the process ID (PID), and the process name, in addition to timestamps and user information involved.
- 4:37 — He sees that `firewall set opmode mode=disable` has disabled the Microsoft Windows Firewall across all profiles.
- 5:10 — Matt looks through the process ancestry to understand what’s been executed and from where.
- 5:39 — He uses Tanium to pivot to the MITRE ATT&CK framework to understand that the threat maps to the Impair Defenses: Disable or Modify System Firewall technique.
- 6:18 — Matt continues the investigation to understand the type of attack occurring and how it’s impacting the environment.
- 7:05 — He determines the command that’s overriding the default firewall policy.
With this command identified, Matt can locate the PowerShell script file and uncover where the threat originated, including what user downloaded it and where. He also takes action to contain the threat while saving artifacts about the threat hunt for later forensics.
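What Matt does by hand in the demo, recognizing the firewall-disabling command line, walking the process ancestry back to the PowerShell script, and mapping the activity to ATT&CK, can be written down as detection logic over endpoint process telemetry. The following is an added example and is not Tanium's code or anything from the Tech Talk: the event fields are an assumption about what an endpoint tool exports, the sample events, user and script path are constructed, and the `netsh advfirewall` pattern goes beyond the demo's legacy `netsh firewall` syntax so the check also covers the current form of the command.

```python
"""Flag firewall-disabling commands in endpoint process telemetry and walk
the process ancestry back to the script that launched them.

Added example, not Tanium's code or anything from the Tech Talk. It assumes
process events are available as records with pid, parent pid, user,
timestamp and full command line; the events below are constructed.
"""
import re
from dataclasses import dataclass

# ATT&CK technique named in the demo: Impair Defenses: Disable or Modify
# System Firewall (sub-technique T1562.004).
ATTACK_TECHNIQUE = "T1562.004"

# Command lines that switch the Windows Firewall off. The legacy
# "netsh firewall set opmode ... disable" form is the one in the demo; the
# current "netsh advfirewall set <profile> state off" form is included so
# the check does not miss the modern syntax.
FIREWALL_DISABLE_PATTERNS = [
    re.compile(r"netsh\s+firewall\s+set\s+opmode\b.*\bdisable\b", re.IGNORECASE),
    re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.IGNORECASE),
]
# Pulls the script path out of a "powershell ... -File <path>" command line.
SCRIPT_ARG = re.compile(r"-File\s+(\"[^\"]+\"|\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    pid: int
    ppid: int
    user: str
    cmdline: str


# Constructed sample telemetry: the user's shell runs a downloaded script,
# which spawns netsh to disable the firewall; notepad.exe is unrelated noise.
# explorer.exe's parent (pid 4000) is deliberately absent from the telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-01T09:12:44Z", 5120, 4000, "CORP\\jdoe", "C:\\Windows\\explorer.exe"),
    ProcessEvent("2024-05-01T09:13:02Z", 6001, 5120, "CORP\\jdoe",
                 "powershell.exe -File C:\\Users\\jdoe\\Downloads\\invoice.ps1"),
    ProcessEvent("2024-05-01T09:13:03Z", 6017, 6001, "CORP\\jdoe", "netsh firewall set opmode mode=disable"),
    ProcessEvent("2024-05-01T09:14:10Z", 6030, 5120, "CORP\\jdoe", "notepad.exe C:\\Users\\jdoe\\notes.txt"),
]


def is_firewall_disable(cmdline: str) -> bool:
    """True when the command line matches a known firewall-disable pattern."""
    return any(p.search(cmdline) for p in FIREWALL_DISABLE_PATTERNS)


def ancestry(events, pid):
    """Chain of events from pid up to the oldest ancestor present in the
    telemetry, child first. Stops on a missing parent or a pid cycle, since
    Windows reuses pids and a stale record could otherwise loop forever."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def originating_script(chain):
    """The -File argument of the nearest PowerShell ancestor, if any."""
    for e in chain:
        if "powershell" in e.cmdline.lower():
            m = SCRIPT_ARG.search(e.cmdline)
            if m:
                return m.group(1).strip('"')
    return None


def hunt_firewall_tampering(events):
    """One finding per firewall-disable event, with its ancestry, the user,
    the ATT&CK mapping and the script that started the chain."""
    findings = []
    for e in events:
        if not is_firewall_disable(e.cmdline):
            continue
        chain = ancestry(events, e.pid)
        findings.append({
            "ts": e.ts,
            "pid": e.pid,
            "user": e.user,
            "technique": ATTACK_TECHNIQUE,
            "ancestry": [a.cmdline for a in chain],
            "script_path": originating_script(chain),
        })
    return findings


if __name__ == "__main__":
    for f in hunt_firewall_tampering(SAMPLE_EVENTS):
        print(f)
```

The ancestry walk stops at the first parent that is missing from the telemetry, which is exactly where a hunter's visibility ends; the finding still carries the script path and the account that ran it, which is the pivot the demo uses to ask where the file came from.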
Where does proactive threat hunting fit in with your security strategy?
If your organization isn’t proactively hunting for cyber threats, it should be. Proactive threat hunting is essential to the health of your environment. The best time to start threat hunting was years ago. The next best time is right now.
As organizations grow increasingly aware of the benefits of proactive threat detection and tailored intelligence, integrating sophisticated threat hunting strategies into broader cybersecurity frameworks is not only recommended but essential.
Cybersecurity threats evolve constantly, and threat hunters need the flexibility to customize tools to fit their needs. Fortunately, advanced cybersecurity tools are available to help threat hunters quickly develop the features they need to seek out novel threats.
Tanium’s unified platform enhances security and the effectiveness of threat hunting by enabling automated hunting, early detection, and rapid incident response, making it a powerful tool for maintaining a secure environment.
With real-time visibility, granular data collection, comprehensive control, and integrations with essential security tools like Microsoft Sentinel, ServiceNow, and other key partners, Tanium combines endpoint data with broader threat intelligence to help organizations better understand the threat landscape and improve their ability to detect and mitigate threats early and at scale.
Tanium autonomous endpoint management (AEM) keeps organizations secure by leveraging real-time data and AI to streamline endpoint management tasks. By automating time-consuming activities such as scanning, monitoring, patching, reporting, and responding to incidents, AEM also reduces the burden of manual effort and minimizes human error. This allows IT and SecOps teams to make more informed and efficient decisions about creating a solid security posture that reduces the attack surface and prevents potential breaches.
Schedule a free personalized demo of Tanium today to see how our approach to AEM can benefit your threat hunting efforts.