Threat hunting is a core function of security teams.
No organization is completely bulletproof - you’ll always have holes. And if an attacker finds just one, they can slip through undetected and either lie low or wreak havoc.
So, what exactly is threat hunting, and how does it help fight persistent threats in your network?
At its core, threat hunting is a proactive approach to security, focused on uncovering threats that may have evaded defenses like detections and endpoint protections.
These threats can come in many forms like insider threats, external attackers, nation-state adversaries, or even completely unknown exploits.
Once inside, an attacker can linger for weeks, months, or even years, stealthily gathering intel, searching for sensitive data, attempting to move laterally by stealing credentials, or even just waiting for the perfect moment to disrupt operations.
Let’s break down how threat hunting works, and how you can start doing it.
What Do I Need to Threat Hunt?
There are three main requirements you’ll need to get started:
Time - Threat hunting isn’t something you can fully automate. If it was, we’d just turn everything into detections from the start. Threats are constantly evolving and we have to keep up, so get ready to get your hands dirty.
Data - You can’t hunt without something to sift through. The more logs, the better. Choose a platform that makes searching easy and has enough historical context to give you the visibility you need (most SIEMs have options to retain logs for 13-15 months).
Threat Intelligence (Optional) - A good, focused threat hunt needs a lead. While you can start without one, going in blind is like searching for a needle in a haystack. Staying up to date with popular threat intelligence feeds can help inspire your threat hunts and point you in the right direction.
If you’ve checked at least the top two boxes, you’re ready to start hunting.
Common Triggers
While you can certainly threat hunt just for the joy of threat hunting, most hunts are focused efforts. Having a clear goal makes it easier to measure and also helps confirm whether a real threat exists.
Here are three common triggers that can kick off a threat hunt:
Hypothesis Driven - These hunts start when new threats emerge, revealing attacker tactics, techniques, and procedures (TTPs). Once a TTP is identified, the door opens for threat hunters to search for similar behaviors in their own environment. To maximize efficiency and effectiveness, these hunts should be conducted by team members who have a deep understanding of the business context of the systems in question.
Indicators of Compromise (IOCs) - IOCs are published signs of a newly discovered threat. While these will generally be turned into detections, they should first be used to hunt for past compromises. It’s important to leverage any open source intelligence and playbooks here, because once a threat actor knows their attack vector has just been publicly exposed, they’ll likely be racing to exploit their foothold before you can shut them down.
Analytics Based - These hunts leverage data analysis and machine learning to detect irregularities and anomalous activities in logs. Suspicious activities might be linked to known IOCs or indicate a threat actor’s movements. Either way, these irregularities can provide a solid starting point to dig deeper.
- Today’s Sponsor -
Stop struggling with complex queries. Selecty is a database-agnostic query assistant that integrates seamlessly into your workflow. Easily generate, explain, optimize, format, and validate queries - all in one place. Write better queries, faster than ever, and make your data work for you. Check it out!
Methodology
Now, once a threat hunt kicks off, what exactly are we looking for?
Threat hunting methodology functions very similarly to the methodology I’ve covered in my WWWWWH series (if you’ve been here a while, you know the drill):
Who are the suspicious users or accounts?
What exactly happened in our environment?
When did this activity take place?
Where did these IOCs occur? (Systems, devices, applications, etc.)
Why are they in the environment? What are they after?
How did the threat actor gain access?
There’s no bulletproof way to answer all of these questions, but by following a methodology, we can structure our hunt to uncover critical details along the way.
My Structured Approach
A structured threat hunt starts with a lead. We need some form of threat intelligence.
It could be an IP address, a hash, a domain, an action… you really never know what you’ll be working with. But the first order of business is to determine the blast radius.
This means identifying what system, software, and versions are in scope. If that system exists in your environment, then the next move is to pinpoint where the logs are located and start searching for any leading indicators.
How this plays out entirely depends on your environment. If you’ve worked in security operations before, you know storing logs all in one place isn’t always practical (or cheap). This is where quality documentation comes into play. Make it easy on yourself to pinpoint where the information you need is located.
I’ve had my own threat hunts span across multiple platforms: my SIEM, WAF logs in AWS Athena, and Elastic Search for application logs.
That’s THREE different query languages in one session.
The last thing you want during a threat hunt is friction. So, I generally like to leverage my homegrown tool, Selecty, which lets me switch between query languages and contexts effortlessly. It's unrealistic to be fluent in every query language out there, so any chance I have to make my life easier, I’ll take (but if you’re a query language master, more power to you!).
During hunts, I like to focus on IOCs, actions, and entities - essentially anything that paints a contextual image of the threat. You need to gain an understanding of how your assets interact and how a potential attacker might be traversing your environment.
Focus on:
Accounts - Who’s involved?
Suspicious Actions - What’s being done?
Context - Is this behavior normal?
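Here is what the structured flow above (take a lead, scope it, find the logs, search for leading indicators, then pivot on the accounts and actions involved) looks like in code. This is an added example, not code from the newsletter or from Selecty: the proxy and endpoint log lines are constructed, the indicator values are placeholders (a TEST-NET-3 address, an example.net domain, a dummy hash), and the field names are assumptions about what two typical sources might carry.

```python
"""Structured hunt walkthrough: take a lead, sweep every log source that is in
scope for it, then pivot on the accounts involved to build a single timeline.
Added example with constructed logs and placeholder indicators; the field names
and indicator values are assumptions, not from a real environment."""
from datetime import datetime
import json

# The lead: constructed placeholder indicators (TEST-NET-3 IP, example domain,
# and a 64-hex-character dummy "hash"). Not real IOCs.
LEAD = {
    "ip": {"203.0.113.45"},
    "domain": {"updates.example.net"},
    "hash": {"deadbeef" * 8},
}

# Source 1: constructed proxy/WAF log in key=value form.
PROXY_LOGS = """\
ts=2024-03-04T08:12:09Z src=10.0.4.22 user=jdoe dest=updates.example.net action=allow bytes=5120
ts=2024-03-04T08:15:41Z src=10.0.4.22 user=jdoe dest=cdn.example.com action=allow bytes=88201
ts=2024-03-04T22:03:55Z src=10.0.4.22 user=jdoe dest=updates.example.net action=allow bytes=912000
ts=2024-03-04T09:01:12Z src=10.0.7.8 user=asmith dest=mail.example.com action=allow bytes=2048
"""

# Source 2: constructed endpoint/auth log as JSON lines.
ENDPOINT_LOGS = """\
{"time": "2024-03-04T07:58:00Z", "host": "ws-0422", "user": "jdoe", "event": "login", "src_ip": "10.0.4.22"}
{"time": "2024-03-04T21:40:13Z", "host": "ws-0422", "user": "jdoe", "event": "login", "src_ip": "203.0.113.45"}
{"time": "2024-03-04T21:47:30Z", "host": "ws-0422", "user": "jdoe", "event": "process", "image": "upd.exe", "sha256": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}
{"time": "2024-03-04T21:55:02Z", "host": "fs-01", "user": "svc_backup", "event": "login", "src_ip": "203.0.113.45"}
{"time": "2024-03-04T09:00:30Z", "host": "ws-0708", "user": "asmith", "event": "login", "src_ip": "10.0.7.8"}
"""

# Which raw fields carry which kind of indicator, so one matcher serves both sources.
FIELD_KINDS = {"src": "ip", "src_ip": "ip", "dest": "domain", "sha256": "hash"}


def parse_proxy(raw):
    """Normalize key=value proxy lines into the common event shape."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append({"ts": kv["ts"], "source": "proxy", "user": kv["user"],
                       "summary": f"{kv['action']} {kv['src']} -> {kv['dest']} ({kv['bytes']} bytes)",
                       "fields": kv})
    return events


def parse_endpoint(raw):
    """Normalize JSON-lines endpoint records into the same event shape."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"ts": rec["time"], "source": "endpoint", "user": rec["user"],
                       "summary": f"{rec['event']} on {rec['host']}", "fields": rec})
    return events


def find_hits(events, lead):
    """Leading indicators: every event whose fields contain a value from the lead."""
    hits = []
    for ev in events:
        for field, kind in FIELD_KINDS.items():
            value = ev["fields"].get(field)
            if value is not None and value in lead[kind]:
                hits.append({"event": ev, "kind": kind, "indicator": value})
    return hits


def pivot_on_accounts(events, hits):
    """Pivot from indicator hits to the accounts involved, then pull everything
    those accounts did across all sources into one time-ordered view."""
    accounts = sorted({h["event"]["user"] for h in hits})
    timeline = sorted((ev for ev in events if ev["user"] in accounts),
                      key=lambda ev: datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    return accounts, timeline


def run_hunt(lead=LEAD):
    events = parse_proxy(PROXY_LOGS) + parse_endpoint(ENDPOINT_LOGS)
    hits = find_hits(events, lead)
    accounts, timeline = pivot_on_accounts(events, hits)
    return {"hits": hits, "accounts": accounts, "timeline": timeline}


if __name__ == "__main__":
    result = run_hunt()
    print(f"{len(result['hits'])} indicator hits across accounts: {', '.join(result['accounts'])}")
    flagged = {id(h["event"]) for h in result["hits"]}
    for ev in result["timeline"]:
        mark = "*" if id(ev) in flagged else " "
        print(f"{mark} {ev['ts']} [{ev['source']:>8}] {ev['user']:<11} {ev['summary']}")
```

The point of normalizing both sources into one event shape first is the "three query languages in one session" problem: once everything has a timestamp, an account and a summary, the pivot and the timeline are the same code no matter where the log came from. Notice too that the second account only surfaces through the pivot, not through the original lead, which is the kind of detail that adds up.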
A lot of malicious actors are smart, and they don’t always act all at once. So you may need to zoom out and widen your time range to see patterns unfold.
And when something feels off, trust your instinct and drill down further. Become obsessed. Try to learn everything about that one indicator as quickly as possible.
I like to keep notes during my hunts. Keeping track of your findings without relying on memory helps to free up mental bandwidth for solving problems, not recalling artifacts. It can also help you to take a step back and see how the pieces of the puzzle fit together.
While these structured threat hunts are more black and white (you either find something, or you don’t), it’s important to still stay detail-oriented. The small details can add up to something big.
My Unstructured Approach
While the core methodology remains the same, an unstructured threat hunt is more open-ended, and you’ll often be forming hypotheses as you go.
I like to think of this approach as freestyling. You’re constantly adjusting your direction based on the evidence you uncover, letting the ideas that pop into your head guide you. It’s much more creative than you might think.
Since unstructured hunts can often be like trying to find a needle in a haystack, I like to focus on business-critical systems: platforms that handle sensitive data, the ones malicious actors would target first.
Any chance you have to narrow your scope, take it. You’ll increase your chances of finding something meaningful rather than chasing ghosts in low-value areas.
Again, I use Selecty as my sidecar assistant here, helping me instantly turn wild ideas into actionable queries.
The key here is gaining a sense for what is regular and what is not.
Irregularities are the juicy parts. Start by understanding what’s normal on the platform. How do users typically interact with the system? Then hunt for activity that breaks the pattern.
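The baseline-then-deviation idea in the last two paragraphs, the analytics-based trigger from the Common Triggers section, and the advice to zoom out and widen your time range can all be shown in one small script. This is an added example, not the newsletter's or Selecty's code: the events are constructed (day, account, host, hour, action), and the per-day alert threshold and the rate multiplier are assumed values you would tune for your own environment.

```python
"""Baseline-and-deviation hunt: learn what is normal for each account over a
baseline period, flag window activity that breaks the pattern, and widen the
window to surface low-and-slow behaviour that a per-day rule never sees.
Added example with constructed events; the thresholds are assumptions."""
from collections import Counter, defaultdict


def expand(user, host, days, hours, actions):
    """Constructed-data helper: one event per (day, hour, action) for an account."""
    return [(day, user, host, hour, action)
            for day in days for hour in hours for action in actions]


# Constructed baseline, days 1-20: three accounts with regular habits.
BASELINE = (
    expand("jdoe", "ws-0422", range(1, 21), range(8, 18), ["file_read"])
    + expand("jdoe", "ws-0422", range(1, 21), [9], ["file_download"])      # one download a day
    + expand("asmith", "ws-0708", range(1, 21), range(9, 17), ["email_send"])
    + expand("svc_backup", "fs-01", range(1, 21), range(1, 4), ["file_read"])  # nightly job
)

# Constructed hunt window, days 21-30: mostly the same, plus a few deviations.
WINDOW = (
    expand("jdoe", "ws-0422", range(21, 31), range(8, 18), ["file_read"])
    + expand("jdoe", "ws-0422", range(21, 31), [9, 11, 14, 16], ["file_download"])  # 4/day, quietly up from 1
    + [(27, "jdoe", "fs-01", 3, "file_read")]             # new host, at 03:00
    + expand("asmith", "ws-0708", range(21, 31), range(9, 17), ["email_send"])
    + [(24, "asmith", "ws-0708", 14, "share_create")]     # action never seen for this account
    + expand("svc_backup", "fs-01", range(21, 31), range(1, 4), ["file_read"])
    + [(29, "svc_backup", "ws-0422", 2, "file_read")]     # service account on a workstation
    + [(30, "contractor7", "ws-0900", 10, "file_read")]   # account with no baseline at all
)


def build_profiles(events):
    """Per-account picture of normal: hosts used, hours active, actions taken."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(), "actions": Counter()})
    for _day, user, host, hour, action in events:
        p = profiles[user]
        p["hosts"].add(host)
        p["hours"].add(hour)
        p["actions"][action] += 1
    return profiles


def profile_deviations(baseline, window):
    """Return (event, reasons) for every window event that breaks its account's pattern."""
    profiles = build_profiles(baseline)
    findings = []
    for ev in window:
        _day, user, host, hour, action = ev
        p = profiles.get(user)
        if p is None:
            findings.append((ev, ["no baseline for this account"]))
            continue
        reasons = []
        if host not in p["hosts"]:
            reasons.append(f"new host {host}")
        if hour not in p["hours"]:
            reasons.append(f"unusual hour {hour:02d}:00")
        if action not in p["actions"]:
            reasons.append(f"never-seen action {action}")
        if reasons:
            findings.append((ev, reasons))
    return findings


def low_and_slow(baseline, window, action, per_day_rule=5, factor=3.0):
    """Zoom out: compare each account's daily rate of `action` across the whole
    window with its baseline rate. per_day_rule is the (assumed) count a per-day
    detection would alert on; anything staying under it is invisible day by day."""
    def daily_counts(events):
        per_day = Counter((user, day) for day, user, _h, _hr, act in events if act == action)
        per_user = defaultdict(list)
        for (user, day), n in per_day.items():
            per_user[user].append(n)
        return per_user

    base, win = daily_counts(baseline), daily_counts(window)
    base_days = len({d for d, *_ in baseline})
    win_days = len({d for d, *_ in window})
    findings = []
    for user, counts in win.items():
        if max(counts) >= per_day_rule:
            continue  # loud enough for the per-day rule; not what this pass is for
        base_rate = sum(base.get(user, [])) / base_days
        win_rate = sum(counts) / win_days
        if base_rate == 0 or win_rate >= factor * base_rate:
            findings.append((user, round(base_rate, 2), round(win_rate, 2)))
    return findings


if __name__ == "__main__":
    for ev, reasons in profile_deviations(BASELINE, WINDOW):
        print(f"day {ev[0]:2d} {ev[1]:<12} {ev[2]:<8} {ev[3]:02d}:00 {ev[4]:<14} <- {'; '.join(reasons)}")
    for user, base_rate, win_rate in low_and_slow(BASELINE, WINDOW, "file_download"):
        print(f"{user}: file_download {base_rate}/day in baseline vs {win_rate}/day in window")
```

Two things worth noticing. The profile pass finds four irregularities, each with a reason you can write straight into your notes. The low-and-slow pass finds something the profile pass cannot: every individual download sits inside the account's normal hours on its normal host, and no single day would trip a count-based rule, yet across the whole window the rate has quadrupled. That is exactly the pattern that only unfolds once you widen the time range.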
Real-time research can also drastically improve your unstructured hunts. Along the way, you’ll come across artifacts that don’t make sense. Learning to skim documentation quickly, searching for relevant IOCs, or scanning recent news for CVEs can significantly impact your threat hunting session, positively or negatively. The faster you connect the dots, the better.
These unstructured hunts are less cut and dried. It can be difficult to know when to walk away because there’s no clear stopping point. Recognizing that you’re lost down a rabbit hole is a skill - if you can’t find tangible evidence to support your hypothesis, move on.
How Does Threat Hunting Fit into Security Teams?
While some well-funded security teams may have dedicated Threat Hunting & Intelligence teams, threat hunting is often a complementary process within Detection Engineering and Incident Response Teams.
The synergy just makes sense.
These teams already live and breathe the data in their day-to-day. They know the schemas, understand what’s normal in the environment, and have the technical skills to make that data work for them.
Plus, they’re not starting from scratch.
Most Detection and IR teams already have prebuilt tooling that can seamlessly support threat hunting efforts - saved queries, automated scripts, Jupyter notebooks, and custom tools built for investigations.
That crossover makes it easy to integrate threat hunting as a proactive habit rather than an isolated function.
What Makes a Great Threat Hunter?
Threat hunting is more than just technical chops, environmental awareness, or experience. Even though those are important, the best threat hunters bring a unique mindset and tangible skills that set them apart.
Great Threat Hunters:
Pivot on the Fly - They adapt their methodology based on the evidence in front of them.
Commit to the Hunt - They dedicate time weekly to hunt for threats, whether structured or unstructured.
Never Turn Their Mind Off - They constantly mull over ideas and data in their head.
Think like an Attacker - They put themselves in the shoes of the adversaries.
Communicate Clearly - They know how to articulate their findings so response actions can be taken.
Document Their Hunts - A great hunt is useless unless there are takeaways.
Identify Areas for Improvement - Every hunt can be used as an opportunity to refine security controls.
Leverage Automation - They use their programming skills to build automated scripts and frameworks to simplify repetitive tasks.
Have Deep Interdisciplinary Knowledge - They understand operations, infrastructure, networking, and application security (because threats don’t limit themselves to just one domain).
Threat Hunters - what did I miss? What makes you great at what you do?
Securely Yours,
Ryan G. Cox
Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.
Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.
. . .
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!