Threat Hunting
One-liner: Proactive search for cyber threats within an environment before they trigger automated detections or cause damage.
🎯 What Is It?
Threat Hunting is a proactive cybersecurity approach where security analysts actively search for signs of malicious activity that may have evaded existing detection mechanisms. Unlike reactive Incident Response, threat hunting assumes that threats are already present and seeks to discover them through intelligence-driven investigation.
Threat hunting bridges the gap between automated detection systems and sophisticated adversaries who know how to evade them.
🤔 Why It Matters
- Reduces Dwell Time: Minimizes how long attackers remain undetected in your environment
- Discovers Unknown Threats: Finds sophisticated attacks that bypass automated defenses
- Improves Detection: Findings feed back into detection rules, strengthening future monitoring
- Validates Security Posture: Tests whether existing controls are actually effective
- Stays Ahead of Adversaries: Proactive rather than waiting for alerts
🔬 How It Works
Core Principles
- Assume Breach: Operate under the assumption that threats already exist in your environment
- Intelligence-Driven: Use Cyber Threat Intelligence (CTI) to guide where and what to hunt for
- Hypothesis-Based: Develop testable theories about potential adversary presence
- Iterative: Continuously refine detection based on findings
Threat Hunting vs Incident Response
| Aspect | Threat Hunting | Incident Response |
|---|---|---|
| Approach | Proactive | Reactive |
| Trigger | Intelligence-driven hypothesis | Alert or notification |
| Goal | Find hidden threats | Contain active incident |
| Guidance | Cyber Threat Intelligence (CTI) | Incident scope |
| Mindset | "There might be a threat we don't know yet" | "There's a threat that needs to be dealt with now" |
| Timing | Continuous/scheduled | Event-triggered |
The Threat Hunting Process
1. What to Hunt For
- Known Relevant Malware: Malware used by threat actors targeting your industry
- Attack Residues: Traces left by attackers (IOCs, IOAs)
- Known Vulnerabilities: CVEs affecting your environment, including newly disclosed ones that CTI reports as exploited in the wild; hunt for exploitation traces on the exposed hosts, not only for the vulnerable version
- TTPs: Adversary behavior patterns mapped to MITRE ATT&CK
2. How to Hunt
- Attack Signatures & IOCs: Search for specific artifacts (hashes, IPs, domains)
- Logical Queries: Filter logs for suspicious patterns (e.g., vulnerable software versions)
- Behavioral Analysis: Look for patterns of activity (e.g., MITRE ATT&CK techniques)
3. When to Stop
- Threat hunting doesn't always find something—and that's okay
- Follow your process and intelligence-driven plan
- Document findings (or lack thereof) to inform future hunts
- Unlike CTFs, there's no guaranteed "flag" at the end
Technical Deep-Dive
Threat Hunting Workflow:
1. Develop Hypothesis (based on CTI)
↓
2. Collect Data (logs, network traffic, endpoint telemetry)
↓
3. Analyze & Investigate
↓
4. Find Threat?
├─ YES → Trigger Incident Response
└─ NO → Document & Refine Detection
↓
5. Feedback Loop → Update Detection Rules
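The process above (what to hunt for, the three ways to hunt, and the hypothesis → collect → analyze → decide loop) as an added Python example. This is not code from the original page or from any SIEM or EDR product it names. The hypothesis, the Windows 4624 logon events, the IOC IP and the fan-out threshold are all constructed for illustration; in a real hunt the events come from the SIEM or EDR export and the IOC list from the CTI platform, and the threshold is tuned to how many hosts an admin or service account normally touches in your environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothesis for this hunt, derived from CTI (constructed for the example):
HYPOTHESIS = ("An adversary holding valid credentials is moving laterally "
              "over SMB/RDP (ATT&CK T1021)")

# CTI indicator (constructed): an IP reported as attacker infrastructure.
IOC_IPS = {"198.51.100.77"}

# Windows logon types that mean a remote logon: 3 = network (SMB, WinRM),
# 10 = RemoteInteractive (RDP). Local interactive logons (type 2) are ignored.
REMOTE_LOGON_TYPES = {3, 10}
FANOUT_THRESHOLD = 4            # distinct hosts reached by one (user, src_ip) ...
WINDOW = timedelta(minutes=10)  # ... within this window is treated as suspicious

# Constructed telemetry: Security event 4624 (successful logon) exported from a
# SIEM as JSON lines. Not real data.
SAMPLE_LOGONS = """
{"ts": "2024-03-01T09:00:12Z", "host": "FS01", "user": "alice", "src_ip": "10.0.1.15", "logon_type": 3}
{"ts": "2024-03-01T09:02:40Z", "host": "FS01", "user": "bob", "src_ip": "10.0.1.22", "logon_type": 3}
{"ts": "2024-03-01T22:10:03Z", "host": "WS07", "user": "svc_backup", "src_ip": "10.0.3.40", "logon_type": 3}
{"ts": "2024-03-01T22:10:09Z", "host": "WS12", "user": "svc_backup", "src_ip": "10.0.3.40", "logon_type": 3}
{"ts": "2024-03-01T22:10:15Z", "host": "WS19", "user": "svc_backup", "src_ip": "10.0.3.40", "logon_type": 3}
{"ts": "2024-03-01T22:10:21Z", "host": "WS23", "user": "svc_backup", "src_ip": "10.0.3.40", "logon_type": 3}
{"ts": "2024-03-01T22:11:02Z", "host": "DC01", "user": "svc_backup", "src_ip": "10.0.3.40", "logon_type": 10}
{"ts": "2024-03-01T23:30:00Z", "host": "WS03", "user": "carol", "src_ip": "198.51.100.77", "logon_type": 10}
{"ts": "2024-03-02T08:15:44Z", "host": "WS05", "user": "dave", "src_ip": "10.0.1.31", "logon_type": 2}
"""


def parse_events(jsonl):
    """Step 2 of the workflow: collect data (here, parse the exported events)."""
    events = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def ioc_search(events, ioc_ips):
    """'Attack Signatures & IOCs': exact match of a field against CTI indicators."""
    return [e for e in events if e["src_ip"] in ioc_ips]


def lateral_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """'Behavioral Analysis': one (user, src_ip) reaching many hosts in a short
    window is the T1021 pattern, whatever IPs or hashes are involved."""
    by_source = defaultdict(list)
    for e in events:
        if e["logon_type"] in REMOTE_LOGON_TYPES:
            by_source[(e["user"], e["src_ip"])].append(e)

    findings = []
    for (user, src_ip), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):          # sliding time window over the logons
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["host"] for e in evs[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= threshold:
            findings.append({"user": user, "src_ip": src_ip,
                             "targets": sorted(best), "count": len(evs)})
    return findings


def hunt(jsonl, ioc_ips=IOC_IPS):
    """Run the hunt end to end and decide the next step of the workflow."""
    events = parse_events(jsonl)
    ioc_hits = ioc_search(events, ioc_ips)
    behavioral = lateral_fanout(events)
    found = bool(ioc_hits or behavioral)
    return {
        "hypothesis": HYPOTHESIS,
        "events_reviewed": len(events),
        "ioc_hits": ioc_hits,
        "lateral_movement": behavioral,
        # Steps 4 and 5: a hit goes to IR; a negative result is still recorded
        # so the query can become a detection rule or be refined next time.
        "next_step": "escalate to IR" if found else "document negative result, refine detection",
    }


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOGONS), indent=2, default=str))
```

On the sample data the IOC search catches `carol`'s RDP logon from the listed IP, and the behavioral check catches `svc_backup` reaching five hosts in under a minute even though none of its IPs are on any IOC list; that second finding is the kind a signature-only search misses. Run on only benign events the same function returns the "document negative result" branch, which is the expected outcome of most hunts.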
🛡️ Detection & Prevention
Tools for Threat Hunting
- SIEM: Centralized log analysis (Splunk, Elastic)
- Endpoint detection and response (EDR): Endpoint visibility (CrowdStrike, Carbon Black)
- MITRE ATT&CK Navigator: Visualize adversary TTPs
- Threat Intelligence Platforms: MISP, OpenCTI
- Network Analysis: Zeek, Wireshark
How to Detect Gaps in Detection
- Map existing detection rules to MITRE ATT&CK and review the techniques with no coverage
- Analyze historical incidents that automated controls did not detect and ask which log source or rule was missing
- Use red team and purple team findings: every technique that went unnoticed is a hunt and a detection gap
- Use threat intelligence reports on techniques currently targeting your sector to prioritize which gaps to close first
📊 Types/Categories
| Hunt Type | Description | Example |
|---|---|---|
| Intelligence-Driven | Based on CTI about specific threats | Hunt for APT29 TTPs |
| Hypothesis-Driven | Test a theory about potential threats | "Are there signs of lateral movement?" |
| Situational Awareness | Baseline normal, look for deviations | Unusual outbound traffic patterns |
| Custom Hunt | Organization-specific based on assets | Hunt for access to crown jewel data |
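The "Situational Awareness" row above (baseline normal, then look for deviations such as unusual outbound traffic) as an added Python example. This is not code from the original page or from Zeek or any other tool it lists. The connection records, the beacon period and the regularity threshold are constructed assumptions; in practice the records would come from Zeek conn logs or firewall/proxy logs, the baseline period would be days or weeks rather than twenty connections, and the thresholds must be tuned against your own environment because legitimate updaters and monitoring agents also check in on a schedule.

```python
import statistics
from collections import defaultdict
from itertools import cycle

# Beacon heuristic (assumed thresholds, tune per environment): at least this many
# connections to one destination, with inter-arrival gaps this regular.
MIN_CONNECTIONS = 10
MAX_CV = 0.15   # coefficient of variation (stdev / mean) of the gaps between connections


def make_sample_conns():
    """Constructed Zeek-conn-like records (ts in epoch seconds, outbound only).
    Returns (baseline_period, hunt_period). Not real traffic."""
    baseline, current = [], []

    def browsing(records, src, t0):
        # Human-driven traffic: irregular gaps, varying sizes.
        gaps = cycle([5, 190, 12, 600, 45, 900, 3, 250])
        t = t0
        for i in range(20):
            t += next(gaps)
            records.append({"ts": t, "src": src, "dst": "93.184.216.34",
                            "port": 443, "bytes": 4000 + 137 * i})

    browsing(baseline, "10.0.2.15", 1_708_675_200)   # a week before the hunt window
    browsing(current, "10.0.2.15", 1_709_280_000)

    # Implant check-in: 10.0.2.14 -> 203.0.113.9:443 about every 60 s with small
    # jitter and the same tiny payload each time. Only present in the hunt period.
    jitter = cycle([0, 2, -1, 3, -2])
    t = 1_709_280_000
    for _ in range(20):
        t += 60 + next(jitter)
        current.append({"ts": t, "src": "10.0.2.14", "dst": "203.0.113.9",
                        "port": 443, "bytes": 512})
    return baseline, sorted(current, key=lambda c: c["ts"])


def find_beacons(conns, min_conns=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Flag (src, dst, port) tuples whose connection timing is too regular to be human."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["src"], c["dst"], c["port"])].append(c["ts"])
    findings = []
    for (src, dst, port), ts in by_pair.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port, "connections": len(ts),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


def new_destinations(baseline, current):
    """Baseline deviation: (src, dst) pairs never seen during the baseline period."""
    known = {(c["src"], c["dst"]) for c in baseline}
    return sorted({(c["src"], c["dst"]) for c in current} - known)


def hunt_outbound(baseline, current):
    """Combine both signals: a regular beacon to a destination the host never
    talked to before is the strongest lead; either signal alone still merits a look."""
    novel = set(new_destinations(baseline, current))
    beacons = find_beacons(current)
    for b in beacons:
        b["new_destination"] = (b["src"], b["dst"]) in novel
    return {"beacons": beacons, "new_destinations": sorted(novel)}


if __name__ == "__main__":
    base, cur = make_sample_conns()
    print(hunt_outbound(base, cur))
```

The browsing traffic has gaps that vary by two orders of magnitude, so its coefficient of variation is far above the threshold and it is never flagged; the check-in traffic has a stdev of about two seconds around a sixty-second period and stands out immediately. Ranking beacons by whether the destination is absent from the baseline is what keeps a hunt like this from drowning in the legitimate periodic traffic every network carries.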
🎤 Interview Angles
Common Questions
- "What is Threat Hunting and how does it differ from Incident Response?"
  - "Threat hunting is proactive—we search for threats based on intelligence and hypotheses before they trigger alerts. Incident Response is reactive, triggered by an alert or notification. Hunting feeds findings to IR and helps improve detection."
- "Walk me through your threat hunting process"
  - "I start with threat intelligence to develop a hypothesis—for example, if APT groups targeting our industry use a specific TTP. I query logs and endpoint data for indicators of that activity. If found, I escalate to IR. If not, I document the hunt and consider whether new detection rules are needed."
- "How do you decide when to stop a threat hunt?"
  - "Unlike CTFs, hunts don't always find something. I stop when I've exhausted my hypothesis following a structured process. Even negative results provide value—they validate our controls work or identify blind spots."
STAR Story
Situation: Our SOC was detecting incidents but only after significant Dwell Time—attackers were present for weeks before discovery.
Task: Implement proactive threat hunting to discover threats earlier and improve detection coverage.
Action: Developed an intelligence-driven hunting program. Used MITRE ATT&CK Navigator to map relevant APT TTPs to our environment. Created hunting playbooks for high-risk techniques like Lateral Movement and Data Exfiltration. Conducted weekly hunts in SIEM and EDR platforms.
Result: Discovered two active compromises within the first month that had evaded detection for 30+ days. Created 15 new detection rules from findings. Reduced average dwell time from 32 days to 8 days over 6 months.
✅ Best Practices
- Start with Threat Intelligence: Don't hunt blindly—use CTI to guide focus
- Document Everything: Record hypotheses, queries, findings, and lessons learned
- Create Detection Rules: Every hunt should improve automated detection
- Know Your Environment: Understand normal behavior to spot anomalies
- Collaborate: Work closely with Incident Response, Detection Engineering, and CTI teams
- Use MITRE ATT&CK: Map hunts to adversary TTPs for comprehensive coverage
- Measure Success: Track metrics like dwell time reduction, new detections created
❌ Common Misconceptions
- "Threat hunting always finds threats": Many hunts return negative results—that's still valuable validation
- "It replaces automated detection": Hunting complements detection; findings improve automation
- "Only advanced teams can hunt": Basic hunting (e.g., IOC searches) is accessible to all SOCs
- "It's ad-hoc searching": Effective hunting is structured, hypothesis-driven, and repeatable
🔗 Related Concepts
- Incident Response
- Cyber Threat Intelligence (CTI)
- Detection Engineering
- Indicator of Compromise (IOC)
- Indicator of Attack (IOA)
- MITRE ATT&CK
- Dwell Time
- Attack Residues
- Attack Signatures
- Tactics, Techniques, and Procedures (TTP)
- SIEM
- Endpoint detection and response (EDR)
📚 References
- TryHackMe: Introduction to Threat Hunting
- SANS: Introduction to Threat Hunting
- Sqrrl (now Amazon): Threat Hunting Reference Model
- MITRE ATT&CK for Threat Hunting