What Is Threat Hunting?

Threat hunting is the practice of security analysts proactively searching for, and rooting out, cyber threats that have penetrated a network without being detected. It goes beyond the alerts and known-bad indicators that existing tools already raise, in order to uncover new potential threats and weaknesses.

How does threat hunting work?

Threat hunting is an active IT security exercise with the intent of finding and rooting out cyber attacks that have penetrated your environment without raising any alarms. This is in contrast to traditional cybersecurity investigations and responses, which stem from system alerts, and occur after potentially malicious activity has been detected.

Threat hunting involves going beyond what you already know or have been alerted to. Security software alerts users to the risks and behaviors connected to common threats, such as malware. Threat hunting is about venturing into the unknown to discover new cyber threats.

Why is threat hunting important?

Organized, skilled, and well-funded attackers exist. They will work diligently looking for a weakness to exploit if you become their target. You can't possibly uncover everything, even with the best security tools. This is where threat hunting comes in. Its primary mandate is to find just these types of attackers.

Who should be involved in threat hunting?

To carry out a threat hunting campaign, a mix of core skills is needed in a team. These skills include:

  • Familiarity with endpoint and network security. You will need seasoned members of your SOC or IT team who have an extensive breadth and depth of knowledge around security issues and best practices.
  • Understanding of data analytics. Threat hunting often involves teasing patterns out of raw data. An understanding of statistical analysis (frequency counts, outliers, timing regularities) will help to identify the patterns that matter.
  • Innate curiosity. Threat hunting can sometimes be likened to an artistic pursuit. It requires a certain amount of creative thinking to connect seemingly unrelated items or ask, "I wonder what would happen if…"

When should you do threat hunting?

You may wish to undertake a threat hunting exercise when you suspect risky behavior has occurred. Ultimately, the most successful hunts are those that are planned. You need to set a scope for the hunt, identify clear goals, and set aside a block of time to perform the exercise. When you are done, you need to assess steps to improve your security posture, establishing threat prevention playbooks and detections to address the results moving forward.

Where should you hunt for threats?

Ultimately, data is key to any successful threat hunt. Before you can do anything related to threat hunting, you need to ensure you have adequate logging capability to carry out the hunt. If you can't see what is happening on your systems, then you can't investigate it. Choosing which systems to pull data from will often depend on the scope of the hunt. In some cases, you may want to install tools to monitor particular types of traffic for the duration of the hunt. The logs pulled by these temporary systems are then used in the hunt alongside your existing telemetry.
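The two hunts below are an added example to illustrate the data-analytics and logging points above; it is not code from the original article or from any vendor product. It runs two classic hypothesis-driven hunts over constructed endpoint logs: a frequency ("stacking") analysis of parent/child process pairs to surface combinations that appear on only a handful of hosts, and a beaconing check that flags outbound connections repeating on a suspiciously regular timer. The event records, hostnames, process names and destination addresses are all constructed for illustration, and the field names (host, parent, image, dst, ts) are assumptions about how the logs were normalised.

```python
"""Two hypothesis-driven hunts over constructed endpoint telemetry.

Added example, not from the original article. Field names are assumed:
process-creation records carry host/parent/image, and outbound-connection
records carry host/dst/ts (epoch seconds).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed process-creation events from four workstations.
PROCESS_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws02", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws03", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws04", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws01", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws02", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws03", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws04", "parent": "services.exe", "image": "svchost.exe"},
    # A word processor spawning a shell is rare in a fleet; worth a look.
    {"host": "ws03", "parent": "winword.exe", "image": "powershell.exe"},
]

# Constructed outbound connections. ws03 contacts one address every ~300s
# with almost no jitter; ws01 browses at irregular intervals; ws02 has too
# few connections to judge. Addresses are RFC 5737 documentation ranges.
NETWORK_EVENTS = [
    {"host": "ws03", "dst": "203.0.113.10", "ts": 0},
    {"host": "ws03", "dst": "203.0.113.10", "ts": 300},
    {"host": "ws03", "dst": "203.0.113.10", "ts": 601},
    {"host": "ws03", "dst": "203.0.113.10", "ts": 899},
    {"host": "ws03", "dst": "203.0.113.10", "ts": 1200},
    {"host": "ws01", "dst": "198.51.100.5", "ts": 0},
    {"host": "ws01", "dst": "198.51.100.5", "ts": 45},
    {"host": "ws01", "dst": "198.51.100.5", "ts": 600},
    {"host": "ws01", "dst": "198.51.100.5", "ts": 610},
    {"host": "ws01", "dst": "198.51.100.5", "ts": 1500},
    {"host": "ws02", "dst": "203.0.113.10", "ts": 50},
    {"host": "ws02", "dst": "203.0.113.10", "ts": 350},
]


def stack_parent_child(events, max_hosts=1):
    """Stacking analysis: count the distinct hosts on which each
    parent->child process pair appears and return the pairs seen on
    max_hosts or fewer. Common pairs fall away; rare ones remain."""
    hosts_by_pair = defaultdict(set)
    for e in events:
        hosts_by_pair[(e["parent"], e["image"])].add(e["host"])
    return sorted(
        (pair, sorted(hosts))
        for pair, hosts in hosts_by_pair.items()
        if len(hosts) <= max_hosts
    )


def find_beacons(events, min_connections=4, max_cv=0.1):
    """Group connections by (host, dst), compute the gaps between successive
    connections, and flag flows whose coefficient of variation (stdev/mean)
    is at most max_cv. Human browsing is bursty; a fixed check-in timer is
    not. Returns (flow, mean_gap_seconds) for each flagged flow."""
    ts_by_flow = defaultdict(list)
    for e in events:
        ts_by_flow[(e["host"], e["dst"])].append(e["ts"])
    beacons = []
    for flow, stamps in ts_by_flow.items():
        if len(stamps) < min_connections:
            continue  # too few samples to say anything about timing
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = float(mean(gaps))
        if m > 0 and pstdev(gaps) / m <= max_cv:
            beacons.append((flow, round(m, 1)))
    return sorted(beacons)


if __name__ == "__main__":
    for pair, hosts in stack_parent_child(PROCESS_EVENTS):
        print("rare parent/child:", pair, "on", hosts)
    for flow, gap in find_beacons(NETWORK_EVENTS):
        print("possible beacon:", flow, "every", gap, "seconds")
```

Both hunts are only as good as the logging behind them: the stacking hunt needs process-creation events with parent information from the whole fleet, and the beacon hunt needs connection timestamps over a long enough window to see several repetitions. Tune max_hosts and max_cv to the size of your environment, and treat hits as leads to investigate, not verdicts.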
