Threat Hunting

What is Threat Hunting?

Threat hunting is the proactive search for cyber threats hiding in an organization's environment that have evaded existing automated detection mechanisms like SIEM and EDR.

What is threat hunting?

Threat hunting is the proactive, analyst-driven process of searching for malicious activity that has evaded automated security controls. Unlike reactive alerting, hunters develop hypotheses about adversary behavior and systematically investigate telemetry data to discover hidden threats, compromised systems, and previously unknown attack techniques.

How does threat hunting differ from incident response?

Incident response is triggered by detected alerts or reported incidents. Threat hunting proactively searches for threats before alerts fire, operating on the assumption that adversaries may already be present but undetected. Hunting finds threats that automated tools miss, while incident response handles known detections.

What is hypothesis-driven threat hunting?

Hypothesis-driven hunting starts with a theory about potential adversary behavior based on threat intelligence, ATT&CK techniques, or environmental knowledge. Hunters formulate testable hypotheses like 'an adversary is using PowerShell for lateral movement,' then systematically query data to confirm or refute the hypothesis.
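The example below works through the hypothesis quoted above, "an adversary is using PowerShell for lateral movement", as code. It is an added illustration, not part of the original page or any vendor's product: it runs over a handful of constructed EDR-style process events, tags each PowerShell event with the indicators it matches (a remoting cmdlet naming a target host, an encoded command line, or PowerShell spawned by the WinRM host process `wsmprovhost.exe` on the destination), and then correlates source-side and destination-side evidence for the same user so the hunter can confirm or refute the hypothesis rather than just grep for keywords. The event schema, host names and user names are assumptions made for the example.

```python
"""Hypothesis-driven hunt: 'an adversary is using PowerShell for lateral movement'.

Added example. Telemetry below is constructed to look like EDR process-execution
events; the field names (host, user, parent, image, cmdline) are an assumption.
"""
import re

# Constructed sample telemetry, not from a real environment.
SAMPLE_EVENTS = [
    {"host": "WS-041", "user": "CORP\\jsmith", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Users\\jsmith\\Documents"},
    {"host": "WS-041", "user": "CORP\\jsmith", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkAA=="},
    {"host": "WS-041", "user": "CORP\\jsmith", "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Invoke-Command -ComputerName FS-02 -ScriptBlock { whoami }"},
    {"host": "FS-02", "user": "CORP\\jsmith", "parent": "wsmprovhost.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Version 5.1 -s -NoLogo -NoProfile"},
    {"host": "SRV-DB1", "user": "CORP\\svc_backup", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"host": "WS-077", "user": "CORP\\mlee", "parent": "outlook.exe", "image": "winword.exe",
     "cmdline": "winword.exe /n quarterly.docx"},
]

# Source-side evidence: a PowerShell remoting cmdlet that names a target computer.
REMOTING_CMDLET = re.compile(
    r"(Invoke-Command|Enter-PSSession|New-PSSession)\b.*?-ComputerName\s+(\S+)", re.IGNORECASE)
# Supporting evidence: an encoded command line (any of PowerShell's -e/-ec/-enc/-EncodedCommand forms).
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+\S+", re.IGNORECASE)
# Destination-side evidence: WinRM hosts remote sessions in wsmprovhost.exe, which then spawns PowerShell.
WINRM_HOST_PROCESS = "wsmprovhost.exe"


def classify(event):
    """Return the list of indicator names this event matches (empty if it is not interesting)."""
    indicators = []
    if event["image"].lower() != "powershell.exe":
        return indicators
    cmdline = event["cmdline"]
    if REMOTING_CMDLET.search(cmdline):
        indicators.append("remoting_cmdlet")
    if ENCODED.search(cmdline):
        indicators.append("encoded_command")
    if event["parent"].lower() == WINRM_HOST_PROCESS:
        indicators.append("winrm_session_child")
    return indicators


def hunt(events):
    """Test the hypothesis against a batch of events.

    Returns (flagged, pairs): flagged is every event with at least one indicator,
    pairs lists (source_host, target_host, user) triples where a remoting cmdlet on
    the source named a host on which the same user has a WinRM-spawned PowerShell.
    """
    flagged = [(e, classify(e)) for e in events]
    flagged = [(e, ind) for e, ind in flagged if ind]

    dest_sessions = {(e["host"].upper(), e["user"])
                     for e, ind in flagged if "winrm_session_child" in ind}
    pairs = []
    for e, ind in flagged:
        if "remoting_cmdlet" in ind:
            target = REMOTING_CMDLET.search(e["cmdline"]).group(2).upper()
            if (target, e["user"]) in dest_sessions:
                pairs.append((e["host"], target, e["user"]))
    return flagged, pairs


def verdict(pairs):
    """Plain-language outcome of the hypothesis test."""
    return "supported" if pairs else "not supported by this data"


if __name__ == "__main__":
    flagged, pairs = hunt(SAMPLE_EVENTS)
    for event, indicators in flagged:
        print(f"{event['host']:8} {event['user']:18} {', '.join(indicators)}")
    for src, dst, user in pairs:
        print(f"correlated: {user} remoted from {src} to {dst}")
    print("hypothesis:", verdict(pairs))
```

The point of the correlation step is that a single indicator (an encoded command, a remoting cmdlet) is often benign administration; the hypothesis is only meaningfully confirmed when source and destination telemetry agree, which is also the signal a hunter would turn into a new detection rule. When the pairs list comes back empty the hunt has refuted the hypothesis for this data set, and the logging gaps it exposed (for instance, no process telemetry from the target host) are themselves a hunting output.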

What data sources support threat hunting?

Key data sources include EDR telemetry (process execution, file activity, network connections), SIEM logs, DNS query logs, authentication logs, network flow data, proxy logs, email gateway logs, cloud audit trails, firewall logs, and threat intelligence feeds. Comprehensive data coverage is essential for effective hunting.

What skills do threat hunters need?

Threat hunters need deep knowledge of attacker TTPs, strong analytical and investigative skills, proficiency in query languages (KQL, SPL, SQL), understanding of operating system internals, network protocol analysis capabilities, familiarity with MITRE ATT&CK, scripting abilities (Python, PowerShell), and creative thinking to anticipate adversary behavior.

What tools are used for threat hunting?

Hunters use EDR platforms for endpoint telemetry, SIEM systems for log analysis, threat intelligence platforms for context, Jupyter notebooks for data analysis, YARA rules for pattern matching, Sigma rules for cross-platform detection, network analysis tools, and custom scripts for automated data collection and correlation.

How do you build a threat hunting program?

Building a program requires establishing data collection coverage, defining hunting cadences and focus areas, creating hypothesis libraries based on threat intelligence, developing repeatable hunting playbooks, training analysts in hunting methodology, measuring outcomes through detected threats and new detection rules, and integrating findings into defensive improvements.

What are the outputs of threat hunting?

Hunting outputs include discovered threats and compromised systems, new detection rules and SIEM alerts for previously undetected techniques, refined threat intelligence, identified logging gaps requiring improved data collection, updated incident response procedures, and enhanced understanding of the organization's environment and normal baseline behavior.

How To Get Started

Ready to strengthen your security? Fill out our quick form, and a cybersecurity expert will reach out to discuss your needs and next steps.