How Does Threat Hunting Work?
Effective threat hunting is all about hands-on investigation, prevention, and risk reduction, but those things can’t happen in a vacuum—instead, it’s an arms race with threat actors who are always working to make their attacks faster, more numerous, and more difficult to detect. You can think of the basic threat hunting process in four parts:
1. Collect and Analyze Data
Threat hunters collect vast amounts of data from inside and outside the organization's network, including logs, traffic and endpoint data, and threat intelligence feeds. Behavioral analytics and machine learning help establish a baseline of normal behavior from this data, any deviation from which could indicate a potential threat.
2. Develop a Hypothesis
Based on the insights gleaned from data analysis, threat hunters formulate hypotheses about potential threats, focusing on identifying anomalies or suspicious activities that could indicate the presence of malware or another looming security incident.
3. Investigate and Validate
Threat hunters search for indicators of compromise (IOCs), signs of malicious activity, or unusual patterns in the data by examining network traffic, reviewing logs, inspecting endpoint activity, and more. The goal is to validate whether the indicators point to genuine threats or are merely false positives. Validation is critical in enabling organizations to respond to threats more quickly and efficiently.
4. Continuously Improve
To continuously adapt to evolving threats, the hunting process is cyclical: threat hunters apply lessons learned to refine their techniques, update their hypotheses, incorporate new threat intelligence and security solutions, and much more to better inform their next analysis.
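One pass through the four-step cycle above, written as an added example that is not part of the original article. It builds a per-host baseline of daily outbound volume from constructed telemetry (step 1), states the hypothesis "a host exfiltrating data sends far more than its baseline" as a threshold rule (step 2), validates each hit against constructed context such as a backup job that explains the spike (step 3), and feeds the confirmed false positive back as an exclusion so the next hunt skips it (step 4). All host names, byte counts, thresholds and the context table are assumptions made for the example.

```python
"""Added example (not from the original article): one pass through the
four-step hunting cycle over constructed endpoint telemetry.
All host names, numbers and the 'backup' context are constructed."""
from statistics import mean, pstdev

# Step 1 input: constructed history of daily outbound bytes per host (MB).
HISTORY = {
    "ws-01": [120, 110, 130, 125, 115, 118, 122],
    "ws-02": [90, 95, 88, 92, 91, 89, 94],
    "bkp-01": [900, 950, 880, 920, 910, 890, 940],
}

# Today's constructed observations (MB).
TODAY = {"ws-01": 4_200, "ws-02": 93, "bkp-01": 9_500}

# Context a hunter consults during validation (constructed).
CONTEXT = {"bkp-01": "monthly full backup to offsite storage ran today"}


def build_baseline(history):
    """Step 1: mean and population std-dev of outbound volume per host."""
    return {h: (mean(v), pstdev(v)) for h, v in history.items()}


def hunt(baseline, today, exclusions, z_threshold=3.0, min_delta_mb=1_000):
    """Step 2: apply the hypothesis as a rule. A hit needs both a large
    z-score and a large absolute increase, so a very stable host does not
    trigger on a trivial change (constructed thresholds)."""
    hits = []
    for host, observed in today.items():
        if host in exclusions:
            continue
        mu, sigma = baseline[host]
        z = (observed - mu) / sigma if sigma else float("inf")
        if z >= z_threshold and observed - mu >= min_delta_mb:
            hits.append({"host": host, "observed_mb": observed,
                         "baseline_mb": round(mu), "z": round(z, 1)})
    return hits


def validate(hits, context):
    """Step 3: a hit with a documented benign explanation is a false
    positive; the rest remain genuine leads for incident response."""
    confirmed, false_positives = [], []
    for hit in hits:
        reason = context.get(hit["host"])
        if reason:
            false_positives.append({**hit, "reason": reason})
        else:
            confirmed.append(hit)
    return confirmed, false_positives


def improve(exclusions, false_positives):
    """Step 4: record lessons learned so the next hunt skips the known-benign
    pattern. This toy keys the exclusion on host only; a real team would
    scope it narrowly (host plus maintenance window) so a later compromise
    of the backup host is not silently suppressed."""
    return frozenset(exclusions) | {fp["host"] for fp in false_positives}


def run_cycle(history=HISTORY, today=TODAY, context=CONTEXT, exclusions=frozenset()):
    """Run steps 1-4 once and return (confirmed leads, false positives,
    exclusions to carry into the next cycle)."""
    baseline = build_baseline(history)
    hits = hunt(baseline, today, exclusions)
    confirmed, fps = validate(hits, context)
    return confirmed, fps, improve(exclusions, fps)


if __name__ == "__main__":
    confirmed, fps, next_exclusions = run_cycle()
    print("confirmed leads:", confirmed)
    print("false positives:", fps)
    print("exclusions for next run:", sorted(next_exclusions))
```

Running it once flags both ws-01 and bkp-01; validation explains bkp-01 with the backup job, and the second cycle (passing the returned exclusions back in) flags only ws-01. The two-part threshold is the practical caveat: a z-score alone fires on any host whose history is nearly constant.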
Types of Threat Hunting
The approach threat hunters take depends on the information they have upfront. For instance, did a threat feed provide new intel specific to an emerging malware strain, such as signature data? Did the organization notice a sudden spike in outbound traffic?
Lead-driven threat hunting (a.k.a. structured hunting) is hypothesis-driven or based on specific IOCs that guide the investigation. For example, if hunters receive specific intel about emerging malware as mentioned above, they can then search for the known signs of that malware in their environment.
Leadless threat hunting (a.k.a. unstructured hunting) doesn't depend on specific leads or indicators. Instead, threat hunters use data analysis and anomaly detection techniques to uncover things like the aforementioned network traffic spike, and then investigate the cause of the anomaly from there.
These approaches aren’t mutually exclusive—threat hunting teams often need to rely on a combination of both as part of a comprehensive hunting methodology.
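A lead-driven (structured) hunt of the kind described above, as an added example that is not part of the original article: indicators from a threat feed (a domain, a file hash, a network range) are normalized and searched for in endpoint and DNS telemetry. Every indicator, host name, hash and record here is constructed for the example and is not a real IOC; the feed layout and record fields are assumptions. The domain check is written to match subdomains of the indicator but not a different registered domain that merely starts with the same string, which is a common source of both misses and false positives in hand-rolled IOC searches.

```python
"""Added example (not from the original article): a structured hunt that
matches threat-feed indicators against telemetry. All values constructed."""
from ipaddress import ip_address, ip_network

# Constructed 'threat feed' entry for an emerging malware strain.
FEED = {
    "domains": {"Update-Check.example.net"},
    "sha256": {"a" * 64},                 # placeholder hash, not a real sample
    "cidrs": {"203.0.113.0/24"},          # TEST-NET-3 documentation range
}

# Constructed telemetry records; dicts stand in for parsed log lines.
RECORDS = [
    {"host": "ws-01", "type": "dns", "query": "cdn.Update-Check.Example.NET."},
    {"host": "ws-02", "type": "dns", "query": "update-check.example.net.lookalike.org"},
    {"host": "ws-03", "type": "process", "sha256": "A" * 64, "image": "svchost.exe"},
    {"host": "ws-04", "type": "netconn", "dst": "203.0.113.77"},
    {"host": "ws-05", "type": "netconn", "dst": "198.51.100.5"},
]


def normalize_domain(name):
    """Lower-case and strip a trailing dot so feed and log forms compare equal."""
    return name.lower().rstrip(".")


def domain_matches(query, ioc_domain):
    """True if the query is the IOC domain or a subdomain of it. A name that
    only starts with the IOC string (ws-02) belongs to another registered
    domain and must not match."""
    q = normalize_domain(query)
    return q == ioc_domain or q.endswith("." + ioc_domain)


def hunt_iocs(records, feed):
    """Return (host, indicator type, indicator) for every record that matches
    a feed entry. Matches are leads to validate, not verdicts."""
    domains = {normalize_domain(d) for d in feed["domains"]}
    hashes = {h.lower() for h in feed["sha256"]}
    nets = [ip_network(c) for c in feed["cidrs"]]
    hits = []
    for r in records:
        if r["type"] == "dns":
            for d in domains:
                if domain_matches(r["query"], d):
                    hits.append((r["host"], "domain", d))
        elif r["type"] == "process":
            digest = r["sha256"].lower()
            if digest in hashes:
                hits.append((r["host"], "sha256", digest))
        elif r["type"] == "netconn":
            addr = ip_address(r["dst"])
            for n in nets:
                if addr in n:
                    hits.append((r["host"], "cidr", str(n)))
    return hits


if __name__ == "__main__":
    for host, kind, ioc in hunt_iocs(RECORDS, FEED):
        print(f"{host}: matched {kind} indicator {ioc}")
```

The leadless counterpart starts from the data rather than the feed: a statistical baseline of, for instance, outbound volume per host, with investigation triggered by the deviation itself. In practice the hits from a structured search like this one become hypotheses for the next leadless pass (what else did ws-03 do after that process ran?), which is why the article calls the two approaches complementary.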
Benefits of Automation in Cyberthreat Hunting
Automation, paired with human lateral thinking and creativity, is essential to effective threat hunting. Malicious actors will exploit any advantage they can, which today means they’re increasingly using artificial intelligence and automation to fuel their attacks. In other words, it’s a classic example of fighting fire with fire.
Automation speeds up threat detection and response by collecting, correlating, and identifying anomalies in vast amounts of data in real time, far more efficiently than humans can. In turn, human analysts have more time and attention to focus on incidents that require nuanced contextual decision-making, or for which automated tools lack the historical security data to make a determination.
Threat Hunting Models and Methodologies
Various threat hunting models and methodologies help hunters identify, investigate, and mitigate threats with a focus on different aspects, based on what suits the nature of their team or the threat itself. Some common models are:
MITRE ATT&CK Framework
A knowledge base of known adversary tactics, techniques, and procedures (TTPs), the MITRE ATT&CK framework provides a standardized way to categorize and analyze threat behaviors across various stages of an attack, helping threat hunters align their detection and response efforts.
Lockheed Martin Cyber Kill Chain
This model breaks down seven stages of a cyberattack, from reconnaissance to exfiltration, to help proactive threat hunting efforts by identifying vulnerabilities and the potential mitigation strategies effective at different points in the attack chain.
Cyber Threat Intelligence Life Cycle
This continuous process of collecting, analyzing, and disseminating threat intelligence helps threat hunters integrate timely, relevant threat intel into their detection and response efforts, enabling organizations to stay ahead of emerging threats.
Observe, Orient, Decide, Act (OODA) Loop
This four-step framework originally developed for the US Air Force helps threat hunters contextualize information about evolving threats in order to more quickly adapt to changing situations, make informed decisions, and take effective actions.
Diamond Model of Intrusion Analysis
This cyberthreat attribution framework defines the four core features of intrusion activity—adversary, infrastructure, victim, and capability—and their relationships to help threat hunters understand the who, what, where, and how of an attack.