What Is Threat Hunting?

Why Is Threat Hunting Important?

As data breaches become more frequent and expensive, a threat hunting program is a key piece of a modern enterprise security strategy, offering organizations the benefits of:

• Proactive defense against potential risks and hidden threats, improving overall security posture and helping mitigate risks before they escalate, preventing potential breaches
• Enabling accelerated incident response and reduced threat dwell time by combining automated tools and human expertise for more accurate threat detection
• Reduced risk of financial and reputational harm, data loss, and more in the face of increasingly frequent attacks and more expensive consequences

How Does Threat Hunting Work?

Effective threat hunting is all about hands-on investigation, prevention, and risk reduction, but those things can’t happen in a vacuum—instead, it’s an arms race with threat actors who are always working to make their attacks faster, more numerous, and more difficult to detect. You can think of the basic threat hunting process in four parts:

1. Collect and Analyze Data

Threat hunters collect vast amounts of data from inside and outside the organization's network, including logs, traffic and endpoint data, and threat intelligence feeds. Behavioral analytics and machine learning help establish a baseline of normal behavior from this data, any deviation from which could indicate a potential threat.

2. Develop a Hypothesis

Based on the insights gleaned from data analysis, threat hunters formulate hypotheses about potential threats, focusing on identifying anomalies or suspicious activities that could indicate the presence of malware or another looming security incident.

3. Investigate and Validate

Threat hunters search for IOCs, signs of malicious activity, or unusual patterns in the data by examining network traffic, reviewing logs, inspecting endpoint activity, and more. The goal is to validate whether the indicators point to genuine threats or are merely false positives. Validation is critical in enabling organizations to respond to threats more quickly and efficiently.

4. Continuously Improve

To continuously adapt to evolving threats, the hunting process is cyclical: threat hunters apply lessons learned to refine their techniques, update their hypotheses, incorporate new threat intelligence and security solutions, and much more to better inform their next analysis.

Types of Threat Hunting

The approach threat hunters take depends on the information they have upfront. For instance, did a threat feed provide new intel specific to an emerging malware strain, such as signature data? Did the organization notice a sudden spike in outbound traffic?

Lead-driven threat hunting (a.k.a. structured hunting) is hypothesis-driven or based on specific IOCs that guide the investigation. For example, if hunters receive specific intel about emerging malware as mentioned above, they can then search for the known signs of that malware in their environment.

Leadless threat hunting (a.k.a. unstructured hunting) doesn't depend on specific leads or indicators. Instead, threat hunters use data analysis and anomaly detection techniques to uncover things like the aforementioned network traffic spike, and then investigate the cause of the anomaly from there.

These approaches aren’t mutually exclusive—threat hunting teams often need to rely on a combination of both as part of a comprehensive hunting methodology.

Benefits of Automation in Cyberthreat Hunting

Automation is essential to effective threat hunting, paired with human lateral thinking and creativity. Malicious actors will exploit any advantage they can, which today means they’re increasingly using artificial intelligence and automation to fuel their attacks. In other words, it’s a classic example of fighting fire with fire.

Automation speeds up threat detection and response by collecting, correlating, and identifying anomalies in vast amounts of data in real time far more efficiently than humans can. In turn, human analysts have more time and attention to focus on incidents that require nuanced contextual decision-making or lack historical security data for automated tools to make determinations.

Threat Hunting Models and Methodologies

Various threat hunting models and methodologies help hunters identify, investigate, and mitigate threats with a focus on different aspects, based on what suits the nature of their team or the threat itself. Some common models are:

MITRE ATT&CK Framework

A knowledge base of known adversary TTPs, the MITRE ATT&CK framework provides a standardized way to categorize and analyze threat behaviors across various stages of an attack, helping threat hunters align their detection and response efforts.

Lockheed Martin Cyber Kill Chain

This model breaks down seven stages of a cyberattack, from reconnaissance to exfiltration, to help proactive threat hunting efforts by identifying vulnerabilities and the potential mitigation strategies effective at different points in the attack chain.

Cyber Threat Intelligence Life Cycle

This continuous process of collecting, analyzing, and disseminating threat intelligence helps threat hunters integrate timely, relevant threat intel into their detection and response efforts, enabling organizations to stay ahead of emerging threats.

Read more in our dedicated article, What Is Threat Intelligence?

Observe, Orient, Decide, Act (OODA) Loop

This four-step framework originally developed for the US Air Force helps threat hunters contextualize information about evolving threats in order to more quickly adapt to changing situations, make informed decisions, and take effective actions.

Diamond Model of Intrusion Analysis

This cyberthreat attribution framework defines the four core features of intrusion activity—adversary, infrastructure, victim, and capability—and their relationships to help threat hunters understand the who, what, where, and how of an attack.

Threat Hunting Tools

Just as there are many hunting methodologies, there are many tools in the cyberthreat hunter’s toolkit. Some of the common technologies:

• Security information and event management (SIEM) tools collect and analyze log data from an organization’s network and provide a central monitoring and alerting platform.
• Network traffic analysis (NTA) tools analyze network traffic patterns and behaviors to detect suspicious activity and identify potential threats.
• Endpoint detection and response (EDR) tools monitor and detect suspicious activities on endpoints in real time while providing investigation, threat hunting, triage, and remediation.
• Threat intelligence platforms (TIPs) aggregate, correlate, analyze, and enrich threat intelligence from various sources to help analysts and their tools make informed decisions.
• Security orchestration, automation, and response (SOAR) platforms automate and orchestrate incident response tasks, enabling faster and more efficient threat mitigation.
• Vulnerability scanning tools support patch management and risk assessment by scanning an organization's environments and apps to identify vulnerabilities attackers could exploit.
• Attack surface management (ASM) tools provide visibility into an organization’s attack surface, helping reduce it by identifying, monitoring, and mitigating vulnerabilities and potential attack vectors.
• Malware sandboxes isolate and analyze suspicious files and programs in a controlled environment. They are used to identify malware behavior and assess potential threats.
• Threat emulation and Red-Teaming tools simulate real-world cyberattacks to help organizations assess their security posture and identify vulnerabilities.
• Deception technology deploys decoys in a network alongside real assets to lure attackers and generate high-fidelity alerts that reduce dwell time and speed up incident response.

Who Should Be Involved in Threat Hunting?

Security analysts versed in threat detection and hunting tools are the most essential players in your threat hunting efforts, taking the lead in monitoring and analyzing alerts, tracking suspicious behaviors, identifying indicators of attack (IOAs), and more. Smaller organizations may only employ a single full-time analyst, while larger ones may have sizable security operations center (SOC) teams or managed services.

Other important support personnel often include:

• Threat intelligence analysts to distill threat intelligence into critical context and indicators of compromise.
• Legal and compliance teams to help with adherence to legal and regulatory requirements.
• Executives and board members to make top-level decisions about strategy, human resources, and budgeting.

What Do You Need to Start Hunting Threats?

Your organization needs four key things to hunt threats effectively:

1. A team of skilled hunters and analysts. If you have an in-house security team, invest in ongoing training and development to help them protect your organization against evolving, sophisticated threats.
2. The right mix of threat hunting technologies and automated tools, including SIEM platforms, EDR solutions, NTA tools, and threat intelligence platforms.
3. Access to logs, network traffic data, behavior data, and more to ensure your threat hunters have a complete view of the threat landscape.
4. A clear strategic framework for threat hunting, with defined objectives and strategies that align with your risk tolerance and security posture.

Zscaler’s Role in Threat Hunting

Zscaler ThreatLabz threat hunting experts keep an eye out for anomalies within the 500 trillion data points traversing the world’s largest security cloud, identifying and detecting malicious activity as well emerging threats.

Zscaler ThreatLabz utilizes threat intelligence and proprietary tools to proactively hunt for the telltale tactics, tools, and procedures (TTPs) of threats ranging from the most sophisticated adversary groups to commodity malware, allowing for a comprehensive coverage of current threats.

These data points are also used to train machine learning models for quicker and broader detections. This proactive approach contributes to identifying and blocking 9 billion potential threats daily, before they can affect our customers or cause harm.