In the ever-changing cyber landscape, new threats emerge daily, testing the resiliency of businesses worldwide. To effectively stay ahead of these threats, many businesses are turning to threat hunting, the discipline of proactively seeking out cyber threats that may be lurking in an organization’s IT environment.
However, successful threat hunting isn’t just about random searches and hunches. It requires a structured and systematic approach.
So what does the threat hunting workflow actually look like? In this blog, we will dive into the typical threat hunting process, explore its key phases and highlight how threat hunting should fit into a broader cybersecurity strategy.
The Purpose of Threat Hunting
Once upon a time, security professionals spent most of their days reacting to alerts and cyber incidents. But as threats grew more complex and frequent, the need for a proactive approach arose.
Threat hunting isn't just another cybersecurity buzzword; it's a proactive approach that empowers defenders to go on the offensive. Instead of waiting for alarm bells to ring, threat hunters take the initiative to track down adversaries that might be in their environment. It heavily relies on human expertise and the ability to think like the adversary.
Typically, the goal of any threat hunt can include one (or more) of the following:
- Find malicious activity that other security tools overlooked or didn’t catch
- Reduce threat actor dwell time and minimize potential damage
- Improve overall security posture by identifying weak spots and refining detection rules
- Share intelligence with the community and strengthen our collective defense against cyber threats
Structured vs. Unstructured Threat Hunting
Threat hunting is a dynamic discipline, and there's no one-size-fits-all approach. But generally, a hunt can be considered either structured or unstructured.
In structured hunting, threat hunters work with clear hypotheses and follow well-defined procedures. These established guidelines streamline the process and ensure a consistent, repeatable and scalable approach. It's like having a trail map and compass leading the way through the hunt. Using their knowledge of adversary capabilities matched against their current security measures, threat hunters know the expected threat activity they’re looking for and the general direction their hunt will go in.
Unstructured hunting is more freestyle, allowing threat hunters to be guided by their curiosity. There are no strict guidelines, and they explore rabbit holes or work off of hunches or small pieces of threat intel. Because of their boundless nature, these hunts usually require more senior knowledge of attack frameworks and adversarial tactics to be effective.
For the purpose of this blog, we’ll be focusing on structured threat hunting.
Typically, the structured threat hunting process can be broken down into three main phases: the planning phase, the execution phase and the reporting phase. Let's dive into the three phases of the threat hunting process.
1. The Planning Phase
The planning phase lays the foundation for an effective threat hunt. It involves gathering threat intelligence and research, building a hypothesis and identifying the right data.
In this phase, threat hunters will seek to define the threats or activities they are looking for, where they will be looking and what tools and techniques they will use in their hunt.
- Gather intelligence: Just like the attacker’s workflow, threat hunting usually kicks off with some reconnaissance. Most commonly, this is determined by identifying risk areas or looking at historical data to specify the patterns and potential threats to hunt down. This can also come from various outside sources, such as open-source intelligence or social media feeds.
- Build hypotheses: Formulating a hypothesis is a critical step in the planning phase. Based on the gathered threat intelligence, threat hunters will create an educated guess about potential threat actors, their tactics and the techniques they might employ. The hypothesis serves as the “north star” throughout the threat hunting process.
- Determine data sources: Data can make or break a hunt. With a clear hypothesis in mind, threat hunters will turn their attention to which data sources are available and where they can look for clues. Common data sources include system logs, network traffic and endpoint telemetry.
2. The Execution Phase
This is where the actual threat hunt takes place. In this phase, threat hunters will investigate data sources and test their hypotheses continuously.
- Query data sources: Using specialized tools and techniques, threat hunters will collect and scrutinize the data—querying databases, performing log analysis or doing other forensic analysis.
- Follow breadcrumbs: Along the way, threat hunters will investigate the tactics, techniques and procedures (TTPs) or other clues and patterns that align with their hypothesis.
- Test hypothesis: Overall, the aim is to prove or disprove the initial hypothesis—at the same time, threat hunters will also refine their hunt as new information is revealed and create new hypotheses as needed.
3. The Reporting Phase
After completing the hunt, this final phase focuses on making sense of the findings, creating detections (if applicable) and determining the appropriate next steps and improvement opportunities.
- Distill findings: Knowledge is power, so threat hunters will summarize and document their findings—distilling the most critical information from their hunt, even if they couldn’t validate their initial hypothesis.
- Create detections: Identifiable patterns or signatures can be passed along to a SOC or security team to help build or modify detection rules that can alert on that activity in the future.
- Improve process: Because threat hunting is an iterative process, there’s always an opportunity to create a feedback loop and look for areas for improvement—in both the hunting process and the organization's security posture.
Threat hunting appears to be the next frontier in cyber defense. And with their structured process, attention to detail and human intuition, it’s the threat hunters who are leading the charge and helping businesses stay one step ahead of today’s adversaries.
Watch Now: Explore the ins and outs of modern threat hunting in our new video series, Behind the Hunt.
