What is Cyber Threat Hunting?

Cyber threat hunting is a proactive threat detection method. Generally, it is the process of actively looking for the traces of attackers (past and present) in an IT environment.
Threat hunters start from the assumption that attackers are already present in the environment; this assumption lets them find the attackers' traces before any alerts are generated by security controls.

This is in contrast to traditional defensive or preventative measures, where the protector investigates data only after a threat indication has been raised. A cyber threat hunter would normally demonstrate both analytical and creative skills, and benefits from a strong understanding of adversary cyber tactics, techniques and procedures (TTPs).

Thinking like an adversary

Impersonating an attacker helps in understanding how cyber adversaries would act in the context of a specific organization and its operational objectives. For example, a cyber operation against a cloud-based software development company with 5K employees would not be carried out the same way as a cyber operation against a hardware SMB. To examine possible operation methods, a threat hunter should hypothesize specific Tactics, Techniques, and Procedures (TTPs), understand how these TTPs would appear in specific organizational data sources, and search for them there.

Examining known attack behaviors

Despite discovering hundreds of organizational cyberattacks per day, “traditional” security products do not address or document the TTPs that cyber attackers commonly use; they merely focus on IOCs. Another threat hunting investigation method is to look at published attacks and research their attack behaviors in depth. From there, a good threat hunter builds powerful new attack hypotheses, relying on the newly discovered attack behaviors and techniques.

Hunting anomalies in known environments

Cyberattackers’ activity is inherently different from that of employees and insiders, because they have different goals. This means that they will always leave traces. Threat hunters can find these traces as anomalies by using different statistical outlier algorithms. For example, in an environment with thousands of benign endpoints and only a few that are compromised, specific activities will immediately stand out as anomalous in a statistical analysis. From there, the hard work is understanding whether these anomalies represent malicious activity or not. An experienced hunter will enrich the statistical analysis with relevant features, differentiators and labels to raise its precision.
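The following is an added example (not code from the original page or its vendor) of the outlier approach described above. It runs a robust z-score (median/MAD) over a constructed daily telemetry summary for a dozen endpoints, using three hypothetical features: distinct parent-to-child process pairs, distinct outbound destination IPs, and logons from previously unseen source hosts. The same hunt is run twice: once against a single global baseline, and once with the endpoint's role used as a label so each host is compared with its peers. The host names, feature names and values are all constructed sample data.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed daily telemetry summary, one row per endpoint (sample data, not real).
# "role" is a label the hunter adds from asset inventory; admin hosts are legitimately busier.
TELEMETRY = [
    {"host": "ws-001", "role": "user",  "proc_pairs": 41,  "dst_ips": 12, "new_logon_src": 0},
    {"host": "ws-002", "role": "user",  "proc_pairs": 38,  "dst_ips": 11, "new_logon_src": 0},
    {"host": "ws-003", "role": "user",  "proc_pairs": 44,  "dst_ips": 14, "new_logon_src": 1},
    {"host": "ws-004", "role": "user",  "proc_pairs": 40,  "dst_ips": 13, "new_logon_src": 0},
    {"host": "ws-005", "role": "user",  "proc_pairs": 39,  "dst_ips": 12, "new_logon_src": 0},
    {"host": "ws-006", "role": "user",  "proc_pairs": 43,  "dst_ips": 15, "new_logon_src": 0},
    {"host": "ws-007", "role": "user",  "proc_pairs": 180, "dst_ips": 95, "new_logon_src": 6},  # constructed compromised host
    {"host": "ws-008", "role": "user",  "proc_pairs": 42,  "dst_ips": 12, "new_logon_src": 1},
    {"host": "ws-009", "role": "user",  "proc_pairs": 37,  "dst_ips": 10, "new_logon_src": 0},
    {"host": "adm-01", "role": "admin", "proc_pairs": 150, "dst_ips": 80, "new_logon_src": 3},
    {"host": "adm-02", "role": "admin", "proc_pairs": 165, "dst_ips": 88, "new_logon_src": 4},
    {"host": "adm-03", "role": "admin", "proc_pairs": 158, "dst_ips": 84, "new_logon_src": 5},
]

FEATURES = ("proc_pairs", "dst_ips", "new_logon_src")


def robust_z(values):
    """Median/MAD based z-scores: resistant to the very outliers we are looking for."""
    med = median(values)
    devs = [abs(v - med) for v in values]
    mad = median(devs)
    if mad > 0:
        scale = mad / 0.6745  # MAD rescaled to be comparable with sigma for normal data
    else:
        # More than half the values equal the median (e.g. a feature that is mostly 0):
        # fall back to the rescaled mean absolute deviation so rare non-zero values still score.
        meanad = mean(devs)
        scale = 1.253314 * meanad if meanad > 0 else None
    if scale is None:
        return [0.0 for _ in values]  # every value is identical: nothing can be an outlier
    return [(v - med) / scale for v in values]


def hunt_outliers(rows, features=FEATURES, group_by=None, threshold=3.5):
    """Return {host: {feature: z}} for hosts that are outliers on any feature.

    group_by names a label column (e.g. "role") so each host is scored against its
    peer group; None scores every host against one global baseline.
    """
    groups = defaultdict(list)
    for row in rows:
        groups[row[group_by] if group_by else "all"].append(row)
    flagged = {}
    for peers in groups.values():
        for feat in features:
            scores = robust_z([r[feat] for r in peers])
            for row, z in zip(peers, scores):
                if abs(z) > threshold:
                    flagged.setdefault(row["host"], {})[feat] = round(z, 1)
    return flagged


if __name__ == "__main__":
    print("global baseline:", hunt_outliers(TELEMETRY))
    print("per-role baseline:", hunt_outliers(TELEMETRY, group_by="role"))
```

Against the global baseline the three admin hosts are flagged alongside the compromised workstation, because their legitimately high activity is anomalous relative to the user population; adding the role label as a peer-group differentiator removes those false positives and leaves only ws-007, which is outlying on all three features. The MAD fallback matters for sparse counters such as new logon sources, where the median absolute deviation collapses to zero and a naive implementation would either divide by zero or never flag anything.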

Threat Hunting in the Evolution of Threat Detection & Response

The cybersecurity ‘Threat Detection and Response’ domain has gained tremendous traction in recent years. Now, security leaders are looking to extend it across the enterprise, and do it at scale.

Preventing the threat

Blocking hackers from accessing organizational networks

Detecting the threat

Scanning networks for known vulnerabilities identified by previous breaches

Autonomous Threat Hunting

Intercept clever threats that manage to bypass existing controls and detect attacks from the get-go with proactive, autonomous threat hunting

A New Chapter in Threat Detection & Response

New Threat Detection and Response solutions push beyond the single point, and rise above data noise

  • Endpoint solutions
  • Network traffic analysis
  • Organized data that floods telemetry noise

In order to rapidly detect threats and effectively respond, enterprises today need to acquire the following features in threat detection and response:

Interconnected Data

Enables effective cross-correlation across every IT environment: cloud, on-premises, endpoints, etc.

Automatic Detection

Enables the processing of petabytes of organizational data, to generate exceptional threat signals

Proactive Detection

- Identifies breaches from an early stage
- Expedites response time
- Provides SOC teams with concrete findings

Vendor Agnostic Analysis

Enables defenders to work freely with existing organizational environments and security controls, with no vendor lock

Autonomous Threat Hunting

Read our blog post: “'XDR': Re-evaluating Threat Detection & Response”
