Working in cybersecurity often feels like being a detective solving a complex case. A detective begins by gathering evidence, interviewing witnesses, and identifying potential suspects. However, without the ability to connect the suspects to the evidence and testimony, the case may remain unsolved. Similarly, in cybersecurity, we monitor our environments, collect and analyze data from numerous tools, and study threat actor behaviors. If we fail to correlate this data effectively, we risk missing critical insights, leaving us unable to detect or respond timely to cyber threats.
The stakes are higher than ever, with the threat of cybercrime continuing to grow and attacks becoming increasingly complex. Time to exploit vulnerabilities is down to 5 days, incidents have more than doubled since COVID-19, and the financial losses tripled between 2020 and 2023. Cybersecurity teams are left scrambling, trying to figure out how to keep their organization from being the next headline. This is where threat hunting comes in.
Threat hunting is an approach that takes disjointed processes, which are often reactive in nature, and unifies them to create a more proactive and efficient means of defending against cyber threats. Unfortunately, this method often flies in the face of traditional cybersecurity practices. Many of the things necessary for effective threat hunting are often siloed into different processes supported by different people. Collaboration and information sharing may be ineffective or inefficient, creating an inability to effectively assess risk and respond in a timely manner. Just like with our crime analogy, if we are unable to connect all the pieces, we are unable to fully understand the risk and get to the bottom of it quickly.
Consider this scenario: your organization has millions of vulnerabilities impacting the systems on your network. Among them, several workstations continue to be affected by a vulnerability dubbed PrintNightmare, which is being actively exploited by threat actors. It just so happens that the sophisticated ransomware operation BlackBasta, which has recently been targeting your industry, is using this exact vulnerability as a means of compromise. They gain initial access, exploit PrintNightmare for lateral movement, and disable your EDR systems, all before you realize you're under attack. Furthermore, if the teams that manage vulnerability detection, threat intelligence, and endpoint security are separate, and information-sharing practices are limited, you may never know the full scope of the impact to your organization.
Hopefully, a similar scenario has not impacted your organization, but if it has or you just want to keep it from happening, it’s time to evolve your approach. Let’s talk about how threat hunting can enable a more proactive means of detection which actually allows you to stay ahead of the threat actors.
What is Threat Hunting?
Threat hunting is a concept that is gaining rapid adoption by mature cyber organizations and vendors alike. Interpretations vary, leading to ambiguity about its purpose and scope. At its essence, threat hunting is a proactive investigative process aimed at identifying and neutralizing potential cyber threats that evade automated detection. Microsoft describes it as “proactively searching for unknown or undetected threats across an organization’s network, endpoints, and data.” NIST reinforces this with its focus on “tracking and disrupting cyber adversaries as early as possible in the attack sequence,” while improving response speed and accuracy. These definitions position threat hunting as a vital strategy for staying ahead of evolving cyber threats.
We have established that threat hunting is about being proactive so let us break it down further. After all, a hunter doesn’t go into the woods without knowing what they are hunting. So what is a ‘threat’ and why are we hunting it?
A 'threat' refers to a potential security risk to an organization's digital assets. In contrast, an ‘attack’ is the actual attempt to exploit that risk and cause harm. Threat actors range from organized groups (APTs), including state-sponsored ones, to cybercriminal networks and individual hackers. Their motives vary—cyberespionage, financial gain, or hacktivism—leading to various tactics such as deploying backdoors, conducting reconnaissance, or compromising data (erased, tampered, exfiltrated, or encrypted). Analytical models, such as the MITRE ATT&CK® framework, standardize attackers' tactics, techniques, and procedures (TTPs), aiding detection and fostering a shared cybersecurity language.
Threats to an organization vary widely, as do the methods used to hunt them. Effective threat hunting, discussed later, must be both proactive and iterative. Regularly forming and testing new hypotheses fosters continuous improvement, ultimately enhancing risk reduction.
The Three Pillars of Threat Hunting
- Proactivity. Instead of waiting for alerts to signal an attack, threat hunters actively seek out potential compromises before they materialize. By providing early warning, this approach lets the defender offset the attacker’s advantage.
- Intelligence-driven process. Using threat intelligence on malicious actors, their TTPs, and Indicators of Compromise (IOCs) is central to the threat hunter’s job.
- Holistic Analysis. Threat hunting demands connecting dots across your entire security stack and attack surfaces. It's about recognizing patterns where others see only data points.
The Threat Hunting Process
Now, let’s examine a typical threat hunting process step by step. We'll walk through each stage of an investigation, from initial trigger to final reporting, demonstrating how threat hunters connect disparate pieces of information to uncover potential risks. To bring these abstract concepts to life, we'll use a real-world scenario to demonstrate exactly how each step translates from theory into practice.
- Initiating Investigation. The process of threat hunting is typically launched by a trigger, which could be a new piece of intelligence, a detected anomaly or vulnerability, or an internal hypothesis that challenges existing security assumptions. Organizations should focus on triggers aligned with their specific risk profile to ensure investigations address the relevant threats.
- Example: A new report shows that RansomHub, a major sophisticated ransomware group, has been recently exploiting various vulnerabilities against the healthcare sector.
- Forming a hypothesis. Forming a hypothesis about a potential threat is critical to initiating hunting activities. Without a clear hypothesis that identifies the threat to be targeted, even the best analytical research may be of little use. Thus, the hypothesis’s main goal must be to establish an objective, define the means of analysis, and prioritize research sources. It should also include an understanding of both the organization’s exposure and the likelihood of the threat.
- Example: RansomHub’s focus on healthcare, together with its proven ability to exploit Windows vulnerabilities (especially the ZeroLogon flaw and vulnerabilities in Windows Vista), puts many of our organization’s Windows servers at risk; if compromised, they might cause significant financial losses.
- Collecting the data. The previously formed hypothesis should now make the process of querying the data easier. We may now be able to detect the (potential) trails of a threat actor, for example by looking for relevant IOCs or TTPs.
- Example: For all Windows servers, collect recent logs from the installed EDRs and from the firewalls protecting them, then filter them by the IPs and malware hashes associated with RansomHub.
- Investigating the data. The purpose of the investigation phase is to answer the 'Who?', 'What?', 'When?', 'Where?' and 'Why?' of any anomalies found in the collection step. The investigation should result in actionable insights about the level of the threat exposure.
- Example: We now notice that some Windows servers are particularly exposed to the threat posed by RansomHub, as they have unmitigated ZeroLogon vulnerabilities.
- Acting on the findings. Time to act upon our findings. This part includes “fixing what is broken,” but more importantly it is our time to strengthen our defenses and leverage our existing tools to be better protected against the next risk.
- Example: Ensure that the relevant EDR features that reduce the risk of ZeroLogon exploitation are in force.
- Reporting. Usually this flow is completed by communicating our findings and action items higher up. This is a great opportunity to reflect on the blind spots detected, as well as how we improved going forward.
- Refining the hypothesis. Rather than a linear process, threat hunting is always an iterative loop. Following our findings (and the actions taken to handle the risk), we may want to further refine our threat hypothesis and begin the process all over again.
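To make the collection, investigation and reporting steps concrete, here is an added example (not code from the original post) that runs the RansomHub-style hunt above over constructed telemetry: EDR and firewall events are filtered by the hypothesis's IOCs, joined with a vulnerability inventory, and ranked so that a host with both actor contact and an unmitigated ZeroLogon finding surfaces first. Every hostname, IP address, hash and timestamp is a constructed placeholder, not a real indicator; the record layouts are assumed, not any specific vendor's export format.

```python
"""Hypothesis-driven hunt: correlate IOC hits with vulnerability exposure.

Added example, not code from the original post. Hostnames, IPs, hashes
and timestamps are constructed placeholders, not real RansomHub
indicators; the vulnerability labels are just names from the hypothesis.
"""
from collections import defaultdict

# Hypothesis inputs: indicators attributed to the actor (constructed).
ACTOR_IOCS = {
    "ips": {"203.0.113.17", "198.51.100.9"},            # TEST-NET addresses, constructed
    "hashes": {"c0ffee01": "constructed-dropper.exe"},  # short placeholder, not a real SHA-256
}
# Vulnerabilities the hypothesis says the actor exploits.
HYPOTHESIS_VULNS = {"ZeroLogon"}

# Constructed EDR telemetry, already exported as flat records.
EDR_EVENTS = [
    {"ts": "2024-11-02T08:14:05Z", "host": "dc01", "sha256": "c0ffee01", "remote_ip": None},
    {"ts": "2024-11-02T08:16:40Z", "host": "app01", "sha256": "benign01", "remote_ip": "203.0.113.17"},
    {"ts": "2024-11-02T08:17:02Z", "host": "dc02", "sha256": "benign02", "remote_ip": "10.0.0.12"},
]
# Constructed firewall events for the same window.
FIREWALL_EVENTS = [
    {"ts": "2024-11-02T08:13:58Z", "host": "dc01", "src_ip": "203.0.113.17", "dst_port": 445, "action": "allow"},
    {"ts": "2024-11-02T08:20:11Z", "host": "fs01", "src_ip": "198.51.100.9", "dst_port": 3389, "action": "deny"},
]
# Constructed vulnerability inventory (as a scanner export might provide).
VULN_INVENTORY = [
    {"host": "dc01", "vuln": "ZeroLogon", "mitigated": False},
    {"host": "dc02", "vuln": "ZeroLogon", "mitigated": True},
    {"host": "dc03", "vuln": "ZeroLogon", "mitigated": False},
    {"host": "fs01", "vuln": "PrintNightmare", "mitigated": False},
]


def collect_ioc_hits(edr_events, fw_events, iocs):
    """Collection step: keep only events matching the actor's IOCs, keyed by host."""
    hits = defaultdict(list)
    for e in edr_events:
        if e.get("sha256") in iocs["hashes"]:
            hits[e["host"]].append(("edr", e["ts"], f"known file {iocs['hashes'][e['sha256']]}"))
        if e.get("remote_ip") in iocs["ips"]:
            hits[e["host"]].append(("edr", e["ts"], f"connection to {e['remote_ip']}"))
    for f in fw_events:
        # Blocked traffic from a known IP is noise for this hypothesis; allowed traffic is evidence.
        if f.get("src_ip") in iocs["ips"] and f.get("action") == "allow":
            hits[f["host"]].append(("firewall", f["ts"],
                                    f"allowed inbound from {f['src_ip']} to port {f['dst_port']}"))
    return dict(hits)


def unmitigated_exposure(inventory, vulns):
    """Hosts still carrying an unmitigated vulnerability named in the hypothesis."""
    return {r["host"] for r in inventory if r["vuln"] in vulns and not r["mitigated"]}


def assess(edr_events, fw_events, inventory, iocs, vulns):
    """Investigation step: join IOC evidence with exposure and rank each host."""
    hits = collect_ioc_hits(edr_events, fw_events, iocs)
    exposed = unmitigated_exposure(inventory, vulns)
    findings = []
    for host in sorted(set(hits) | exposed):
        if host in hits and host in exposed:
            priority = "critical"   # evidence of contact AND an unpatched way in
        elif host in hits:
            priority = "high"       # evidence of contact, no known exposure
        else:
            priority = "medium"     # exposed but no evidence yet: patch and keep watching
        findings.append({"host": host, "priority": priority,
                         "exposed": host in exposed, "evidence": hits.get(host, [])})
    return findings


def report(findings):
    """Reporting step: one line per host, highest priority first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    lines = []
    for f in sorted(findings, key=lambda x: order[x["priority"]]):
        lines.append(f"{f['priority'].upper():8} {f['host']:6} exposed={f['exposed']} evidence={len(f['evidence'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess(EDR_EVENTS, FIREWALL_EVENTS, VULN_INVENTORY, ACTOR_IOCS, HYPOTHESIS_VULNS)))
```

Note that a host with an unmitigated ZeroLogon finding but no IOC hit still appears in the report as "medium": the hunt answers the exposure question even when there is no evidence of contact yet, which is exactly the input the "acting on the findings" step needs.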
Modern Threat Hunting Challenges
According to a recent SANS survey, over 51% of organizations already have a defined threat hunting methodology, an incredible increase from only 35% in the previous year. This trend reflects organizations’ growing need to be more proactive in reducing risk. Of course, it also means that roughly half of organizations are still finding their way in the hunting world, learning how to do it right.
Whether they have a defined process or not, everyone practicing threat hunting is sure to face some challenges on their journey:
- Data collection is a hurdle!
A proper investigation requires having all the data in place. In today's environment, it’s hard to get this single pane of glass. The modern security stack often includes dozens of tools, each holding crucial pieces of the security puzzle. Consolidating all these data points is essential, or else you will be operating blind. Data that remains siloed is harder to act upon and limits the organization’s visibility.
- Connecting two worlds: tackling hybrid cloud environments
Today we see more and more organizations with a mix of on-prem and cloud environments. They usually also have a tooling difference between the two: in the cloud we face cloud-native security tools, as opposed to the more traditional tools on-prem. If collecting data from one kind of environment is hard, facing two is double the fun.
- No hunters to be found
Threat hunting is perceived as a complicated skill that one has to acquire and practice. It requires extensive knowledge of the entire organization’s network and the whole security stack, combined with the analytical lens to draw the lines between the dots and get to the gold. This expertise is often distributed across teams, requiring careful coordination.
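The first two challenges come down to the same engineering task: pulling differently shaped records from on-prem and cloud tools into one schema so a single question can be asked of both. The following added example (not code from the original post) normalizes constructed iptables-style firewall syslog and constructed cloud audit records (CloudTrail-like field names, used only as an illustration of a cloud-native format) into one timeline, then asks which source addresses were seen in both environments, a connection neither tool can make on its own. All log lines, addresses and usernames are constructed.

```python
"""Normalize on-prem syslog and cloud-native audit records into one schema.

Added example, not code from the original post. The log lines are
constructed; the cloud records use CloudTrail-like field names only
as an illustration of a cloud-native format.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed on-prem firewall syslog (iptables-style; note the timestamp has no year).
ONPREM_SYSLOG = [
    "Nov  2 08:14:05 fw-edge01 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.17 DST=10.0.1.5 PROTO=TCP DPT=445",
    "Nov  2 08:15:30 fw-edge01 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.1.5 PROTO=TCP DPT=3389",
    "Nov  2 08:20:00 fw-edge01 sshd[4242]: Accepted publickey for admin from 10.0.9.3 port 51022",
]
# Constructed cloud audit records (JSON, one event per string).
CLOUD_JSON = [
    '{"eventTime": "2024-11-02T08:16:40Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.17", '
    '"userIdentity": {"userName": "svc-backup"}}',
    '{"eventTime": "2024-11-02T08:30:12Z", "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44", '
    '"userIdentity": {"userName": "jdoe"}, "errorMessage": "Failed authentication"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<action>ACCEPT|DROP) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def normalize_syslog(line, year):
    """Map a firewall syslog line onto the common schema; None for lines we do not model."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Syslog omits the year, so the caller supplies it (watch for year-end rollover).
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
    return {"ts": ts, "source": "onprem-firewall", "src_ip": m["src"], "target": m["host"],
            "action": m["action"].lower(), "detail": f"dst={m['dst']} port={m['dpt']}"}


def normalize_cloud(record):
    """Map a cloud audit record onto the same schema."""
    d = json.loads(record)
    ts = datetime.strptime(d["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    outcome = "failure" if "errorMessage" in d else "success"
    return {"ts": ts, "source": "cloud-audit", "src_ip": d["sourceIPAddress"],
            "target": d["userIdentity"]["userName"], "action": d["eventName"].lower(), "detail": outcome}


def build_timeline(syslog_lines, cloud_records, year):
    """Single pane of glass: both environments merged into one time-ordered list."""
    events = [e for e in (normalize_syslog(ln, year) for ln in syslog_lines) if e]
    events += [normalize_cloud(r) for r in cloud_records]
    return sorted(events, key=lambda e: e["ts"])


def cross_environment_sources(timeline):
    """Source IPs seen in more than one environment: the dots that siloed tools cannot connect."""
    seen = defaultdict(set)
    for e in timeline:
        seen[e["src_ip"]].add(e["source"])
    return sorted(ip for ip, sources in seen.items() if len(sources) > 1)


if __name__ == "__main__":
    tl = build_timeline(ONPREM_SYSLOG, CLOUD_JSON, year=2024)
    for e in tl:
        print(e["ts"].isoformat(), e["source"], e["src_ip"], e["action"], e["target"], e["detail"])
    print("seen in both environments:", cross_environment_sources(tl))
```

The schema is deliberately small (time, source, source IP, target, action, detail): the point is not to preserve every field but to carry enough common ground that a hunt query written once runs over every environment you have.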
The Path Forward
In the relentless race against cyber threats, passive defense is no longer an option. Modern threat hunting requires organizations to adopt a "sniper mindset"—precise, proactive, and always alert. The potential damage to brand reputation and financial stability from successful attacks makes this investment essential.
Here's how to begin your threat hunting journey:
- Start Building Awareness. Before diving into complex hunting operations, dedicate time each week to understanding the threats targeting your industry. Follow threat intel sources, join industry groups, and map how recent attacks could affect your organization.
- Begin Small, Hunt Smart. Choose one critical system or process in your organization. Develop a simple hunting hypothesis around it, gather the relevant data, and start connecting the dots. Use this first hunt to develop your methodology and process.
- Learn and Adapt. After each hunting exercise, document what worked, what didn't, and what data you were missing. Use these insights to gradually improve both your hunting process and your security controls.
Threat hunting represents the evolution of cybersecurity from reactive to proactive defense. In a world where attacks grow more sophisticated by the day, organizations must embrace this approach to stay ahead of threats. The puzzle pieces are there—success lies in how well you put them together.
Remember: the best defense isn't just about having the right tools—it's about using them proactively to hunt threats before they become incidents.
Resources:
https://csf.tools/reference/nist-sp-800-53/r5/ra/ra-10/
https://www.chaossearch.io/blog/threat-hunting-methods-and-frameworks