
Threat hunting proactively searches for threats that automated detection missed. Rather than waiting for alerts, hunters hypothesize threats exist and seek evidence proving or disproving those hypotheses.
Detection rules catch known patterns. But attackers evolve, new techniques emerge, and some activity looks legitimate until context reveals its malicious purpose. Hunting addresses these gaps.
Assume compromise. Rather than assuming defenses work perfectly, hunters assume sophisticated adversaries may already have access. The goal is finding evidence of their presence.
Time matters. The longer attackers persist undetected, the more damage they cause. Hunting reduces dwell time by discovering threats between detection rule updates.
Hypothesis formation starts every hunt. A hypothesis proposes a specific threat presence: "APT29 may have established persistence via scheduled tasks." Hypotheses derive from threat intelligence, recent incidents, vulnerability disclosures, or analyst intuition.
Investigation tests the hypothesis against available data. Query logs for scheduled task creation. Examine which accounts created tasks. Analyze what tasks execute. Look for characteristics matching the hypothesized threat.
Discovery occurs when investigation reveals actual malicious activity. Most hunts conclude without findings; disproving the hypothesis is a success too, because it shows that the specific threat is not present.
Response follows discovery. Confirmed threats require incident response. Near-misses might justify additional detection rules.
Documentation preserves hunting knowledge. What was hypothesized? What data was analyzed? What was found? This record enables future hunts and contributes to organizational learning.
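The five steps above, worked through as one small hunt. This is an added example, not part of the lesson: it takes the lesson's own scheduled-task hypothesis, tests it against a constructed set of log records modelled on Windows Security Event ID 4698 ("A scheduled task was created"), tallies which accounts created tasks, flags task actions with characteristics commonly associated with persistence (a script host as the action, a binary in a user-writable directory, an encoded or hidden command line), and emits the documentation record the lesson asks for. The field names, hostnames, users, paths and timestamps are all constructed; a real hunt would pull the same fields from a SIEM or the host's event log.

```python
"""Hunt: "Persistence may have been established via scheduled tasks."

Added example (not from the lesson). The log below is constructed and only
loosely resembles Windows Event ID 4698; the field names are assumptions.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass, field, asdict

# --- Constructed sample data (JSON lines, one task-creation event each) ----
SAMPLE_LOG = r"""
{"time":"2024-03-04T09:12:01Z","host":"WS-014","user":"jdoe","task":"\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot","command":"C:\\Windows\\System32\\MusNotification.exe","args":""}
{"time":"2024-03-04T09:40:17Z","host":"WS-014","user":"jdoe","task":"\\OneDriveSync","command":"powershell.exe","args":"-w hidden -enc SQBFAFgA"}
{"time":"2024-03-04T10:02:44Z","host":"SRV-DB01","user":"svc_backup","task":"\\NightlyBackup","command":"C:\\Program Files\\Backup\\bk.exe","args":"/full"}
{"time":"2024-03-05T02:15:09Z","host":"WS-027","user":"mlee","task":"\\Adobe Updater","command":"C:\\Users\\mlee\\AppData\\Roaming\\upd.exe","args":""}
"""

# --- Characteristics the hunter looks for (heuristics, not proof) ----------
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\AppData|\\Temp\\|\\ProgramData\\|\\Users\\Public\\)", re.I)
ENCODED_ARG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


@dataclass
class HuntRecord:
    """Step 5: what was hypothesised, what data was used, what was found."""
    hypothesis: str
    data_source: str
    events_reviewed: int = 0
    task_creators: dict = field(default_factory=dict)  # account -> tasks created
    findings: list = field(default_factory=list)
    verdict: str = "hypothesis not supported by reviewed data"


def parse_events(raw: str) -> list:
    """Load one JSON object per non-empty line."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def assess(event: dict) -> list:
    """Step 2 (analyse what the task executes): return the reasons a task
    action looks like persistence tooling, or [] for a benign-looking one."""
    reasons = []
    exe = event["command"].rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe} used as task action")
    if USER_WRITABLE.search(event["command"]):
        reasons.append("action binary lives in a user-writable directory")
    if ENCODED_ARG.search(event["args"]):
        reasons.append("encoded command line")
    if HIDDEN_WINDOW.search(event["args"]):
        reasons.append("hidden window requested")
    return reasons


def run_hunt(raw_log: str) -> HuntRecord:
    """Steps 1-4: state the hypothesis, query and examine the data, decide."""
    record = HuntRecord(
        hypothesis="Persistence may have been established via scheduled tasks",
        data_source="Windows Security log, Event ID 4698 (constructed sample)",
    )
    events = parse_events(raw_log)
    record.events_reviewed = len(events)
    # Step 2: examine which accounts created tasks.
    record.task_creators = dict(Counter(e["user"] for e in events))
    # Step 3: discovery, if any event shows the hypothesised characteristics.
    for e in events:
        reasons = assess(e)
        if reasons:
            record.findings.append({"time": e["time"], "host": e["host"],
                                    "user": e["user"], "task": e["task"],
                                    "reasons": reasons})
    # Step 4: response decision recorded alongside the evidence.
    if record.findings:
        record.verdict = "evidence found; escalate to incident response"
    return record


def document(record: HuntRecord) -> str:
    """Serialise the record so the next hunter can build on it."""
    return json.dumps(asdict(record), indent=2)


if __name__ == "__main__":
    print(document(run_hunt(SAMPLE_LOG)))
```

Running it flags two of the four constructed events (an encoded, hidden PowerShell task and an "updater" running from a user's AppData folder) and leaves the vendor task and the service-account backup alone; the printed record is the hunt's documentation. The heuristics are deliberately coarse: a finding here is a lead to examine, and the task creators tally is what a hunter reads next to decide whether the creating account should have been scheduling anything at all.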
Strong hypotheses are specific and testable:
Weak: "Attackers might be in our network"
Strong: "External attackers may have gained access through the recently disclosed VPN vulnerability CVE-XXXX-YYYY and established persistence"
Sources for hypotheses:
Hunting requires analyst time and technology access. Prioritize hunts based on threat relevance, data availability, and potential impact.
Schedule hunting time explicitly. Without dedicated allocation, urgent reactive work consumes all available hours. Even a few hours weekly yields results over time.
What is threat hunting?
What is a proactive security search called?
What data sources support hunting?
What term describes long-term persistent C2?