Threat hunting is a popular buzzword in cybersecurity at the moment, but what does it mean? How do you know if you should be doing it, and where do you start?

To threat hunt means to proactively search for malware or attackers that are lurking in your network — and may have been there for some time. They could be quietly siphoning off data, patiently listening in for confidential information, or working their way through the network looking for credentials powerful enough to steal key information.

When Traditional Protections Fail, Threat Hunting Sniffs Out APTs

Basic security hygiene and properly implemented antivirus, firewalls and other automated security tools should stop the majority of threats from getting in. But once an attacker has sneaked into your network undetected, there’s often not much to stop them from staying there.

On average, cybercriminals spend 191 days inside a network before being discovered, and that’s more than enough time to cause some damage. In contrast to a forensic investigation, which is designed to work out what went wrong after an attack, threat hunting aims to track down these waiting attackers and stop them in their tracks before they have the chance to cause real damage.


Although your automated security tools and tier 1 and 2 security operations center (SOC) analysts should be able to deal with roughly 80 percent of threats, you still need to worry about the remaining 20 percent, which is more likely to include advanced persistent threats (APTs) that can cause significant damage.

Threats that are unsophisticated, automated or untargeted should be easy to detect or block, but those that carefully evade the tools designed to stop them typically come from advanced persistent attackers — groups or individuals who directly target your organization and network. Compared to a basic hacking attempt, an APT demands significantly more effort and attention from the SOC and response team.

What Do You Need to Start Threat Hunting?

Before you start, it’s important to ensure that your organization is actually ready to threat hunt. You should have a fairly mature security setup capable of ingesting multiple sources of information and storing them in a way that lets you query them. A basic setup should include automated blocking and monitoring tools such as firewalls, antivirus, endpoint management, network packet capture, and security information and event management (SIEM). You will also need access to threat intelligence resources so you can look up IP addresses, malware hashes, indicators of compromise (IoCs) and more.

Finally, you will need a tool that allows you to bring together your disparate data sets and slice and dice them in a way that reveals insights with the least possible effort. Threat hunting can involve a massive amount of information, so while it is a human-led effort, you’ll certainly need some computer assistance to make the task more manageable.

Once you have all the tools in place and working together, you will also need a team with enough people to manage the technology and data. Threat hunting is never going to be the first priority. To start, it may not even be a full-time role — just a few hours a week of one person’s time.

There is no set threat hunting process that will apply to every company, so your team must have expertise in your organization’s network. Without being familiar with your systems and knowing how everything is supposed to look, it will be impossible to determine how to best hunt for threats.

How Do You Know What to Look For?

Before starting a threat hunt, you need to set some prioritized intelligence requirements (PIRs) — the questions that will drive your threat hunting efforts and whose answers will drive decision-making within the organization. Ask yourself, for example: “Is data being exfiltrated from my organization?”

Your PIRs will depend on what matters the most to your organization and should be agreed upon in advance by C-level executives and stakeholders. They will also change over time. Once you have set your PIRs, you should decide which IoCs to look for based on an informed hypothesis. For example, certain changes in traffic flows could indicate data exfiltration.
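As an added example (not code from the original article), the following Python script walks the chain just described from PIR to hypothesis to a concrete check: the PIR is “Is data being exfiltrated?”, the hypothesis is that a host which suddenly sends far more data to external addresses than it historically does is worth a closer look, and the IoC is that host’s daily outbound volume compared with its own baseline. The flow-record format, the internal address range, the thresholds and the sample records are all constructed assumptions; a real hunt would read the same fields from NetFlow, firewall or SIEM exports.

```python
"""Hypothesis-driven hunt over flow records (added example, assumptions throughout).

PIR:        "Is data being exfiltrated from my organization?"
Hypothesis: a host that starts sending far more data to external addresses
            than it usually does may be exfiltrating.
Check:      per-host daily bytes sent to non-internal destinations, compared
            with the median of that host's earlier days.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: the organisation's internal address space. A hunter must know
# this; the page stresses familiarity with your own network for that reason.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flow export, one record per line: day,src_ip,dst_ip,bytes_sent.
# 10.0.0.5 is steady; 10.0.0.9 jumps on the last day (and also moves a large
# internal backup, which must not count); 10.0.0.7 has no history at all.
SAMPLE_FLOWS = """\
2024-03-01,10.0.0.5,203.0.113.10,110000
2024-03-02,10.0.0.5,203.0.113.10,95000
2024-03-03,10.0.0.5,203.0.113.10,120000
2024-03-04,10.0.0.5,203.0.113.10,100000
2024-03-05,10.0.0.5,203.0.113.10,105000
2024-03-01,10.0.0.9,198.51.100.7,40000
2024-03-02,10.0.0.9,198.51.100.7,55000
2024-03-03,10.0.0.9,198.51.100.7,50000
2024-03-04,10.0.0.9,198.51.100.7,45000
2024-03-05,10.0.0.9,198.51.100.7,2500000
2024-03-05,10.0.0.9,10.0.0.2,9000000
2024-03-05,10.0.0.7,203.0.113.10,30000
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse the constructed CSV format into (day, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, nbytes = line.split(",")
        flows.append((day, src, dst, int(nbytes)))
    return flows


def daily_outbound(flows):
    """Return {src_host: {day: bytes}} counting only internal -> external traffic."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
    return totals


def hunt_exfil(flows, factor: float = 5.0, min_history: int = 3):
    """Compare each host's outbound volume on the most recent day against the
    median of its earlier days. Hosts above `factor` x baseline are reported as
    suspicious; hosts with fewer than `min_history` earlier days are reported
    as 'insufficient_baseline' so the hunter knows the check could not run."""
    totals = daily_outbound(flows)
    ref_day = max(day for day, _, _, _ in flows)
    findings = []
    for host, per_day in totals.items():
        if ref_day not in per_day:
            continue  # no outbound traffic on the day being hunted
        history = [b for day, b in per_day.items() if day != ref_day]
        latest = per_day[ref_day]
        if len(history) < min_history:
            findings.append({"host": host, "day": ref_day, "bytes": latest,
                             "baseline": None, "status": "insufficient_baseline"})
            continue
        baseline = median(history)
        if latest > factor * baseline:
            findings.append({"host": host, "day": ref_day, "bytes": latest,
                             "baseline": baseline, "status": "suspicious"})
    return findings


if __name__ == "__main__":
    for finding in hunt_exfil(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

The output is a lead list, not a verdict: a flagged host still has to be explained by the hunter (a legitimate cloud backup, a new SaaS integration, or genuine exfiltration), and hosts reported with an insufficient baseline are a reminder that the hypothesis cannot be tested without enough history, which is why the PIR should be agreed before the data collection it depends on is switched on.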

Threat hunting is an advanced and complex task, but with the right people, technology and questions, it can make a massive difference to your organization’s security and prevent major problems before they occur.

