Threat hunting is a popular buzzword in cybersecurity at the moment, but what does it mean? How do you know if you should be doing it, and where do you start?

To threat hunt means to proactively search for malware or attackers that are lurking in your network — and may have been there for some time. They could be quietly siphoning off data, patiently listening in for confidential information, or working their way through the network looking for credentials powerful enough to steal key information.

When Traditional Protections Fail, Threat Hunting Sniffs Out APTs

Basic security hygiene and properly implemented antivirus, firewalls and other automated security tools should stop the majority of threats from getting in. But once an attacker has sneaked into your network undetected, there’s often not much to stop them from staying there.

On average, cybercriminals spend 191 days inside a network before being discovered, and that’s more than enough time to cause some damage. In contrast to a forensic investigation, which is designed to work out what went wrong after an attack, threat hunting aims to track down these waiting attackers and stop them in their tracks before they have the chance to cause real damage.


Although your automated security tools and tier 1 and 2 security operations center (SOC) analysts should be able to deal with roughly 80 percent of threats, you still need to worry about the remaining 20 percent, which is more likely to include advanced persistent threats (APTs) that can cause significant damage.

Threats that are unsophisticated, automated or untargeted should be easy to detect or block, but those that carefully evade the tools designed to stop them typically come from advanced persistent attackers — groups or individuals who directly target your organization and network. Compared to a basic hacking attempt, an APT demands significantly more effort and attention from the SOC and response team.

What Do You Need to Start Threat Hunting?

Before you start, it’s important to ensure that your organization is actually ready to threat hunt. You should have a fairly mature security setup capable of ingesting multiple sources of information and storing them in a way that lets you query them. A basic setup should include automated blocking and monitoring tools such as firewalls, antivirus, endpoint management, network packet capture, and security information and event management (SIEM). You will also need access to threat intelligence resources so you can look up IP addresses, malware hashes, indicators of compromise (IoCs) and more.

Finally, you will need a tool that allows you to bring together your disparate data sets and slice and dice them in a way that reveals insights with the least possible effort. Threat hunting can involve a massive amount of information, so while it is a human-led effort, you’ll certainly need some computer assistance to make the task more manageable.

Once you have all the tools in place and working together, you will also need a team with enough people to manage the technology and data. Threat hunting is never going to be the first priority. To start, it may not even be a full-time role — just a few hours a week of one person’s time.

There is no set threat hunting process that will apply to every company, so your team must have expertise in your organization’s network. Without being familiar with your systems and knowing how everything is supposed to look, it will be impossible to determine how to best hunt for threats.

How Do You Know What to Look For?

Before starting a threat hunt, you need to set some prioritized intelligence requirements (PIRs) — the questions that will drive your threat hunting efforts and the answers that will drive decision-making within the organization. Ask yourself, for example: is data being exfiltrated from my organization?

Your PIRs will depend on what matters the most to your organization and should be agreed upon in advance by C-level executives and stakeholders. They will also change over time. Once you have set your PIRs, you should decide which IoCs to look for based on an informed hypothesis. For example, certain changes in traffic flows could indicate data exfiltration.
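The exfiltration hypothesis above can be turned into a concrete hunt query. The following is an added example, not code from the original article: it reads constructed NetFlow-style records (hypothetical internal hosts in 10.0.0.0/24 and hypothetical destinations), builds each host's own outbound-volume baseline from earlier days, and flags a host whose volume on the hunt day departs sharply from that baseline. The z-score threshold, the minimum-bytes floor and the three-day baseline requirement are assumptions chosen for illustration, not published standards.

```python
"""Hypothesis-driven hunt: flag internal hosts whose daily outbound volume
departs from their own baseline, a simple indicator for the PIR
"is data being exfiltrated?".

Added example; not from the original article. Flow records, hosts and
thresholds below are constructed assumptions for illustration."""

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: timestamp, src, dst, dst_port, bytes_out.
# 10.0.0.5 sends ~125 KB nightly, then 9.5 MB to a new destination on 05-05.
FLOW_LOG = """\
2023-05-01T02:10:00 10.0.0.5 203.0.113.10 443 120000
2023-05-02T02:12:00 10.0.0.5 203.0.113.10 443 130000
2023-05-03T02:11:00 10.0.0.5 203.0.113.10 443 125000
2023-05-04T02:13:00 10.0.0.5 203.0.113.10 443 128000
2023-05-05T02:09:00 10.0.0.5 198.51.100.7 443 9500000
2023-05-01T09:00:00 10.0.0.9 203.0.113.20 443 40000
2023-05-02T09:05:00 10.0.0.9 203.0.113.20 443 42000
2023-05-03T09:02:00 10.0.0.9 203.0.113.20 443 41000
2023-05-04T09:04:00 10.0.0.9 203.0.113.20 443 43000
2023-05-05T09:01:00 10.0.0.9 203.0.113.20 443 41500
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "day": datetime.fromisoformat(ts).date(),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def daily_outbound(records, internal_prefix="10.0.0."):
    """Sum outbound bytes per (source host, day) for internal sources only."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["src"].startswith(internal_prefix):
            totals[r["src"]][r["day"]] += r["bytes"]
    return totals


def hunt_exfil(totals, hunt_day, z_threshold=3.0, min_bytes=1_000_000):
    """Return hosts whose volume on hunt_day is anomalous against their own
    earlier days. A host needs at least 3 baseline days to be assessed."""
    findings = []
    for host, by_day in sorted(totals.items()):
        baseline = [b for d, b in by_day.items() if d < hunt_day]
        today = by_day.get(hunt_day)
        if today is None or len(baseline) < 3:
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        # A perfectly flat baseline (sigma == 0) must not divide by zero:
        # any increase over it is treated as maximally anomalous.
        if sigma > 0:
            z = (today - mu) / sigma
        else:
            z = float("inf") if today > mu else 0.0
        # The absolute floor keeps tiny-but-spiky hosts out of the queue.
        if z >= z_threshold and today >= min_bytes:
            findings.append({"host": host, "bytes": today,
                             "baseline_mean": mu, "z": round(z, 1)})
    return findings


def run_hunt(flow_text, hunt_day_iso):
    """Convenience wrapper: parse, aggregate, and hunt for one ISO date."""
    totals = daily_outbound(parse_flows(flow_text))
    return hunt_exfil(totals, datetime.fromisoformat(hunt_day_iso).date())


if __name__ == "__main__":
    for f in run_hunt(FLOW_LOG, "2023-05-05"):
        print(f"{f['host']}: {f['bytes']} bytes out "
              f"(baseline mean {f['baseline_mean']:.0f}, z={f['z']})")
```

A finding here is a lead for an analyst, not a verdict: the next step is to pivot on the destination (198.51.100.7 in the constructed data) through your threat intelligence sources and the endpoint telemetry for that host, which is exactly the cross-referencing of data sets the article describes.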

Threat hunting is an advanced and complex task, but with the right people, technology and questions, it can make a massive difference to your organization’s security and prevent major problems before they occur.
