May 17, 2019 By Michael Kehoe 4 min read

I always find it funny when I come across a news story about cybercrime that uses an image of a young person alone in a dark room, cloaked in a black hoodie, tapping away feverishly on a personal computer. It seems the image of a young Matthew Broderick as a lone hacker in the 1983 film “WarGames” is what comes to mind when most people think of cyber aggressors or threat actors. This could not be further from the truth.

Today’s threat actors are highly intelligent, well-organized, motivated and focused on their intended targets, which include you, your organization and anyone else in their sights. No matter who they are, where they live or how they dress, these malicious actors could be lurking on your network or threatening to break through. The purpose of threat hunting is to thwart this nefarious behavior before it causes any damage to the enterprise.

Today’s threat actors use sophisticated attack methods to achieve their illegal goals. These attacks can originate from many threat surfaces at once, including malicious insiders, fraud, asset misappropriation and other cyber risks. From the outside looking in, organizations often have vulnerabilities at multiple levels — in their networks, their people and within publicly available information. Information available on the open web, such as annual reports, operational assurances and staff contact details exposed via email and social media, can be a treasure trove for threat actors looking for a way to breach a company. This data gives threat actors additional collateral to study their targets before they launch their attack.

Unfortunately, commercial organizations do not know by whom, when, where or how a well-planned attack will strike. Even our best rule-based defenses and solutions have limitations. The embedded rules we typically use to monitor and detect attack vectors often struggle to anticipate how those vectors will evolve. To mitigate threats both proactively and reactively, organizations must take a more adaptive approach and move faster than the threat evolves. Simply put, when a threat vector starts to emerge that subverts existing rules, it’s time to go threat hunting.

What Is Threat Hunting — and Where Do You Start?

Threat hunting is becoming a buzzword in the cyber realm, but it really applies to the whole threat landscape that organizations face. That’s why it’s crucial to adopt a holistic strategy for looking at finances, personnel, insider threats and any other vector an adversary could use to attack the business or its employees. To do this, threat hunters take a human-led intelligence approach to combat human-driven attacks. Threat hunting quickly surfaces obscured patterns by connecting related events and actions, which exposes well-constructed attack vectors. To hunt effectively, organizations should take the appropriate steps to set up a proper threat hunting program.

Before you start threat hunting, it’s important to take the proper steps to carefully plan your program. To start, according to a 2019 SANS Institute report sponsored by IBM, consider the two main objectives of threat hunting:

  1. To proactively search for threats so as to limit attacker impact; and
  2. To gain a better understanding of the environment.

These objectives apply to any threat hunting program, whether you are trying to track down a cyberthreat, financial criminal or any physical threat to your enterprise. Let’s take a deeper dive into some more best practices to help get your threat hunting program off the ground.

How to Hunt Threats With Intention

Hunting with intention means canvassing the landscapes in which you plan to hunt and looking at past, present and potential future threats within each landscape. This enables the threat hunting team to identify previously unknown attacks and mitigate threats to the environment. By first reactively addressing threats that are already present, the team can then adopt a more proactive approach based on the indications it discovers.

As noted in the SANS report, “It is very possible that an attacker may have a foothold in an environment but is not tripping any expected alarms the security team is used to responding to. Or worse, the attacker exists in an area where there is no visibility, and thus has inadvertently evaded detection simply by being in the right place at the right time.”

When Threat Hunting, You’re Not Alone

It’s no secret: Analysts love to go down rabbit holes and chase threats until they hit a dead end. This is true of cyber analysts, anti-money laundering specialists and counterterrorism officers alike. What these analysts often forget is that there are other resources they can use to make the hunt easier and more successful. For instance, if analysts are wading through internal data sets all day and don’t enrich their internal sources with external intelligence, they could be missing key context that can help shape the threat hunt. Threat hunting is very much a team sport, where internal and external sources all play nicely together.

The SANS piece also recommends investing in solutions that can aid in threat hunting endeavors, such as link analysis tools to enrich the data and identify correlations between internal and external hosts and network data points. Since it’s critical to continuously enhance your defenses with real-time intelligence, start by looking at the most trusted intelligence analysis tools that assist in human-led investigations into cyberthreats.
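The two ideas above, enriching internal data with external intelligence and then using link analysis to correlate internal hosts with external hosts, are easier to see in code. The following is an added illustration, not code from the article or from the SANS report: it joins a few constructed proxy log lines against a constructed indicator feed (the reactive step), then pivots through the internal-host/external-host links to surface destinations that only the already-implicated hosts talk to (the proactive step the "hunt with intention" section describes). Every hostname, log line and the `max_fleet_reach` threshold are constructed for the example.

```python
"""Enrich internal proxy logs with an external indicator feed, then pivot
through host links to widen the hunt.  All data here is constructed."""
from collections import defaultdict

# Constructed internal proxy log: timestamp, internal host, external destination.
PROXY_LOG = """\
2019-05-01T08:02:11Z ws-finance-01 updates.example-vendor.test
2019-05-01T08:05:40Z ws-finance-01 cdn.example-static.test
2019-05-01T08:07:03Z ws-finance-01 login-portal.bad-actor.test
2019-05-01T09:12:55Z ws-hr-07 cdn.example-static.test
2019-05-01T09:14:20Z ws-hr-07 login-portal.bad-actor.test
2019-05-01T09:15:01Z ws-hr-07 files-sync.unknown-host.test
2019-05-01T10:30:19Z ws-eng-22 updates.example-vendor.test
2019-05-01T10:31:44Z ws-eng-22 cdn.example-static.test
2019-05-01T11:02:08Z ws-finance-01 files-sync.unknown-host.test
"""

# Constructed external intelligence feed: indicator -> analyst context.
INTEL_FEED = {
    "login-portal.bad-actor.test": "credential-phishing kit (constructed)",
}


def parse_proxy_log(text):
    """Return a list of (timestamp, internal_host, external_host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        events.append((ts, host, dest))
    return events


def enrich(events, feed):
    """Reactive step: tag every event whose destination is a known indicator."""
    return [(ts, host, dest, feed[dest]) for ts, host, dest in events if dest in feed]


def build_links(events):
    """Link analysis: bipartite maps internal host <-> external host."""
    by_internal = defaultdict(set)
    by_external = defaultdict(set)
    for _, host, dest in events:
        by_internal[host].add(dest)
        by_external[dest].add(host)
    return by_internal, by_external


def pivot(events, feed, max_fleet_reach=2):
    """Proactive step: starting from hosts that touched a known indicator,
    collect the other destinations they reached and keep those that are
    (a) reached by few hosts fleet-wide and (b) reached only by implicated
    hosts.  Returns {candidate external host: set of implicated internal hosts}.
    Candidates are leads for the hunter to review, not verdicts."""
    by_internal, by_external = build_links(events)
    implicated = {host for _, host, dest in events if dest in feed}
    candidates = {}
    for host in implicated:
        for dest in by_internal[host]:
            if dest in feed:
                continue  # already a confirmed hit, not a pivot
            reach = by_external[dest]
            if len(reach) <= max_fleet_reach and reach.issubset(implicated):
                candidates[dest] = set(reach)
    return candidates


if __name__ == "__main__":
    evts = parse_proxy_log(PROXY_LOG)
    for ts, host, dest, ctx in enrich(evts, INTEL_FEED):
        print(f"HIT  {ts} {host} -> {dest} [{ctx}]")
    for dest, hosts in pivot(evts, INTEL_FEED).items():
        print(f"LEAD {dest} shared only by implicated hosts {sorted(hosts)}")
```

In the constructed data the feed flags only `login-portal.bad-actor.test`, reached by `ws-finance-01` and `ws-hr-07`. The pivot then notices that `files-sync.unknown-host.test` is contacted by exactly those two hosts and nobody else, while the widely used CDN and vendor-update hosts are discarded because uninvolved hosts also reach them. That unknown host is not in any feed, which is precisely the kind of "no expected alarm" finding the SANS quotation describes; the hunter still has to investigate it, since a shared but benign destination would look the same.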

Respond Reactively, Then Develop a Proactive Strategy

As you start to think through standing up a threat hunting program to find and remediate cyberthreats, financial crime, physical attacks and any other risks to your organization, be sure to hunt with intention, and remember you are never alone. By keeping these two principles in mind, your team can develop the ability to respond reactively to existing threats and proactively mitigate similar threats before they even appear.

Get the SANS report, “Thinking like a Hunter: Implementing a Threat Hunting Program”
