I always find it funny when I come across a news story about cybercrime that uses an image of a young person alone in a dark room, cloaked in a black hoodie, tapping away feverishly on a personal computer. It seems the image of a young Matthew Broderick as a lone hacker in the 1983 film “WarGames” is what comes to mind when most people think of cyber aggressors or threat actors. This could not be further from the truth.

Today’s threat actors are highly intelligent, well-organized, motivated and focused on their intended targets — which includes you, your organization and anyone else in their sights. No matter who they are, where they live or how they dress, these malicious actors could be lurking on your network or threatening to break through. The purpose of threat hunting is to thwart this nefarious behavior before it causes any damage to the enterprise.

Today’s threat actors use sophisticated attack methods to achieve their illegal goals. These attacks can come from multiple threat surfaces, such as malicious insiders, fraud, asset misappropriation and other cyber risks. From the outside looking in, organizations often have vulnerabilities at multiple levels — in their networks, their people and within publicly available information. Information that is available on the open web, such as annual reports, operational assurances, and access to staff via email and social media, can be a treasure trove for threat actors looking for a way to breach a company. This data gives threat actors additional collateral to study their targets even before they launch their attack.

Unfortunately, commercial organizations do not know by whom, when, where or how a well-planned attack will strike. Even with our best rule-based defenses and solutions, we have limitations. Embedded rules that we typically use to monitor and detect attack vectors often struggle to anticipate how vectors will evolve in the future. To mitigate threats both proactively and reactively, organizations must take a more adaptive approach and move faster than the speed of threat. Simply put, when a threat vector starts to emerge that subverts existing rules, it’s time to go threat hunting.

What Is Threat Hunting — and Where Do You Start?

Threat hunting is becoming a buzzword in the cyber realm, but it really applies to the whole threat landscape that organizations face. That’s why it’s crucial to adopt a holistic strategy for looking at finances, personnel, insider threats and any other vector an adversary could use to attack the business or employees. To do this, threat hunters take a human-led intelligence approach to combat human-based attacks. Threat hunting can quickly discover obscured patterns by connecting events and actions together, which leads to the discovery of well-constructed attack vectors. In order to effectively hunt, organizations should take the appropriate steps to set up an effective threat hunting program.

Before you start threat hunting, it’s important to take the proper steps to carefully plan your program. To start, according to a 2019 SANS Institute report sponsored by IBM, consider the two main objectives of threat hunting:

  1. To proactively search for threats so as to limit attacker impact; and
  2. To gain a better understanding of the environment.

These objectives apply to any threat hunting program, whether you are trying to track down a cyberthreat, financial criminal or any physical threat to your enterprise. Let’s take a deeper dive into some more best practices to help get your threat hunting program off the ground.

How to Hunt Threats With Intention

Hunting with intention means canvassing the landscapes in which you plan to hunt and looking at past, present and potential future threats within each landscape. This enables the threat hunting team to identify previously unknown attacks and mitigate threats to the environment. By reactively addressing threats that are already present, the team can then adopt a more proactive approach based on the indications it discovers.

As noted in the SANS report, “It is very possible that an attacker may have a foothold in an environment but is not tripping any expected alarms the security team is used to responding to. Or worse, the attacker exists in an area where there is no visibility, and thus has inadvertently evaded detection simply by being in the right place at the right time.”

When Threat Hunting, You’re Not Alone

It’s no secret: Analysts love to go down rabbit holes and chase threats until they hit a dead end. This is true when it comes to cyber analysts, anti-money laundering specialists and counterterrorism officers. What these analysts often forget is that there are other resources they can use to make the hunt easier and more successful. For instance, if analysts are wading in internal data sets all day and don’t enrich their internal sources with external intelligence, they could be missing key context that can help shape the threat hunt. Threat hunting is very much a team sport, where internal and external sources all play nicely together.

The SANS piece also recommends investing in solutions that can aid in threat hunting endeavors, such as link analysis tools to enrich the data and identify correlations between internal and external hosts and network data points. Since it’s critical to continuously enhance your defenses with real-time intelligence, start by looking at the most trusted intelligence analysis tools that assist in human-led investigations into cyberthreats.
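As an added illustration (not code from the article or the SANS report) of enriching internal data with external intelligence and linking the results back to internal hosts, the Python sketch below takes constructed proxy log lines and a constructed intelligence feed, keeps only the events whose destination the feed knows, and groups them into per-host hunt leads ranked by activity. The log format, field names and indicators are assumptions; the IP addresses are documentation ranges, not real infrastructure.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic):
# timestamp, internal host, destination, method, path
PROXY_LOGS = """\
2023-04-01T08:02:11Z ws-0142 203.0.113.45 GET /update.bin
2023-04-01T08:05:40Z ws-0142 example.org GET /
2023-04-01T09:17:03Z srv-db01 198.51.100.7 POST /api
2023-04-01T11:41:58Z ws-0142 203.0.113.45 GET /beacon
2023-04-01T12:00:00Z ws-0077 example.net GET /index.html
"""

# Constructed external intelligence feed (placeholder indicators and labels)
INTEL_FEED = {
    "203.0.113.45": "commodity loader C2 (constructed label)",
    "198.51.100.7": "known scanning infrastructure (constructed label)",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Parse one proxy event per line into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, dest, method, path = m.groups()
            events.append({"ts": ts, "host": host, "dest": dest, "method": method, "path": path})
    return events

def enrich(events, feed):
    """Attach external context to every event whose destination appears in the feed."""
    return [dict(e, context=feed[e["dest"]]) for e in events if e["dest"] in feed]

def link_hosts(enriched):
    """Group enriched events by internal host: one hunt lead per host with hit count,
    distinct flagged destinations and first/last seen (ISO timestamps sort lexically)."""
    leads = defaultdict(lambda: {"hits": 0, "dests": set(), "first": None, "last": None})
    for e in sorted(enriched, key=lambda e: e["ts"]):
        lead = leads[e["host"]]
        lead["hits"] += 1
        lead["dests"].add(e["dest"])
        lead["first"] = lead["first"] or e["ts"]
        lead["last"] = e["ts"]
    return dict(leads)

def rank_leads(leads):
    """Order hunt leads so the busiest internal host is reviewed first."""
    return sorted(leads.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
```

A real hunt would run the same join over weeks of logs and several feeds; the point is that the hosts surfaced here never tripped a rule, only an enrichment.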

Respond Reactively, Then Develop a Proactive Strategy

As you start to think through standing up a threat hunting program to find and remediate cyberthreats, financial crime, physical attacks and any other risks to your organization, be sure to hunt with intention, and remember you are never alone. By keeping these two principles in mind, your team can develop the ability to respond reactively to existing threats and proactively mitigate similar threats before they even appear.

Get the SANS report, “Thinking like a Hunter: Implementing a Threat Hunting Program”
