Hansel and Gretel have wised up quite a bit since their harrowing childhood experience with the Evil Witch. Their narrow escape garnered them a lot of attention, so it was no surprise that they went on to become expert threat hunters as security analysts for the forest.

Back in the day, Hansel and Gretel used breadcrumbs as a simple way to (hopefully) find their way back home. It was a defense that didn’t end well for them. Now Hansel and Gretel spend their days following a different kind of breadcrumb trail: a trail of suspicious behaviors. But why would they put themselves in danger again?

That’s because these breadcrumb trails can lead them to advanced persistent threats (APTs). It’s actually an offensive strategy to help identify well-organized, well-resourced malicious actors — the kind that break through without tripping any alarms. The siblings fell for one of those threats before when they foolishly stepped into the candy-filled home of the Evil Witch, but they won’t let her get hold of a helpless kid ever again.

The Role of Threat Hunters in the Forest

So how will they do it? You see, threat hunters are very deliberate. They know which breadcrumbs lead to serious threats and which don’t. But to start, Hansel and Gretel must first figure out the answers to three questions:

  1. What is their most valuable possession to protect? In the forest, it’s children.
  2. Who would be after this valuable possession? Why, an Evil Witch, of course!
  3. What tactics, techniques and procedures (TTPs) would this person use to breach the network? The sweet smells of candy and cake, for one.

Now Hansel and Gretel can set a baseline for what is normal. How many kids are in the forest on any given day? Does the forest usually smell like delicious baked goods? Has the Evil Witch purchased bulk candy lately? What is considered too close to the Evil Witch’s property?

When any of these data points break out of the norm, Hansel and Gretel know they must act before it’s too late. Thanks to threat hunting, they can close the gap from the time of compromise to the time of detection. No more kids will go missing on their watch!

Follow the Breadcrumb Trail to Security

With IBM i2 Enterprise Insight Analysis and QRadar SIEM, Hansel and Gretel follow a breadcrumb trail that will prevent the evil witch from ever capturing another child.

You can also follow breadcrumbs that lead to your end goals before it’s too late. IBM i2 can help you stop malicious actors in their tracks — whether they’re cunning witches or crafty cybercriminals — in record time.

Finding breadcrumbs in a crowded forest may seem impossible, but narrowing your focus on those clues can help you pinpoint the biggest threats facing your organization. Threat hunting is the ideal, proactive way to identify risks and mitigate them before they become breaches.

Listen to the podcast: The Art of Cyber Threat Hunting

More from Threat Hunting

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today