You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a. “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment.

Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components of a program? How do you measure its success?

Despite the increasing demand for threat hunting, a prescriptive framework, which isn’t tied to a vendor, is hard to come by. Security leaders often ask our X-Force team, “Can you teach us how to do threat hunting? Are there any resources that can walk us through this?”

After hearing those questions repeatedly, Grifter, X-Force Head of Research John Dwyer and X-Force Global OT Incident Response Lead Sameer Koranne did some exploring. They searched publicly available sources for a central place that covers the operational pieces of threat hunting, including what an internal team looks for, processes that ensure a program’s success, and an overall definition of threat hunting and potential outcomes. They looked for technical and non-technical documentation and couldn’t find anything. Even the definition of threat hunting had a thousand different explanations. If an organization can’t define what threat hunting means, how will it know if its team is being successful? How will the team carry out the right vision of what threat hunting should entail? Companies must set their definition of threat hunting, its goals, why it’s important for them, and how they can direct their threat hunters to carry out their vision before they build a program.

To fill the framework gap, the X-Force team built their own. They will present it at the 2022 Black Hat conference. I asked them to provide a high-level summary of the talk. Below is the information they shared.

Building a Hypothesis

Despite the thousands of definitions, one component of threat hunting doesn’t change — the non-technical pieces are just as important as the technical ones. Threat hunting exercises are part of a business unit, and like anything else require defined processes for technical and business-focused stakeholders alike. It’s hard to justify a threat hunting investment without knowing the goal and actions to take to ensure success. Companies should know the stakeholders involved, their roles and how those roles are impacted by the engagement. Creating one mission statement for the program can help establish a consistent process.

Some companies build a threat hunting program that’s predominantly based on alerts. Threat hunting entails much more than alerts. It’s proactive, testable, and based on a hypothesis. For example, if you say, “I know malware ‘x’ exists,” you can then generate a hypothesis that states, “If malware ‘x’ was executed on my system, then I should be able to collect evidence ‘y’ and ‘z’ to prove that the malware is there.” In other words, if there is malware “x” it will look like “y” and “z.”

Threat hunters can then use that hypothesis when looking for the malware: they look for the ‘y’ and ‘z’ evidence to detect it. No alert exists for the malware yet, so finding it is the threat hunter’s job. In their framework, John, Sameer and Grifter explain the components of effective and ineffective hypotheses.

Top Questions to Ask About Threat Hunting

When creating a threat hunting program, it’s important to ask the right questions. The top ones include:

  • What is threat hunting to us? Again, it’s critical companies pick a definition that resonates with them. The definition will help set the vision for what they hope to achieve.
  • How do we know what to hunt for? Defining the hypothesis can help answer this question because it defines the threat and its traits.
  • How do we threat hunt? Establishing a repeatable process that takes you from the threat to the goal is critical. In their framework, the X-Force team defines a standard process that companies can use and customize based on their objectives.
  • How do we measure success? Understanding your KPIs for threat hunting is also key. You can map out those metrics using the framework or base them on the goals for your company — security and business alike. For example, a good metric may be, “number of vulnerabilities we remediated that could or did enable malware ‘x’ to infect our environment.” The metric ties directly to the objective of finding and preventing malware ‘x.’ An example of an ineffective metric may be “number of threats we find.” That metric doesn’t set you up for success.

You could also gather metrics based on a specific threat. For example, the ransomware Conti was popular in 2021. If you aim to discover if Conti has infected your environment, you may want to know the number of hunts your team executed in the last month that map to an observed behavior of Conti.

The Frequency of Threat Hunting

So how often should companies hunt for threats? X-Force recommends that the cadence match the retention of the data relevant to the hunt. If you want to hunt for a specific threat, the hunt needs to be tied to a data source, such as an event log. You need to understand how long that data is available to you and set the hunt frequency from that number. If you have data for 30 days, for example, you would execute the threat hunt on a 30-day cycle, so no event ages out before it has been tested.
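The two ideas above, a hypothesis phrased as “if malware ‘x’ ran, evidence ‘y’ and ‘z’ should exist” and a hunt cadence tied to data retention, can be made concrete in code. The following is an added example, not part of the X-Force framework or this post; the malware traits, the placeholder C2 domain and the three telemetry events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Constructed sample telemetry (not real data): process and DNS events from two hosts.
EVENTS: List[dict] = [
    {"ts": "2022-07-01T09:12:00", "host": "ws-17", "type": "process",
     "image": "C:\\Users\\a\\AppData\\Local\\Temp\\svch0st.exe"},
    {"ts": "2022-07-03T11:40:00", "host": "ws-17", "type": "dns",
     "query": "update-cdn.example.invalid"},
    {"ts": "2022-07-10T08:00:00", "host": "srv-02", "type": "process",
     "image": "C:\\Windows\\System32\\svchost.exe"},
]

@dataclass
class Hypothesis:
    """'If malware x ran on a host, evidence y and z should exist', written as data."""
    name: str
    evidence: Dict[str, Callable[[dict], bool]]  # evidence label -> predicate over one event
    retention_days: int  # how long the backing data source keeps events

# Hypothetical malware 'x' (constructed): executes from a user temp dir (y) and resolves its C2 name (z).
MALWARE_X = Hypothesis(
    name="malware x",
    evidence={
        "y: binary executed from user temp dir":
            lambda e: e["type"] == "process" and "\\AppData\\Local\\Temp\\" in e["image"],
        "z: DNS query for the placeholder C2 domain":
            lambda e: e["type"] == "dns" and e["query"] == "update-cdn.example.invalid",
    },
    retention_days=30,
)

def evaluate(h: Hypothesis, events: List[dict], now_iso: str) -> dict:
    """Test the hypothesis against the events still inside the data source's retention window."""
    window_start = datetime.fromisoformat(now_iso) - timedelta(days=h.retention_days)
    in_window = [e for e in events if datetime.fromisoformat(e["ts"]) >= window_start]
    if not in_window:  # nothing to test against: the hunt cannot yield a verdict either way
        return {"verdict": "insufficient data", "hits": {}, "hosts": []}
    # hosts on which each expected piece of evidence was observed
    hits = {label: sorted({e["host"] for e in in_window if pred(e)})
            for label, pred in h.evidence.items()}
    # the hypothesis is supported only where every expected artifact appears on the same host
    hosts = sorted(set.intersection(*(set(v) for v in hits.values()))) if hits else []
    return {"verdict": "supported" if hosts else "not supported", "hits": hits, "hosts": hosts}

def next_hunt(last_hunt_iso: str, h: Hypothesis) -> str:
    """Hunt cadence equals retention, so every event is tested once before it ages out."""
    return (datetime.fromisoformat(last_hunt_iso) + timedelta(days=h.retention_days)).date().isoformat()
```

Note that the per-label `hits` are kept even when the verdict is “not supported”: a host showing ‘y’ but not ‘z’ is exactly the partial evidence a hunter would want to record and follow up on.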

What to Expect at Black Hat 2022

If you are interested in learning more about the threat hunting framework, join the X-Force talk at Black Hat 2022.

The X-Force team is also presenting two more talks at Black Hat 2022. X-Force Red hacker Brett Hawkins will talk about how attackers can abuse Source Code Management (SCM) systems. The presentation will provide an overview of SCM systems, and detail ways to abuse some of the most popular ones such as GitHub Enterprise, GitLab Enterprise and Bitbucket to perform various attack scenarios.

X-Force Red hacker Dimitry Snezhkov is presenting a Black Hat talk and an Arsenal tool demonstration about payloads, ELF binaries and ELF section docking, and will unveil a proof-of-concept loader and injector tool for evading malware detection mechanisms.

Also, meet our X-Force hackers, responders, researchers and analysts at the IBM Security booth #BHNL B.

To learn more about X-Force visit: www.ibm.com/security/xforce
