What is threat hunting in cybersecurity?

Threat hunting is a proactive cybersecurity approach focused on discovering, identifying, and neutralizing potential threats before they escalate into serious issues. Unlike the reactive method of responding to threat alerts as they arise, threat hunting actively seeks out vulnerabilities and risks. Both approaches share the common goal of preventing hackers from causing significant damage.

Many organizations don’t have the resources or expertise to run their own threat-hunting programs. Just as with all cybersecurity programs, the shortage of skilled staff impacts the scale and effectiveness of threat hunting. In the SANS Institute’s 2023 Threat Hunting Survey, 73% of respondents said their organizations need more training or more experienced staff to conduct threat hunting. Managed detection and response (MDR) providers can assist these overwhelmed organizations.

Comparison of hunting vs. alert management

                    Hunting           Alert management
Service approach    Proactive         Reactive
Timeframe           Retrospective     As it happens
Data source         Bulk data         Specific security event(s)

Why is threat hunting valuable?

The most dangerous and successful cyberattacks often start with a stealthy intruder who spends days or even weeks inside an organization’s networks, preparing to execute their objective. Cybersecurity must go on the offensive, not just the defensive. Endpoint defenses alone can’t stop all threats, especially those that have already infiltrated the network. Cybercriminals constantly adapt to bypass security measures and target the system’s weakest links. Therefore, cybersecurity leaders need to anticipate and prevent attacks before they occur.

How does threat hunting work?

These practices are at the core of threat hunting:

Continuous monitoring and visibility

Threat hunting ensures continuous visibility across networks, endpoints, and systems, enabling organizations to detect anomalous behavior and potential threats. This process utilizes real-time monitoring tools, security information and event management (SIEM) systems, and network intrusion detection systems (NIDS) to collect and analyze the vast amounts of data encountered daily by a security operations center (SOC).

As they monitor network traffic, logs, and system activity, threat hunters can set a baseline of normal behavior and identify deviations that can indicate malicious activity. Continuous monitoring helps security teams detect threats earlier, improving the chances of rapid intervention and mitigation.

An intelligence-driven approach

Human analysts are essential to threat hunting, leveraging their experience and instincts to improve cybersecurity efforts. Detecting threats also requires comprehensive data intelligence, both internal and external, including historical attack data, indicators of compromise, and threat feeds. This robust intelligence base enables security professionals to prioritize and focus on the most critical and high-risk threats, ensuring the SOC stays ahead of cybercriminals by identifying potential threats before they can cause damage to the organization.

Hypothesis generation and testing

Testing hypotheses is a crucial aspect of the threat-hunting process. Armed with solid intelligence and the expertise of experienced analysts, threat hunters formulate hypotheses about potential threats or suspicious activities within the environment.

Once a hypothesis is developed, it is tested using data sources, logs, and behavioral analyses from the SOC. Threat hunters scrutinize system artifacts, identify patterns or anomalies, and validate their assumptions. By rigorously testing these hypotheses, they can confirm or refute their suspicions, potentially uncovering malicious activities that might have otherwise gone undetected.

Collaboration and knowledge sharing

Threat hunting is a team sport. It works because different teams collaborate and share information. This includes security operations centers, incident response teams, and threat intelligence units. The process brings together diverse skills, experiences, and perspectives to supercharge the operation. Ongoing communication and information-sharing create a better understanding of the threat landscape, driving faster response times.

Two approaches to threat hunting

In cybersecurity, some industry leaders see threat hunting’s purpose as limited to searching for problems based on known indicators of compromise (IOCs) and on data about the tactics, techniques, and procedures (TTPs) used by known attackers. IOC-based threat hunts are an essential part of cybersecurity because they draw on vast amounts of continuously updated, often crowdsourced threat data. IOC hunts are also useful for remediating and responding to related incidents in real time and for assessing impact afterwards.

But the IOC approach has limitations. It misses the “unknown unknowns” out there, so it’s not a 100%-effective solution. IOC hunts represent fleeting moments in time and must be continuously refreshed—they’re very much a reactive exercise.

By contrast, the proactive approach to threat hunting is centered on a deep understanding of an organization’s infrastructure and business requirements. Teams focus on assessing, predicting, and even imagining where vulnerabilities might emerge. Hypotheses are formed, threats are defined, and the hunt is on.
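As an added example (not from the original article), the Python script below runs both hunting styles over one constructed set of logon events: it builds a per-user baseline from a known-good window (the baselining described under continuous monitoring), tests the hypothesis that a valid account is being used from an unfamiliar host at an unfamiliar hour, and runs a plain IOC match against the same events. All user names, host names, timestamps and the IOC list are made up; the point is that the IOC hunt returns nothing while the hypothesis hunt surfaces the deviation.

```python
from collections import defaultdict
from datetime import datetime

# Constructed successful-logon events: (user, source host, ISO timestamp).
# BASELINE_EVENTS is the known-good window; RECENT_EVENTS is the window under
# investigation. Every name and time here is invented for this example.
BASELINE_EVENTS = [
    ("alice", "WS-ALICE", "2024-03-04T08:55:00"),
    ("alice", "WS-ALICE", "2024-03-05T09:02:00"),
    ("alice", "VPN-GW1",  "2024-03-06T08:47:00"),
    ("bob",   "WS-BOB",   "2024-03-04T07:30:00"),
    ("bob",   "WS-BOB",   "2024-03-05T17:45:00"),
]
RECENT_EVENTS = [
    ("alice", "WS-ALICE",  "2024-03-11T09:10:00"),  # usual host, usual hour
    ("alice", "FILESRV-7", "2024-03-12T02:13:00"),  # unseen host, 02:13
    ("bob",   "WS-BOB",    "2024-03-12T08:05:00"),  # usual host, new hour only
]

# Constructed IOC list (hypothetical feed entry). FILESRV-7 is deliberately
# absent: an IOC-only hunt has no indicator for the alice anomaly.
IOC_HOSTS = {"EVIL-JUMPBOX"}

def build_baseline(events):
    """Per user: the set of source hosts and the set of logon hours observed."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for user, host, ts in events:
        hosts[user].add(host)
        hours[user].add(datetime.fromisoformat(ts).hour)
    return hosts, hours

def ioc_hunt(events, ioc_hosts):
    """Known-indicator hunt: flag events whose source host is on the IOC list."""
    return [e for e in events if e[1] in ioc_hosts]

def hypothesis_hunt(events, baseline):
    """Hypothesis: an account is used from a host it has never used, at an hour
    it has never logged on. Both deviations must hold, so bob's single new hour
    is not flagged. A user absent from the baseline has empty sets and is flagged."""
    hosts, hours = baseline
    findings = []
    for user, host, ts in events:
        hour = datetime.fromisoformat(ts).hour
        if host not in hosts[user] and hour not in hours[user]:
            findings.append({"user": user, "host": host, "time": ts,
                             "reasons": ["unseen source host", "unseen logon hour"]})
    return findings

if __name__ == "__main__":
    print("IOC hunt:", ioc_hunt(RECENT_EVENTS, IOC_HOSTS))
    print("Hypothesis hunt:", hypothesis_hunt(RECENT_EVENTS, build_baseline(BASELINE_EVENTS)))
```

In practice the baseline window would come from a SIEM query over weeks of data and the deviation rules would be tuned per environment; the requirement that several independent deviations coincide is what keeps a hunt like this from drowning in noise.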