
Threat Hunting 101 


For those just getting started with threat hunting, there are four points one must understand from the outset:

  1. Threat hunting is proactive, not reactive. Hunters construct hypotheses to test the conditions under which an adversary might infiltrate the network. These hypotheses can be lead-driven (i.e. prompted by abnormal network activity) or leadless (i.e. prompted by hypothetical intrusion scenarios).
  2. Threat hunting assumes the worst has happened. Threat hunters carry out their hunts under the assumption that adversaries have already evaded existing defenses. A hunt therefore begins with the hypothesis that an attack was successful, then searches for the evidence that would confirm it.
  3. Threat hunting is a human-led activity but can benefit from appropriate technologies. Organizations require trained human specialists to lead threat hunts. Hunters apply critical thinking, scripting knowledge, and manual search methods to identify threats that evade standard detection technologies. Emerging technologies like AI and machine learning can help hunters sift through massive volumes of data and make more informed search queries based on existing threat data.
  4. Threat hunting improves an organization’s security posture, regardless of hunt outcomes. Hunts may reveal proof of a vulnerability, or they may reveal network activity that is completely unrelated to the target of the investigation. Regardless of what is found, hunting exercises expand the organization’s security awareness and visibility of the network.

For more on the subject, see the SCMedia eBook “Threat Hunting Essentials: How to Craft an Effective Process.”

Bill Brenner

Bill Brenner is VP of Content Strategy at CyberRisk Alliance — an InfoSec content strategist, researcher, director, tech writer, blogger and community builder. He was formerly director of research at IANS, senior writer/content strategist at Sophos, senior tech writer for Akamai Technology’s Security Intelligence Research Team (Akamai SIRT), managing editor for CSOonline.com and senior writer for SearchSecurity.com.
