Cyber Threat Hunting
What is Cyber Threat Hunting?
Cyber threat hunting is a proactive security process that involves searching through networks, endpoints, logs, and indicators of compromise (IOCs) to identify malicious activities that evade automated security defenses. By leveraging dark web intelligence and understanding the tactics, techniques, and procedures (TTPs) of cybercriminals, threat hunters can proactively identify and mitigate threats before those threats can harm individuals and businesses.
With this proactive security approach, threat hunters can identify early indicators of attack (IOAs) and prepare mitigation strategies as soon as possible.
The need for cyber threat hunting
Traditional security tools, such as firewalls, antivirus software, and signature-based alerting, are effective at detecting known threats because they match predefined signatures or patterns of attack. However, they may struggle to identify advanced persistent threats (APTs) or zero-day exploits that require deeper analysis and contextual understanding. Real-time network traffic monitoring tools may also miss these sophisticated attacks. This limitation leaves organizations vulnerable to undetected threats.
Cyber threat hunting in cybersecurity requires specialized tools to provide:
- Automated alerts within dark web monitoring platforms, helping to quickly detect threats, prioritize them by severity, reduce human error, and ensure continuous 24/7 monitoring of critical systems.
- Forensic analysis and situational context to understand the scope of potential threats.
- Advanced search and query capabilities for deep investigations.
- Behavioral analysis and pattern recognition to detect anomalies that automated defenses might miss.
- Visualizations, such as attack or threat path graphs, to map out the progression of a security breach.
Types of cyber threat hunting investigations
There are four main cyber threat hunting techniques that can be used in various scenarios. We’ll break each approach down to understand how they are applied and when they are most effective.
Hypothesis-based hunting
Hypothesis-based hunting starts from data-driven hypotheses, which draw on data from previous incidents, threat intelligence, behavioral analysis, and human intuition.
Threat hunters begin their investigations by formulating hypotheses grounded in TTPs from frameworks such as the MITRE ATT&CK and Diamond Model of Intrusion Analysis, historical data, and known attack patterns. Data is then collected and analyzed from various threat intelligence sources, which include malware analysis, user and entity behavior analytics (UEBA), and dark web threat intelligence.
Example: A threat hunter might use a hypothesis-based approach when they notice an increase in failed login attempts from multiple user accounts over a short period of time. They may hypothesize that an attacker is attempting credential stuffing based on that suspicious activity.
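As an added example, not from the original page, here is a small hunt that tests that credential-stuffing hypothesis over constructed authentication log lines: it flags a source address that fails against at least five distinct accounts inside a sliding ten-minute window. The log format, addresses and user names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events "timestamp user source_ip result" (hypothetical users, documentation-range addresses).
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01 alice 203.0.113.7 FAIL
2024-05-01T09:00:03 bob 203.0.113.7 FAIL
2024-05-01T09:00:05 carol 203.0.113.7 FAIL
2024-05-01T09:00:07 dave 203.0.113.7 FAIL
2024-05-01T09:00:09 erin 203.0.113.7 FAIL
2024-05-01T09:02:00 alice 198.51.100.4 FAIL
2024-05-01T09:05:00 alice 198.51.100.4 FAIL
2024-05-01T11:00:00 grace 192.0.2.9 FAIL
2024-05-01T11:30:00 heidi 192.0.2.9 FAIL
2024-05-01T12:00:00 ivan 192.0.2.9 FAIL
2024-05-01T12:30:00 judy 192.0.2.9 FAIL
2024-05-01T13:00:00 mallory 192.0.2.9 FAIL
"""

def failed_logins(log_text):
    """Return [(timestamp, user, source_ip)] for FAIL events, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        if result == "FAIL":
            events.append((datetime.fromisoformat(ts), user, src))
    return sorted(events)

def find_credential_stuffing(log_text, window_minutes=10, min_accounts=5):
    """Hypothesis test: one source failing against many distinct accounts in a short window.
    Returns {source_ip: sorted list of targeted users}. A single user failing repeatedly never
    matches; a slow-and-low source spread over hours only matches if the window is widened."""
    by_src = defaultdict(list)
    for ts, user, src in failed_logins(log_text):
        by_src[src].append((ts, user))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for src, events in by_src.items():
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits
```

The third source in the sample fails against five accounts spread over two hours and is only reported when the window is widened, which is why a hunt should also test the hypothesis at longer time scales.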
Structured hunting
Structured hunting provides a consistent process for detecting and mitigating threats. Threat hunters search for indicators of attack (IOAs), which focus on behavioral patterns and TTPs that indicate an adversary is in the process of launching an attack. Threat hunters can better anticipate attacks by analyzing these behavioral signals from intelligence collected on the dark web.
Threat hunters look for:
- Indicators of Compromise (IOCs)
- Indicators of Attack (IOAs)
- Malware signatures
- Suspicious network traffic patterns
- TTPs
Where they look:
- Dark web forums
- Threat group Telegram channels
- User and entity behavior analytics (UEBA)
- Crowdsourced threat intelligence platforms
- Open Source Intelligence (OSINT) and external threat feeds
- Active Directory logs
Example: A threat hunter may use this approach to look for IOCs that have been identified in recent threat intelligence reports.
Security researchers can also gain invaluable insights and early warning signs of emerging attacks being discussed on dark web forums such as Nulled, BreachForums, Dread, and XSS.
Unstructured hunting
Unstructured hunting involves exploring vast amounts of security data without a specific hypothesis. It is typically used when anomalies do not follow clear patterns or align with known attack indicators. This flexible, exploratory approach is useful when the nature of the attack is unclear.
Unstructured hunting is often employed after a security incident or data breach to help assess the scope of the compromise and uncover the attacker’s tactics, techniques, and procedures (TTPs). Threat hunters may also use it when they observe anomalous activity that does not align with known attack patterns, as it provides greater flexibility in the investigation process.
Example: After a ransomware attack, threat hunters might detect unusual activity in network logs. This may include large volumes of data being exfiltrated to an unknown IP address, suspicious file creations, a high volume of file writes to directories, or abnormal account logins from unfamiliar geolocations at odd hours. These IOCs can help threat hunters determine the scope of the breach, identify the attacker’s tactics, and take immediate actions to contain the damage.
Situational or threat-intelligence-based hunting
In situational or threat-intelligence-based hunting, cybersecurity professionals develop hypotheses based on an organization’s internal risk assessments and emerging threats. Threat hunters leverage external data from crowdsourced intelligence platforms, such as Open Source Intelligence (OSINT) and the Malware Information Sharing Platform (MISP), as well as current cyberattack trends. Threat hunters can use this intelligence to discover the latest tactics, techniques, and procedures (TTPs) used by their adversaries, enabling them to identify potential threats ahead of time.
Example: A cybersecurity team notices an uptick in attacks targeting a specific vulnerability (CVE) in a popular software. They hypothesize that an advanced persistent threat (APT) group is exploiting this vulnerability. Then, the team conducts targeted searches across their network to detect any signs of exploitation, such as unusual login patterns or attempts to exploit the identified CVE.
How cyber threat hunting works
By proactively identifying and exploring cyber threats before they become full-scale attacks, organizations can significantly reduce the time an attacker remains undetected in their environment. Here is a complete step-by-step breakdown of the cyber threat hunting process.
Step 1: Hypothesis
Threat hunters begin their investigations with a hypothesis. This process uses a potential attacker’s tactics, techniques, and procedures (TTPs) as the baseline structure. Threat hunters combine intelligence sources with their expertise to develop a thorough understanding of possible attack vectors and threat behaviors. Based on this information, they develop a hypothesis that indicates which threats should be prioritized.
Step 2: Collect and process intelligence and data
Cyber threat intelligence (CTI) data comes from a variety of sources, including security logs, threat feeds, and dark web monitoring platforms (like Lunar). Dark web monitoring tools gather relevant information from hacker forums, dark web marketplaces, Telegram, and other sources. By setting alerts, security teams can be notified when threats targeting their network, domain, or stolen PII are discussed on the dark web, enabling proactive threat mitigation.
Step 3: Trigger
Triggers prompt the threat hunter to validate or disprove their hypothesis. A sudden spike in outbound traffic from an internal server during non-peak hours may indicate potential data exfiltration. This anomaly triggers a deeper investigation to determine whether the traffic is linked to malicious activity. Threat researchers use the data they gather to support their hypotheses and develop a plan of action.
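The trigger described above, together with the exfiltration observation in the unstructured-hunting example, as an added example that is not from the original page: per-host hourly outbound totals are compared against each host's own median hourly volume, and only off-hours hours above a multiple of that baseline are raised for investigation. The record format, hostnames, volumes and business hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed hourly outbound-byte totals per internal host: "hour host bytes_out".
# Hostnames and volumes are hypothetical; srv-web02 legitimately pushes data at 03:00.
SAMPLE_HOURLY_FLOWS = """\
2024-05-06T10:00 srv-db01 120000000
2024-05-06T14:00 srv-db01 135000000
2024-05-07T10:00 srv-db01 118000000
2024-05-07T14:00 srv-db01 130000000
2024-05-08T03:00 srv-db01 9400000000
2024-05-06T10:00 srv-web02 500000000
2024-05-07T03:00 srv-web02 520000000
2024-05-08T03:00 srv-web02 510000000
"""
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time, assumed for this example

def parse_hourly_flows(text):
    """Return [(hour, host, bytes_out)] from the whitespace-separated records."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            hour, host, nbytes = line.split()
            rows.append((datetime.fromisoformat(hour), host, int(nbytes)))
    return rows

def off_hours_spikes(text, factor=5.0):
    """Trigger check: an off-hours hour whose outbound volume exceeds `factor`
    times the host's own median hourly volume. The median is used as the
    baseline so a single huge hour cannot inflate its own reference point.
    Returns a list of dicts sorted by ratio, highest first."""
    rows = parse_hourly_flows(text)
    per_host = defaultdict(list)
    for _, host, nbytes in rows:
        per_host[host].append(nbytes)
    baseline = {host: median(v) for host, v in per_host.items()}
    spikes = []
    for hour, host, nbytes in rows:
        if hour.hour in BUSINESS_HOURS:
            continue
        ratio = nbytes / baseline[host]
        if ratio >= factor:
            spikes.append({"host": host, "hour": hour.isoformat(timespec="minutes"),
                           "bytes_out": nbytes, "ratio": round(ratio, 1)})
    return sorted(spikes, key=lambda s: s["ratio"], reverse=True)
```

Because each host is measured against its own history, the web server's routine 03:00 transfers are not raised, while the database server's single off-hours hour at roughly seventy times its normal volume is.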
Step 4: Investigation
The threat hunter will then conduct a thorough investigation based on intelligence aggregated from various sources. They typically monitor user behavior to identify anomalies and analyze indicators of compromise (IOCs) for a more contextual understanding of the threats. Once all variables are considered, the threat hunter determines the scope of the situation and how to prioritize mitigation efforts.
Step 5: Resolution
The final step in the cyber threat hunting process involves implementing measures to mitigate the threat. This could be isolating affected systems, applying patches or configuration changes, limiting user access permissions, and enhancing security controls. Document all key findings and update incident response plans based on the lessons learned.