Security operations centers process thousands of alerts daily. Most of this activity is reactive. Something triggers an alert, and analysts investigate.
This reactive model has a fundamental limitation. You only detect what you've built detections for. Sophisticated attackers know this. They study common detection tools and techniques, then design their operations to avoid triggering them.
Threat hunting addresses this gap. Rather than waiting for alerts, hunters proactively search for evidence of threats that automated detection missed.
Threat Hunting vs. Incident Response
The distinction matters because the approaches require different skills and mindsets.
Incident response begins with an alert or report of suspicious activity. The investigation works backward from a known starting point to understand what happened. Speed matters because an active incident may be causing ongoing damage.
Threat hunting begins with a hypothesis about what an attacker might do. The investigation searches for evidence that would indicate this activity occurred. There's no known incident; the hunter is looking for something that may or may not exist. Thoroughness matters more than speed.
Both disciplines investigate security data, but they ask different questions. Incident responders ask, "What happened here?" Threat hunters ask, "Has this type of attack happened anywhere in our environment?"
Building Hunting Hypotheses
Effective threat hunting requires good hypotheses. A hypothesis is an educated guess about attacker behavior that you can test against your data.
Sources of Hypotheses
Threat intelligence provides information about attacker tactics, techniques, and procedures. If a threat intelligence report describes how an APT group maintains persistence, you can hypothesize that this technique might exist in your environment and hunt for it.
Industry incident reports often describe attacks against similar organizations. These reports suggest techniques that might target your organization too.
Red team and penetration test findings reveal techniques that work in your environment. Hunters can search for indicators that real attackers have used similar approaches.
Environmental knowledge helps generate hypotheses specific to your organization. Understanding your crown jewels, attack surface, and architecture suggests where attackers would focus.
Security news about new vulnerabilities or techniques prompts hunting for evidence of exploitation before patches deploy or detections exist.
What Makes a Good Hypothesis
Good hunting hypotheses are specific enough to be testable. "Attackers might be in our network" is too vague. "An attacker maintaining persistence via scheduled tasks running encoded PowerShell" is testable.
Good hypotheses align with realistic threats to your organization. Hunting for nation-state techniques when you're a small retailer might not be the best use of resources.
Good hypotheses are answerable with available data. If you don't collect the data needed to test a hypothesis, you can't hunt for it. This reality often reveals logging gaps.
Hunting hypotheses don't need to be complicated. Some of the most valuable hunts test simple questions like "Are there any domain admin logins from workstations?" or "What scheduled tasks have been created in the past 30 days?"
Data Sources for Hunting
Effective hunting requires data. What data you have determines what you can hunt for.
Essential Data Sources
Endpoint telemetry provides the richest hunting ground. Process execution, file activity, registry modifications, and network connections from endpoints reveal attacker actions. Modern EDR platforms make this data accessible for hunting.
Authentication logs show who logged in where and when. Unusual authentication patterns often indicate compromised credentials or lateral movement.
DNS logs reveal domain resolutions that might indicate malicious infrastructure. Command and control often uses DNS for communication or domain generation algorithms.
Web proxy logs capture URLs and traffic patterns for web activity. Data exfiltration and C2 often traverse web proxies.
Network flow data shows traffic patterns without content inspection. Flow anomalies can reveal unexpected communication patterns.
Advanced Data Sources
Cloud platform logs capture activity in cloud environments. As workloads migrate to cloud, these logs become essential for hunting.
Email logs provide visibility into phishing attempts and business email compromise. Patterns in email may reveal ongoing attacks.
Application logs capture activity within critical business applications. Attackers often target specific applications once they establish access.
Hunting Methodologies
Several structured approaches guide hunting activities.
ATT&CK-Based Hunting
The MITRE ATT&CK framework catalogs attacker techniques. Hunters can work through relevant techniques, developing hypotheses and testing for each.
This approach ensures comprehensive coverage over time. Track which techniques you've hunted for and which remain unaddressed.
Intelligence-Driven Hunting
Start with specific threat intelligence about attackers targeting your industry or region. Hunt for indicators of compromise and behavioral patterns described in the intelligence.
This approach focuses effort on realistic threats but requires quality threat intelligence.
Anomaly-Based Hunting
Search for statistical outliers in your environment. What machines behave differently than their peers? What user accounts show unusual patterns?
This approach can find novel attacks but generates false positives requiring investigation.
Environmental Hunting
Focus on your organization's specific architecture and assets. If attackers wanted to reach your crown jewels, what paths would they take? Hunt along those paths.
This approach requires deep environmental knowledge but finds issues specific to your organization.
The Hunting Process
A structured process ensures hunting is systematic rather than random.
Planning
Select a hypothesis to test. Define what data you'll examine and what you're looking for. Establish the time frame to investigate.
Document your plan before starting. This documentation helps others repeat the hunt and builds institutional knowledge.
Data Collection
Gather the data needed to test your hypothesis. This might involve querying your SIEM, requesting data from EDR platforms, or examining logs on specific systems.
Ensure you're looking at the right time period. If your hypothesis relates to recent threat intelligence, focus on recent data. If you're looking for long-term persistence, examine longer windows.
Analysis
Examine the data for evidence supporting your hypothesis. Filter noise to focus on potentially interesting findings. Follow threads where the data suggests investigation.
This is where analyst skill matters most. The difference between a productive hunt and wasted time often comes down to the analyst's ability to recognize significant patterns.
Investigation
When you find something interesting, investigate further. Is this genuinely malicious? What's the full scope? What else did this actor do?
Many hunting findings turn out to be legitimate activity or previously known issues. That's expected. The goal is finding the cases that matter.
Documentation
Document your findings whether you found anything or not. Record your hypothesis, methodology, data examined, and conclusions.
Negative findings have value. Knowing that a specific technique isn't present in your environment (as of the hunt date) is useful information.
Operationalization
If you find a technique that should have been detected, improve your detections. If you find logging gaps that limited your hunting, address them.
Hunting should drive continuous improvement in detection capabilities. The best hunting programs convert findings into better defenses.
Don't treat hunting as separate from detection engineering. Every hunt should consider whether the technique could be detected automatically. The goal isn't permanent manual hunting; it's building detections informed by hunting experience.
Building a Hunting Program
Starting a threat hunting capability requires more than just assigning an analyst to hunt.
Prerequisites
Before hunting, you need visibility. If you don't have endpoint telemetry and centralized logging, start there. Hunting without data is guessing.
You need skilled analysts. Hunting requires experience recognizing attacker behavior and skill working with large datasets. Not every SOC analyst is ready to hunt.
You need time. Hunting competes with incident response and other operational demands. Without dedicated time, hunting won't happen consistently.
Starting Small
Begin with simple hunts testing straightforward hypotheses. Build skills and processes with achievable efforts before tackling complex investigations.
Schedule regular hunting time. Even a few hours weekly, consistently applied, builds capability over time.
Document everything from the start. Hunting knowledge that exists only in analysts' heads doesn't persist.
Maturing the Program
As the program matures, increase hunting frequency and sophistication. Track coverage against ATT&CK to ensure you're addressing relevant techniques.
Build relationships with threat intelligence to receive information that drives hypothesis development. Connect with detection engineering to ensure hunting findings improve automated detection.
Measure program value through findings that matter. Techniques discovered that weren't being detected, improvements to detection coverage, and actual incidents found through hunting demonstrate value.
Measuring Hunting Effectiveness
How do you know if your hunting program is working?
Activity Metrics
Track how often hunting occurs and what techniques are examined. These metrics ensure hunting happens consistently but don't measure quality.
Coverage Metrics
Map completed hunts against ATT&CK or your priority threat model. What percentage of relevant techniques have you hunted for? Coverage should expand over time.
Finding Metrics
Count findings by significance. How many detections improved based on hunting? How many actual incidents were discovered through hunting?
Quality matters more than quantity. One significant finding per quarter demonstrates more value than many trivial findings weekly.
Detection Improvement
The ultimate measure of hunting value is improvement in automated detection. If hunting finds things but detections don't improve, you're not operationalizing findings effectively.
Getting Started with Hunting
If you're building threat hunting capability, begin with these steps.
Ensure you have the data. If endpoint telemetry and authentication logs aren't centralized and searchable, address that first.
Start with simple hypotheses. Hunt for known malicious patterns, suspicious scheduled tasks, or unusual privileged account usage before tackling sophisticated techniques.
Dedicate time explicitly. Block hunting time on calendars and protect it from operational demands.
Document from day one. Create templates for hunting plans and findings. Build a library of hunts that can be repeated.
Connect hunting to detection. Every hunt should ask, "Could we detect this automatically?" Then improve detection accordingly.
Threat hunting isn't a replacement for good detection. It's a complement that finds what detection misses and improves detection over time.
Related Service
Learn more about how we can help with Security Operations.
Explore Security Operations Services →
