
What is threat hunting? A practical guide for threat detection success



Summary: Threat hunting is a proactive cybersecurity practice where analysts assume a breach occurred and search for hidden threats that bypass traditional security tools.

How long can an attacker lurk in your network? Weeks? Months? Well, according to IBM’s Cost of a Data Breach Report, it takes an average of 194 days for a company to identify that a data breach has occurred. During that time, attackers can extract data, steal credentials, and map out your network for further attacks.

Waiting for an alert to signal a breach is no longer a viable security strategy. So, how can organizations find these hidden threats before they do significant damage? The answer is threat hunting.

What is threat hunting?

Threat hunting is almost what it sounds like—a proactive approach that involves searching for malicious activities in an organization’s network that might have slipped through automated security tools. The hunters here are usually the company's skilled cybersecurity professionals, such as security analysts, who know the organization’s operations well.

So, while traditional security tools like firewalls and antivirus software are designed to stop known threats, threat hunting focuses on uncovering the unknown. Instead of waiting for an alert, a threat hunting team will assume their defenses have been breached and go looking for attackers in their network.

How cyber threat hunting works

During the threat hunt, cyber threat hunters will comb through vast datasets from an organization's existing security tools, like network traffic, endpoint activity, and past incidents, looking for subtle signs of an attacker’s presence. This deep-dive analysis allows threat hunting teams to uncover hidden malware, stealthy attackers, and other suspicious activities. This makes it an essential practice for discovering sophisticated attacks that would otherwise go undetected.

Threat hunting types

Cyber threat hunting usually takes one of three approaches:

Structured hunting is a systematic and proactive approach where threat hunters form a hypothesis about an attacker's methods. Guided by formal frameworks like the MITRE ATT&CK, they methodically search for specific suspicious tactics, techniques, and procedures (TTPs). This allows hunters to quickly identify and intercept the signs of an attack before it escalates.

Unstructured hunting is a more reactive approach, often triggered by a specific indicator of compromise (IoC). When an IoC is discovered, threat hunters use it as a starting point to search historical data for patterns and clues. The goal is to identify the IoC's source and determine if the threat remains active. This method can be highly effective for uncovering previously undetected threats that automated systems may have missed.

Situational or entity-driven hunting focuses on an organization’s unique risks. Based on an internal risk assessment, threat hunters prioritize specific, high-value assets or employees. They concentrate their efforts on these critical entities to find potential threats that could pose a risk, which allows the organization to maximize security resources and strengthen defenses where they are most needed.

Threat hunting methodologies

Now, let’s turn to threat hunting methodologies that analysts can use to uncover threats that have bypassed traditional automated security tools:

Hypothesis-driven hunting

  • Approach: The threat hunter forms a hypothesis, which is grounded in threat intelligence, recent incidents, or known TTPs associated with threat actors. Then they design queries and analytics to either confirm or deny the initial assumption.
  • Example: A threat hunter might hypothesize that an attacker is using valid credentials for lateral movement. To test this, the analyst would design queries to detect authentication misuse across specific datasets.
  • Tools: MITRE ATT&CK framework, datasets like OpenLDAP event logs, Kerberos ticket usage, RDP session records, or cloud access logs.
  • Best for: Because of its proactive nature, this method is ideal for hunting advanced persistent threats (APTs) and other sophisticated attacks.
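The lateral-movement hypothesis above, as an added example that is not part of the original article: a hunt query over constructed authentication events that flags any account reaching an unusually high number of distinct hosts inside a short sliding window. The log format, hostnames, account names and the threshold of four hosts in ten minutes are all assumptions chosen for the illustration.

```python
# Added example (not from the article): hunt for valid-credential lateral
# movement by counting distinct destination hosts per account inside a
# sliding time window over constructed authentication events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp,user,source_host,destination_host,logon_type"
# (logon_type 3 = network logon, 10 = remote interactive/RDP; all values are made up).
SAMPLE_LOG = """\
2024-05-01T09:00:05,alice,WS-ALICE,FILESRV01,3
2024-05-01T09:00:30,bob,WS-BOB,FILESRV01,3
2024-05-01T09:03:00,svc-backup,BACKUP01,FILESRV01,3
2024-05-01T09:03:30,svc-backup,BACKUP01,FILESRV02,3
2024-05-01T09:04:00,svc-backup,BACKUP01,DB01,3
2024-05-01T09:05:20,svc-backup,BACKUP01,WS-BOB,10
2024-05-01T11:00:00,bob,WS-BOB,MAIL01,3
2024-05-01T13:00:00,bob,WS-BOB,PRINT01,3
2024-05-01T15:00:00,bob,WS-BOB,HR-SHARE,3
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, ltype = line.split(",")
        events.append((datetime.fromisoformat(ts), user, src, dst, int(ltype)))
    return sorted(events)  # chronological order is required by the window scan

def hunt_lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {user: (window_start, hosts)} for accounts that reached at least
    min_hosts distinct destinations within any span of length `window`.
    bob also touches four hosts, but spread over six hours, so he is not flagged."""
    by_user = defaultdict(list)
    for ts, user, _src, dst, _ltype in events:
        by_user[user].append((ts, dst))
    hits = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= min_hosts and user not in hits:
                hits[user] = (evs[start][0], sorted(hosts))
    return hits

if __name__ == "__main__":
    for user, (first, hosts) in hunt_lateral_movement(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {len(hosts)} hosts starting {first.isoformat()} -> {hosts}")
```

In a real hunt the same query would run against the SIEM's authentication index, with the threshold tuned per account type so that backup and scanning service accounts get their own baseline rather than a global one.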

Intel-driven hunting

  • Approach: Threat hunters use Security Information and Event Management (SIEM) and other tools to monitor for known IoCs (e.g., hash values, IP addresses). When an IoC is detected, they investigate by analyzing the network's status before and after the event.
  • Example: An analyst learns that a specific ransomware group is using a particular C2 domain. The analyst then hunts the network for any connections to that domain, looking for evidence of the group's known tactics.
  • Tools: This method relies on threat hunting tools that can correlate and enrich data. This includes SIEM and EDR platforms, threat intelligence platforms, and dark web monitoring services.
  • Best for: Staying up-to-date with known threats. It's also ideal for tracking specific adversary infrastructure and behaviors.

Data-driven hunting

  • Approach: This method uses statistical analysis and machine learning to find anomalies in large datasets. It's an excellent way to uncover threats without a specific hypothesis, as it flags any deviations from a baseline of normal activity.
  • Example: A user account suddenly starts accessing files from a different department at 3 am. The system flags this as anomalous behavior, prompting a hunt.
  • Tools: Threat hunters analyze this data using SIEM platforms, user and entity behavioral analytics (UEBA) tools, and log aggregation systems.
  • Best for: Discovering unknown threats, insider risks, or zero-day attacks that would otherwise go undetected by traditional security tools.
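The baseline-deviation idea in the example above, as an added illustration that is not part of the original article: a profile of each user's normal departments and working hours is learned from a history window of constructed file-share access records, and later events that break the profile become hunt leads. The record format, user names and departments are assumptions made for the example.

```python
# Added example (not from the article): baseline-and-deviation hunt over
# constructed file-share access events. Each user's usual departments and
# active hours are learned from history; later events that break the
# baseline are returned as hunt leads with the reason for each flag.
from collections import defaultdict
from datetime import datetime

# Constructed "timestamp,user,share_department" records (values are made up).
HISTORY = """\
2024-04-01T08:55:00,carol,finance
2024-04-01T10:20:00,carol,finance
2024-04-02T09:10:00,carol,finance
2024-04-02T17:40:00,carol,finance
2024-04-01T09:00:00,dave,engineering
2024-04-02T14:30:00,dave,engineering
"""
NEW_EVENTS = """\
2024-04-03T10:05:00,carol,finance
2024-04-03T03:12:00,carol,engineering
2024-04-03T11:00:00,dave,finance
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, user, dept = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, dept))
    return rows

def build_baseline(history):
    """Per user: set of departments accessed and the [earliest, latest] hour seen."""
    base = defaultdict(lambda: {"depts": set(), "hours": []})
    for ts, user, dept in history:
        base[user]["depts"].add(dept)
        base[user]["hours"].append(ts.hour)
    return {u: {"depts": v["depts"], "hours": (min(v["hours"]), max(v["hours"]))}
            for u, v in base.items()}

def score_events(baseline, events):
    """Return [(event, reasons)] for events deviating from the user's baseline.
    Users with no history are flagged too: there is nothing to compare against."""
    leads = []
    for ts, user, dept in events:
        reasons = []
        prof = baseline.get(user)
        if prof is None:
            reasons.append("no baseline for user")
        else:
            if dept not in prof["depts"]:
                reasons.append(f"new department {dept}")
            lo, hi = prof["hours"]
            if not lo <= ts.hour <= hi:
                reasons.append(f"hour {ts.hour:02d} outside {lo:02d}-{hi:02d}")
        if reasons:
            leads.append(((ts, user, dept), reasons))
    return leads
```

A UEBA product does the same thing with richer features and statistical thresholds, but the workflow is identical: learn a baseline, score new telemetry against it, and hand the highest-scoring deviations to a hunter for follow-up.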

Situational or reactive hunting

  • Approach: The hunt is triggered by specific events like a security alert with missing context or an ongoing incident. In turn, the hunters perform a retroactive analysis to determine the scope and root cause of the threat and to uncover any additional TTPs or backdoors.
  • Example: An EDR alert flags a malicious file on one endpoint but provides no further details. Threat hunters launch a reactive hunt to see if the file was part of a larger campaign, looking for signs of lateral movement or other compromised systems.
  • Tools: Effective programs rely on high-quality telemetry from tools like SIEM, EDR, and SOAR platforms.
  • Best for: Rapid response to emerging threats and vulnerabilities.

Threat hunting steps

As you can see, threat hunting isn't a random search—it's a systematic process. By following a clear methodology, security teams can move from a suspicion to a confirmed threat and then to remediation. Here are the core steps that guide a successful threat hunt:

  1. Form a hypothesis about a potential threat: Every good hunt has a starting point. The hypothesis or theory can be based on threat intelligence, an alert from a SIEM, or a known vulnerability.
  2. Conduct research, collect data and intelligence: Gather and process all relevant data. This includes log data, network traffic, endpoint data, and threat intelligence. You might be using a tool for threat exposure to get an overview of your organization's external threat landscape.
  3. Identify the trigger: Threat hunters then identify the specific data sources needed to start their investigation. This can involve endpoint telemetry, authentication logs, DNS queries, or cloud audit trails.
  4. Investigate the threat: This is where threat hunters do their deep-dive analysis to determine if the threat is malicious. You may even be doing some form of vulnerability scanning or attack surface management.
  5. Respond and remediate: If a threat is found, the team must take action. This involves containing the threat, eradicating it, and recovering from any damage. The insights gained from the hunt are then used to improve security defenses and prevent similar attacks in the future.

Key tools and technologies used in threat hunting

To outmaneuver sophisticated threats, hunters need more than intuition—they need a tech stack that can keep up. The right solutions centralize vast datasets, automate tedious tasks, and provide a comprehensive view of the entire external threat exposure. Let's take a closer look at the key technologies used for threat hunting:

SIEM: It’s a security solution that centralizes logs and events from across your entire network. It provides a single platform for searching and analyzing data, which helps threat hunters detect attacks earlier and reduce the number of false positives they need to investigate.

Endpoint Detection and Response (EDR): Such tools collect detailed telemetry on process execution and user activity. This allows threat hunters to quickly trace an attacker's actions and uncover the root cause of suspicious events. It’s an essential tool for detecting threats like fileless malware and tracing initial execution paths.

Extended Detection and Response (XDR): XDR provides threat hunters with unified telemetry from endpoints, cloud workloads, and email gateways. This allows them to correlate an attacker's activity across multiple security layers, from phishing to lateral movement.

Security Orchestration, Automation, and Response (SOAR): SOAR platforms automate the detection, analysis, and response to cyber threats, allowing threat hunters to act more efficiently, accurately, and quickly.

Threat intelligence platforms: Such solutions provide a stream of external threat intelligence, including IOCs, such as compromised credentials and open ports, which is essential for intel-driven hunting. For example, NordStellar’s cyber threat intelligence can help threat hunters rapidly identify and block potential malware infections before major damage occurs.

Behavior analytics tools: These tools use machine learning to detect anomalies in user and network behavior, which can be an excellent starting point for a hunt.

Building a successful threat hunting team

While a threat hunter's tools are critical, they're only part of the equation. A high-performing team with clearly defined roles is essential for a successful threat hunting program.

The core of the team is the threat hunter, who is the expert in the hunt process, skilled in data analysis, threat modeling, and understanding attacker TTPs. Next is the SOC analyst, who monitors alerts and provides the initial input for hunts, often being the first to spot an anomaly that sparks an investigation. The threat intel analyst provides crucial context by delivering up-to-the-minute information on emerging threats, adversaries, and their methods. Lastly, the data engineer ensures that the data is clean, accessible, and correctly structured for analysis.

Cross-functional collaboration is also vital. The threat hunting team should work closely with incident responders to address confirmed threats, with the IT team to implement new security controls, and with security managers and CISOs to communicate risks and inform strategic decisions. Conducting a cybersecurity risk assessment can help identify key areas to focus on.

Common cyber threat hunting challenges

The rapid evolution of cyber threats makes threat hunting challenging. Attackers are increasingly using sophisticated tactics, techniques, and procedures (TTPs) like fileless malware and encrypted traffic to bypass automated security systems. These advanced methods don't always match known patterns, making them difficult to detect.

Additionally, the sheer volume of data and the constant stream of alerts can lead to data overload and alert fatigue, making it difficult for security teams to find critical threats buried in the noise. This is compounded by a global shortage of skilled cybersecurity personnel.

A further challenge is poor tool integration, where different security platforms fail to communicate effectively, creating data silos that slow down investigations and reduce overall visibility.

Best practices for ongoing improvement

Threat hunting isn't a one-time exercise—it's a continuous process of learning and improvement. Attackers constantly refine their methods and introduce new TTPs. To stay ahead, hunters must dedicate time to researching and understanding these emerging threats.

Additionally, knowledge sharing is crucial. Teams should regularly share their findings, post-hunt reviews, and new techniques to help the entire organization improve its defenses. You can also draw on publicly available hunt libraries (such as those published by CISA and other security organizations) for new ideas and methodologies.

Finally, integrating threat intelligence feeds is a crucial step for any threat hunting team. By using platforms like NordStellar, you can ensure your hunts are always based on the most current and relevant information, allowing you to proactively hunt for emerging threats and stay one step ahead of adversaries.

Final thoughts

Threat hunting allows organizations to get ahead of attackers and discover hidden threats before they escalate into major incidents. It's a practice that, when composed of the right mix of skilled professionals, clear methodologies, and powerful technology, enables a more resilient and proactive defense.

This approach moves security teams beyond simply reacting to alerts. It empowers them to actively seek out and eliminate threats lurking in the network, turning defense into a decisive action.

Start threat hunting with NordStellar. Contact us and adopt proactive threat management techniques today.



