Cyber threat hunting involves proactively searching through networks, endpoints, email, and datasets to hunt malicious, suspicious, or risky activities that have evaded detection by existing tools. Proactive cyber threat hunting tactics have evolved to use new threat intelligence on previously collected data to identify and categorize potential threats in advance of an attack by malicious actors.
Security operations center (SOC) personnel can’t afford to believe that their security system is impenetrable. They must remain ever vigilant for the next threat or vulnerability. Rather than sit back and wait for threats to strike, cyber threat hunting develops hypotheses based on knowing the behaviors of threat actors and validating those hypotheses through active searches in the environment.
With threat hunting, an expert starts with deeper reasoning and forensics rather than an alert or even indicators of compromise (IOC). In many cases, the hunter’s efforts create and substantiate the alert or IOC.
Cyber threat hunting aggressively assumes that a breach in the enterprise has or will occur. Security personnel hunt down threats in their environment rather than deploy the latest tool.
Traditional cyber threat hunting is based on a manual process in which a security analyst scrutinizes data based on their knowledge of the network and systems to build assumptions about potential threats.
Cyber threat hunting has advanced in effectiveness and efficiency through the addition of automation, machine learning (ML), and user and entity behavior analytics (UEBA) to alert enterprise security teams of potential risks.
Once the risk or potential risk, as well as frequency of a hunt, has been determined, an investigation is initiated.
IOC-based Hunting: This reactive approach focuses on detecting known threat artifacts within the environment, such as file hashes, IP addresses, and domains.
Hypothesis-driven Investigations: When significant information of a new, imminent threat vector is discovered, cyber threat hunting will delve deeper into network or system logs in search of hidden anomalies or trends that could signal the new threat.
Analytics-driven Investigations: Searches based on information gathered from ML and artificial intelligence (AI) tools.
Tactics, Techniques, and Procedures (TTP) Investigations: Hunting for attack mannerisms typically uses the same operational techniques. This is helpful to source or attribute the threat and to leverage existing remediation methods that have worked with these behaviors.
Threat hunting is specific to each environment, but some techniques can be applied to almost any environment. Core threat hunting techniques include:
Baselining helps the hunter understand what “normal” looks like within an organization. SANS describes the value of baselining as looking for a needle in a haystack by removing the hay in double-digit percentages to shorten the time needed for the needle to become visible.
To help minimize the time needed to combine baseline analysis with attacker technique, SANS suggests hunters consider the following questions:
How prevalent is PowerShell in your environment?
If prevalent, what does normal system administrator activity look like?
Where does PowerShell activity typically come from? What user accounts typically run it?
As a result, a hunter may not need to baseline all of PowerShell, but rather look for unexpected outliers or attacker-specific command structures.
Baselining aids the hunter in understanding the overall hunt environment, but attack-specific hunts can help track malicious activity faster. Attack-specific hunts typically focus on a specific threat actor or threat. However, the limits of their specific hunt model can throw off false positives. Attack-specific hunts and baselining often yield good results.
All hunts are time sensitive, and therefore require hunters to validate their baseline terms periodically. SANS recommends confirming that new software implementations are not causing unnecessary traffic resulting in false-positive data.
Keeping up with attackers’ shifting to new techniques—or reverting back to old techniques—requires hunters to validate intelligence-based hunts and even hunt again if legacy techniques are detected.
Looking for needles in a data haystack can overwhelm teams of hunters. Third-party providers can help guide hunters to more successful hunts.
SANS lists the following benefits hunters can gather from third-party sources:
Ruling out false positive leads
Focusing on interesting leads
IP lookups
Geolocation
Encrypted traffic metadata
Log detection
Attacker technique overlays
Link analysis of internal vs. external or host vs. network data points
A cyber threat hunt is composed of steps or processes designed for an efficient, successful hunt. These steps include:
Threat hunts begin with a hypothesis or a statement about the hunter’s ideas of what threats might be in the environment and how to go about finding them. A hypothesis can include a suspected attacker's TTPs. Threat hunters use threat intelligence, environmental knowledge, and their own experience and creativity to build a logical path to detection.
Hunting for threats requires quality intelligence and data. A plan for collecting, centralizing, and processing data is required. Security information and event management (SIEM) software can provide insight and a track record of activities in an enterprise’s IT environment.
A hypothesis can act as a trigger when advanced detection tools point threat hunters to initiate an investigation of a particular system or specific area of a network.
Investigative technologies enable deep searches for potential anomalies within systems and networks. This facilitates the classification of those anomalies as benign or malicious.
Data gathered from confirmed malicious activity can be entered into automated security tools to respond, resolve, and mitigate threats. Actions can include:
Removing malware files
Restoring altered or deleted files to their original state
Updating firewall / IPS rules
Deploying security patches
Changing system configurations
These actions can help you better understand what occurred and how to improve your security against similar future attacks.
An enterprise’s cyber threat hunting maturity model is defined by the quantity and quality of data the organization collects from its IT environment. An enterprise’s cyber threat hunting capabilities for hunting and responding, toolsets, and analytics factor into its threat hunting maturity model.
The SANS Institute identifies a threat hunting maturity model as follows:
Initial: At Level 0 maturity an organization relies primarily on automated reporting and does little or no routine data collection.
Minimal: At Level 1 maturity an organization incorporates threat intelligence indicator searches. It has a moderate or high level of routine data collection.
Procedural: At Level 2 maturity an organization follows analysis procedures created by others. It has a high or extremely high level of routine data collection.
Innovative: At Level 3 maturity an organization creates new data analysis procedures. It has a high or extremely high level of routine data collection.
Modern adversaries are automating their techniques, tactics, and procedures to evade preventative defenses, so it makes sense that enterprise security teams can better keep up with attacks by automating their manual workloads. Incorporating automation benefits cyber threat hunting processes and helps SOCs better use their staff and resources. These include:
What foundational security resources are required for an enterprise to implement in-house threat hunting or subscribe to a threat hunting service?
We can’t expect machines to be ethical or strategic. And we can’t expect humans to be good at searching large volumes of data at speed and scale or performing complex pattern matching. That’s why human machine teaming is crucial.
Optimize Human Expertise Through Human Machine Teaming
Here’s what it takes to run an effective and efficient cyber threat hunting program based on human machine teaming:
Human Hunters: Budget personnel and time for analysts to focus on hunting. Threat hunting requires human interaction and input to get to a resolution quicker with more accuracy.
Knowledge of the threat landscape and the solid understanding of the IT environment, along with creative and intuitive thinking, are core fundamentals for a cyber threat hunter.
Humans help get to a resolution quicker with more accuracy, and remove redundant and mundane manual errors that can be riddled with mistakes.
Organizational Model: Each organization must choose the appropriate model for its hunt team. Models are based on an organization’s size and budget, along with the availability of analysts who can provide diverse skillsets.
According to SANS: “Threat hunting entails a more mature organization with a defensible network architecture, advanced incident response capabilities, and security monitoring/security operations team.”
Tools and Technology: Many enterprises use comprehensive endpoint security solutions for detection and response, as well as security monitoring services and management tools. These solutions can include:
SIEM and statistical intelligence analysis tools, such as SAS programs
Threat intelligence platforms (TIPs), where threat intelligence is gathered and curated
Industry threat data banks, such as the Financial Services Information Sharing and Analysis Center (FSISAC) and other ISACs, for security data with actionable indicators
Bad IP address or hash, vulnerability management for published risks, and online reputable publications on threats
Generally, these technologies are siloed, requiring cyber threat hunters to manually integrate their outputs to reach a decisive conclusion.
This complexity presents a significant challenge for organizations lacking the necessary human expertise and resources.
Data: By establishing a baseline of a network’s traffic or system behavior, security personnel can then develop a baseline of expected and authorized events from which to identify anomalies. Use threat intelligence to focus on high-impact malicious activities first.
Learn how to use existing tooling to perform threat hunting and detection engineering to find hidden threats and strengthen your defenses.
Trellix receives recognition for its innovative security portfolio in the 2025 Global InfoSec Awards.
How do the most effective threat hunters operate? They start with the highest-quality intelligence and don’t stop until they’ve tracked a threat from detection to eradication.