Threat hunting explained: what is cyber threat hunting?

What is threat hunting?

The process of threat hunting involves proactively searching for malware or attackers that are hiding within a network. Rather than simply relying on security solutions or services to detect threats, threat hunting is a predictive element to a layered security strategy, empowering organizations to go on the offensive looking for threats. Threat hunting is typically carried out by highly skilled security professionals using sophisticated toolsets to identify and stop hard-to-find malicious activities on a network.

According to Microsoft, an attacker resides on a compromised network a median time of 146 days before being discovered, making this kind of attack an advanced persistent threat (APT). In this amount of time, attackers residing on a network in stealth, can exfiltrate data, access applications to identify and use business details to commit fraud, or laterally move through a network gathering credentials for access to even more valuable data and resources.

Why is threat hunting necessary?

Organizations implementing good security practices and tools such as antivirus, email, and web scanning, firewalls, etc. are taking the necessary first steps. A layered security strategy can be effective in stopping the majority of cyberattacks. However, it should be assumed that some small percentage of advanced attacks will evade detection by traditional security solutions, giving cyber criminals access to an organization’s network for as long as they deem necessary to carry out their malicious activities. Because of the potential risk, it’s this small percentage of attacks that can spur an organization to participate in threat hunting.

Implementing a security posture that prevents and detects attacks is defensive in nature – as the idea is to attempt to stop an attack before it happens. Threat hunting is a predictive and offensive tactic, based on the assumption that an attacker has already successfully gained access (despite an organization’s best efforts). Threat hunting uses a mixture of forensics capabilities and threat intelligence to track down where attackers have established footholds within the network and eliminate their access before any damaging malicious actions can take place.

Award Winning SIEM

Threat detection, incident response, and compliance management in one, unified solution.

Learn more

Threat hunting and indicators of compromise (IoCs)

Threat hunting generally begins with security analysts working through threat intelligence, understanding of the environment they secure, and other security data sources to postulate about a potential threat. Threat hunters then look for indicators of compromise (IoCs) found in forensic “artifacts” to identify threatening activity that align with the hypothesized threat activity. 

These artifacts are bits of data from server logs, network traffic, configurations, and more that help threat hunters determine if suspicious activities have taken place. Artifacts include:

• Network-based artifacts – Monitoring listening ports of internet-facing systems, threat hunters can monitor traffic as well as look through packet session recordings, looking for unusual outbound traffic, abnormal communication geographies, irregular amounts of inbound or outbound data, etc.
• Host-based artifacts – Changes in file systems and the Windows registry are two places threat hunters can find anomalous settings and content. Scanning registry values and monitoring changes made to file systems are common threat hunting activities.
• Authentication-based artifacts – Monitoring or reviewing the login (or attempted login) of privileged accounts on endpoint, servers, and services can be useful for a threat hunter to follow the trail used by an attacker to identify which accounts have been compromised and need to be remediated.

The path taken during the “hunt” is only defined by the details discovered. For example, spotting anomalous outbound network traffic would lead a threat hunter to take a closer look at the endpoint transmitting that traffic. Thus, there’s no one established threat hunting process that applies to every hunt.

Threat hunting tools

Cyber threat hunters need to examine both historical and current state details of what actions have transpired on systems and across the network. They need to rely on a number of tools and data sources to assist with their investigations. These include:

• Security monitoring tools - Cyber threat hunters use the monitoring data from various kinds of security monitoring solutions. The monitoring data from firewalls, endpoint protection, data loss prevention, network intrusion detection, insider threat detection, and other security tools all provide threat hunters with attack details that help paint a picture of the activities performed by an attacker still residing in the network. The goal is to collect event log data from as many sources as is possible to also provide context by correlating the various monitoring data sets.
• SIEM solutions - Security Information and Event Management (SIEM) solutions collect structured log data from a wide range of sources within a network environment,  providing near-real-time analysis of the data and producing security alerts to IT. SIEM solutions help threat hunters to automatically gather and make sense of the massive amount of log data from security monitoring tools and other sources, making it possible to identify previously unseen security threats.
• Analytics tools - Cyber threat hunters are human, so there’s only so much analysis and correlation the mind can come up with on its own. Analytics tools that do either statistical or intelligence analysis can be of great use. Tools offering statistical analysis use mathematical algorithms instead of human-defined rule sets to identify any data anomalies that may signify attack activity. Intelligence analytics software allows the threat hunter to visualize complex relational data through the use of interactive dashboards. These analysis tools make it possible for threat hunters to see otherwise hidden relationships between different data sets that, together, can indicate an attack.
• Threat intelligence – Threat hunters need a repository of data on known malicious IP addresses, malware hashes, IoC artifacts, etc. This data can be found in both open source and subscription-based forms on the web, such as the Open Threat Exchange powered by AT&T Alien Labs.
• Other tools – Depending on the path threat hunting takes, plenty of other function-specific tools are valuable to the process. For example, the examining of PDF behavior, PowerShell actions, and JavaScript execution require additional solutions to address.

How threat hunting empowers AT&T Cybersecurity solutions

One of our key brand promises is to deliver our customers the tactical threat intelligence needed for timely and resilient detection and response to threats against their organization.

AT&T Alien Labs delivers breakthrough visibility across your business via our unrivaled vantage point of the threat landscape. We collect diverse threat data for analysis, interpretation, and enrichment from our global sensor network, AT&T proprietary data sources, and AT&T Alien Labs Open Threat Exchange (OTX). This tactical threat intelligence is integrated into our Unified Security Management (USM) platform and our Managed Threat Detection and Response service. Learn more by visiting our AT&T Alien Labs main page.