Cyber Threat Hunting

Cyber threat hunting is an active cyber defence activity: the process of proactively and iteratively searching through networks, software and applications, and SIEM data, using knowledge of the organisation's assets together with industry reports and other intelligence about attacker Tactics, Techniques and Procedures (TTPs), to detect and isolate advanced threats that evade existing security solutions.


This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandboxes and SIEM systems, which typically involve an investigation of evidence-based data only after there has been a warning of a potential threat.


Threat hunting has traditionally been a manual process, in which a security analyst sifts through various data sources using their own knowledge and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, lateral movement by threat actors. To be even more effective and efficient, however, threat hunting can be partially automated, or machine-assisted, as well. In this case, the analyst uses software that leverages machine learning and user and entity behavior analytics (UEBA) to inform the analyst of potential risks.

The analyst then investigates these potential risks, tracking suspicious behavior in the network. The hunting is an iterative process, meaning that it must be continuously carried out in a loop, beginning with a hypothesis. The hypothesis can focus efforts on known exploits, potential bad actors or assets and data of value. Using security data, industry reports and other intelligence, the hypothesis is formed, and the hunt team sets out to prove or disprove its validity. Cyber threat hunts often employ both automated and manual tools and techniques to identify a compromise before it is detected.

There are three types of hypotheses:

Analytics-Driven

“Machine-learning and UEBA used to develop aggregated risk scores that can also serve as hunting hypotheses”.

Intelligence-Driven

“Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans”.

Situational-Awareness Driven

“Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends”.

The analyst researches their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.

The Detection Maturity Level (DML) model expresses threat indicators that can be detected at different semantic levels. High semantic indicators such as goal and strategy, or Tactics, Techniques and Procedures (TTPs), are more valuable to identify than low semantic indicators such as network artifacts and atomic indicators such as IP addresses. SIEM tools typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.
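As an added illustration (not part of the original article), the hunting loop described above applied to the lateral-movement hypothesis: the hypothesis is tested against a constructed set of network logon events, and accounts the analyst disproves are fed back into the next iteration. Account names, hosts and timestamps are all constructed; the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample of remote (network) logon events, not real telemetry.
# Each row: timestamp, account, destination host.
SAMPLE_LOGONS = [
    ("2024-03-01T09:00:00", "alice", "WS-01"),
    ("2024-03-01T09:02:00", "alice", "WS-02"),
    ("2024-03-01T09:03:00", "alice", "FS-01"),
    ("2024-03-01T09:04:00", "alice", "DC-01"),
    ("2024-03-01T09:05:00", "alice", "WS-07"),
    ("2024-03-01T10:00:00", "bob", "WS-03"),
    ("2024-03-01T13:00:00", "bob", "FS-01"),
    ("2024-03-01T14:00:00", "svc-backup", "FS-01"),
    ("2024-03-01T14:01:00", "svc-backup", "FS-02"),
    ("2024-03-01T14:02:00", "svc-backup", "FS-03"),
]

@dataclass
class Hypothesis:
    name: str                 # what the hunt team is trying to prove or disprove
    window: timedelta         # how fast the fan-out must happen to be suspicious
    min_hosts: int            # distinct hosts reached inside one window
    known_benign: set = field(default_factory=set)  # accounts disproved earlier

def hunt(events, hyp):
    """Test the hypothesis against the data: return, per account, the set of
    distinct hosts it reached within any sliding window of hyp.window."""
    by_account = defaultdict(list)
    for ts, account, host in events:
        by_account[account].append((datetime.fromisoformat(ts), host))
    findings = {}
    for account, rows in by_account.items():
        if account in hyp.known_benign:
            continue  # already investigated and explained in a previous loop
        rows.sort()
        for i, (start, _) in enumerate(rows):
            hosts = {h for t, h in rows[i:] if t - start <= hyp.window}
            if len(hosts) >= hyp.min_hosts:
                findings[account] = sorted(hosts)
                break
    return findings

def refine(hyp, disproved):
    """Iteration step: accounts the analyst disproved (e.g. a backup service
    account that legitimately touches every file server) are stored so the
    next hunt, or the automated detection built from it, skips them."""
    return Hypothesis(hyp.name, hyp.window, hyp.min_hosts,
                      hyp.known_benign | set(disproved))
```

The first pass flags both `alice` and `svc-backup`; after the analyst disproves the service account, the refined hypothesis flags only `alice`.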