The Secrets of Successful Cybersecurity Threat Hunters

As cyber attacks become more complex, companies are taking a proactive approach to get ahead of hackers.

  • By Gilad David Maayan
  • Nov 13, 2019

It is no news that cybersecurity attacks are becoming more sophisticated and numerous. The traditional passive approach of reacting to attacks is not being successful. While threat hunting is not a new technique, its relevance is increasing as a way to get ahead of attackers. This article provides an introduction to threat hunting and some characteristics of a successful threat hunting team.

Introduction to Threat Hunting

Threat hunting is a proactive approach to cybersecurity focused on actively searching for attackers. Threat hunters analyze the environment looking for patterns and signs of malicious activity. While human participation is critical for threat hunting, this approach also includes tools such as threat hunting systems, which can support the operation.

Threat hunters use tools to achieve highly granular visibility into the system and network. Then, they look for anomalies in the system, analyzing the possibility of a threat. Threat hunting is a systematic activity—threat hunters need to constantly look for evidence of a possible intrusion. For example, hunting for attributes such as unusual network activity or changes to registry entries.

Understanding Security Threats

Security attacks are now commonplace with data breaches appearing in the news every other day. What motivates attackers? Almost always, the primary motivation is financial gain. Attackers usually steal information they can sell on the dark web. For example, credit card numbers or medical records. Other motivations can be:

  • Political—political activists attack sites to make a political statement. For example, the hacking group Anonymous.
  • Intellectual property theft—these attacks are sometimes sponsored by nations or by rival companies seeking to gain market advantage. Attackers can steal weapons plans or commercial product designs.
  • Revenge—dissatisfied employees can wreak havoc on a company system as a way to avenge themselves. For example, leaking or misusing privileged information.
  • Fame—attackers are valued in their communities for taking down high-visibility companies. They can carry on attacks as a form of gaining recognition among other hackers.

Attackers are constantly innovating, trying new methods to gain access to systems and data. This results in an increase in cyber attacks, as evidenced by the massive data breaches reported in 2019. Here are some notable attacks:

  • Aadhaar data breach—the personal information of 1.5 billion Indian citizens was exposed in a data breach of the nation’s ID database.
  • Facebook breach—a server containing the phone numbers of 419 million users was found online. The server contained several databases, and didn’t have a password, so anybody could access it. The exposed records containing the unique Facebook ID numbers and the phone numbers linked to them.
  • Collection 1—this breach, reported by a security researcher, leaked more than one billion emails and password.
  • Fortnite data breach—early in 2019, an old unsecured website page was used to send phishing emails, exposing 200 million Fortnite user accounts.

According to the Cyber Security Breaches Survey 2019, the most common type of attacks this year were phishing, followed by ransomware and denial-of-service attacks.

The Importance of Threat Hunting Teams

Many companies continue to use passive cybersecurity measures, geared to detect intruders once they breached into the system. Attackers generally start by stealing valid login credentials. They use the stolen credentials for search-and-steal missions, using techniques that an end-user doesn’t’ use. Threat hunters look actively for these anomalies. Some of the reasons an organization should use a threat hunting team are:

  • Stealthy techniques—these days, malware easily overcome traditional cybersecurity measures. One of the stealthy techniques they use is polymorphic malware—a type of malware that continuously changes its features to avoid detection.
  • Evolving attack vectors—attackers innovate, creating new forms of attacks regularly.Threat hunting teams constantly search for new patterns and attack vectors, staying ahead of the attackers’ innovations.
  • Dwell time—the average time before detecting an attack is 180 days. Organizations cannot afford to let an attacker dwell in the system for weeks or months while the impact of the breach grows. Threat hunters can detect attackers early in the process, usually before they can cause damage, preventing dwelling time.

Threat Hunting Techniques

Threat hunters should be skilled not only in cybersecurity. They should have a broad knowledge of systems, administration, and programming, too. Below, you’ll find a number of threat-hunting techniques employed to find threats.

Searching

Threat hunters start by systematically searching data sources to find threats. This process involves using specific queries to return results. The queries shouldn’t be so broad that they return too many results or too narrow that leave out potential threats.

Some of the data sources include logs, alerts, system events or memory dumps. Threat hunters use threat hunting tools to collect and correlate the data.

Clustering

Cluster analysis is a type of Machine Learning (ML) that correlates data from distributed sources, such as logs and records from investigations. The term refers to group a set of objects in a cluster according to similarities between them. Clustering helps threat hunters to extract valuable information from terabytes of data.

The image above shows how scientists can use different algorithms to obtain different results with data.

Stack Counting

The term refers to when an investigator inspects a data set of similar values trying to find similarities. For example, when detecting an anomaly in a metric, investigators should look for clues about what is causing it. Investigators filtering the data end with a stack of data that is specific for this query. Threat hunters use filtering tools to help them with this technique.

Threat Hunting Secrets: Successful Strategies

Advanced threat hunting teams share several characteristics that contribute to their success.

Automate investigation

75% of threat hunting teams automate attack investigation. This allows the team to spend more time hunting than investigating indicators of compromise (pieces of data that identify malicious activity).

Investigating efficiently

Time is of the essence in threat hunting. The mark of a successful team is closing the investigation in 24 hours time.

Know which are your critical assets

Sometimes security teams don’t take the time to assess the assets and identify where they should prioritize their protection efforts, such as critical systems. Security teams should also identify privileged users in order to protect their credentials.

Use sandboxes to work more efficiently

A sandbox is a security mechanism that isolates running programs. This enables security teams to separate software vulnerabilities, preventing it from spreading.

Install the right tools

The basic set of tools of a threat hunting team requires a SIEM solution, endpoint monitoring, and threat intelligence. This can ensure the team can effectively detect potential threats across the network.

Know your vulnerability landscape

Your team should understand which vulnerabilities are common to your industry. This includes the potential threats and attack vectors other companies in your industry are facing.

Threat hunting workflow

Part of a successful strategy is to have an efficient workflow. Threat hunting requires you to monitor and search the network for signals of a potential attack. An efficient threat hunting workflow should include the following steps:

  • Visibility—a key component of threat hunting is identifying normal network activity. Threat hunters use monitoring tools to gain granular visibility of the environment.
  • Hypothesis—hunters search for anomalies in IPs, certificates, and activities. The goal is to try to recognize patterns that indicate malicious activity. They do this by elaborating on a hypothesis and opening an investigation to prove it.
  • Conviction—the hunters try to prove their hypothesis by searching for related indicators. This helps threat hunters to understand the characteristics and severity of the potential threat.
  • Alerting—if the potential threat is confirmed, the threat hunting team works with the incident response team to act before the threat can cause harm. Many threat hunting teams also perform remediation techniques.

The Bottom Line

Efficient threat hunting requires assessing normal network activity, installing the right tools, and following proven strategies. Threat hunters delve deep into networks, looking for patterns and signs that can indicate an attack as it occurs. As attackers become more sophisticated, a threat hunting team becomes a crucial part of any security operation, enabling security teams to effectively prevent attacks and strengthen the security posture of their organization.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services

  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

Most   Popular

New Products

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.