Threat hunting is when computer security experts actively look for and root out cyber threats that have secretly penetrated their computer network. Threat hunting involves looking beyond the known alerts or malicious threats to discover new potential threats and vulnerabilities.
Threat hunting is an active IT security exercise with the intent of finding and rooting out cyber attacks that have penetrated your environment without raising any alarms. This is in contrast to traditional cybersecurity investigations and responses, which stem from system alerts, and occur after potentially malicious activity has been detected.
Threat hunting involves going beyond what you already know or have been alerted to. Security software alerts users to the risks and behaviors connected to common threats, such as malware. Threat hunting is about venturing into the unknown to discover new cyber threats.
Organized, skilled, and well-funded attackers exist. They will work diligently looking for a weakness to exploit if you become their target. You can't possibly uncover everything, even with the best security tools. This is where threat hunting comes in. Its primary mandate is to find just these types of attackers.
To carry out a threat hunting campaign, a mix of core skills is needed in a team. These skills include:
You may wish to undertake a threat hunting exercise when you suspect risky behavior has occurred. Ultimately, the most successful hunts are those that are planned. You need to set a scope for the hunt, identify clear goals, and set aside a block of time to perform the exercise. When you are done, you need to assess steps to improve your security posture, establishing threat prevention playbooks to address the results moving forward.
Ultimately, data is key to any successful threat hunt. Before you can do anything related to threat hunting, you need to ensure you have adequate logging capability to carry out the hunt. If you can't see what is happening on your systems, then you can't respond in kind. Choosing which systems to pull data from will often depend on the scope of the hunt. In some cases, you may want to install tools to monitor particular types of traffic. The logs pulled by these temporary systems will then be utilized in the hunt.