What is threat hunting?

Threat hunting, also known as cyberthreat hunting, is a proactive approach to identifying previously unknown, or ongoing non-remediated threats, within an organization's network.


Why threat hunting is important

Threat hunting is important because sophisticated threats can get past automated cybersecurity. Although automated security tools and tier 1 and 2 security operations center (SOC) analysts should be able to deal with roughly 80% of threats, you still need to worry about the remaining 20%. The remaining 20% of threats are more likely to include sophisticated threats that can cause significant damage. Given enough time and resources, they will break into any network and avoid detection for up to 280 days on average. Effective threat hunting helps reduce the time from intrusion to discovery, reducing the amount of damage done by attackers.

Attackers often lurk for weeks, or even months, before discovery. They wait patiently to siphon off data and uncover enough confidential information or credentials to unlock further access, setting the stage for a significant data breach. How much damage can potential threats cause? According to the "Cost of a Data Breach Report 2020," a data breach costs a company almost USD 4 million on average. And the harmful effects of a breach can linger for years. The longer the gap between the compromise and the deployed response, the more it can cost an organization.

How threat hunting works

A successful threat hunting program is based on an environment's data fertility. In other words, an organization must first have an enterprise security system in place, collecting data. The information gathered from it provides valuable clues for threat hunters.

Cyber threat hunters bring a human element to enterprise security, complementing automated systems. They are skilled IT security professionals who search, log, monitor and neutralize threats before they can cause serious problems. Ideally, they're security analysts from within a company's IT department who know its operations well, but sometimes they're outside analysts.

The art of threat hunting finds the environment's unknowns. It goes beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR) and others. Threat hunters comb through security data. They search for hidden malware or attackers and look for patterns of suspicious activity that a computer might have missed or judged to be resolved but isn't. They also help patch an enterprise's security system to prevent that type of cyberattack from recurring.

Types of threat hunting

Hunters begin with a hypothesis based on security data or a trigger. The hypothesis or trigger serves as a springboard for a more in-depth investigation into potential risks. These deeper investigations take three forms: structured, unstructured and situational hunting.

Structured hunting

A structured hunt is based on an indicator of attack (IoA) and the tactics, techniques and procedures (TTPs) of an attacker. All hunts are aligned with and based on the TTPs of the threat actors. Therefore, the hunter can usually identify a threat actor even before the attacker can cause damage to the environment. This hunting type uses the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework, drawing on both the PRE-ATT&CK and enterprise matrices.

Unstructured hunting

An unstructured hunt is initiated based on a trigger, one of many indicators of compromise (IoC). This trigger often cues a hunter to look for pre- and post-detection patterns. Guided by that trigger, the hunter can research as far back as data retention and previously associated offenses allow.

Situational or entity driven

A situational hypothesis comes from an enterprise's internal risk assessment or a trends and vulnerabilities analysis unique to its IT environment. Entity-oriented leads come from crowd-sourced attack data that, when reviewed, reveal the latest TTPs of current cyberthreats. A threat hunter can then search for these specific behaviors within the environment.

Hunting models

Intel-based hunting

Intel-based hunting is a reactive hunting model that uses IoCs from threat intelligence sources. From there, the hunt follows predefined rules established by the SIEM and threat intelligence.

Intel-based hunts can use IoCs, hash values, IP addresses, domain names, networks, or host artifacts provided by intelligence sharing platforms such as computer emergency response teams (CERT). An automated alert can be exported from these platforms and input into the SIEM as structured threat information expression (STIX) over trusted automated exchange of intelligence information (TAXII). Once the SIEM has the alert based on an IoC, the threat hunter can investigate the malicious activity before and after the alert to identify any compromise in the environment.
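The intel-based flow above, reduced to working code: take the atomic IoCs out of a STIX 2.1 indicator bundle, match them against endpoint and network log lines, and hand the hunter the surrounding activity on the same host so the "before and after" of each hit can be reviewed. This is an added example, not IBM's code or a product feature. The STIX bundle, the log format (`key=value` fields after an ISO timestamp) and the log lines are all constructed here; the IP, domain and hash values are sample data, not real indicators, and the 20-minute context window is an arbitrary choice.

```python
"""Intel-based hunt: STIX indicator values -> log matches -> host context.
Added example with constructed data; not IBM's code."""
import json
import re
from datetime import datetime, timedelta

# Constructed STIX 2.1 indicator bundle (sample values, not real intelligence).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f1e2d3c-4b5a-4c6d-8e7f-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f1e2d3c-4b5a-4c6d-8e7f-000000000002",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f1e2d3c-4b5a-4c6d-8e7f-000000000003",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-check.example']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f1e2d3c-4b5a-4c6d-8e7f-000000000004",
         "pattern_type": "stix",
         # Constructed hash (SHA-256 of the string "test"), used only as sample data.
         "pattern": "[file:hashes.'SHA-256' = "
                    "'9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']"},
    ],
})

# Constructed log lines in an assumed "timestamp key=value ..." format.
LOG_LINES = r"""
2024-05-02T09:02:11Z host=ws-17 user=jdoe event=logon src=10.0.4.22
2024-05-02T09:14:03Z host=ws-17 user=jdoe event=process image=C:\Users\jdoe\AppData\Local\Temp\svc.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2024-05-02T09:14:09Z host=ws-17 user=jdoe event=dns query=update-check.example
2024-05-02T09:14:10Z host=ws-17 user=jdoe event=netconn dst=203.0.113.45 dport=443
2024-05-02T09:31:45Z host=ws-17 user=jdoe event=logoff
2024-05-02T10:05:00Z host=db-03 user=svc_backup event=netconn dst=10.0.9.7 dport=5432
2024-05-02T11:48:20Z host=ws-22 user=asmith event=dns query=docs.example.org
"""

# One equality comparison inside a STIX pattern, e.g. [ipv4-addr:value = '1.2.3.4'].
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']+)'")


def extract_iocs(bundle_json):
    """Map each atomic IoC value to (STIX object path, indicator id).
    Only simple equality comparisons are handled; chained or timed
    patterns would need a full STIX pattern evaluator."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            iocs[value.lower()] = (path, obj["id"])
    return iocs


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def hunt(events, iocs, window=timedelta(minutes=20)):
    """Return every event carrying an IoC value, plus the other events on the
    same host within +/- window, so the hunter sees what preceded and followed."""
    hits = []
    for ev in events:
        matched = [(k, v) for k, v in ev.items() if k != "ts" and v.lower() in iocs]
        if not matched:
            continue
        field, value = matched[0]
        context = [e for e in events
                   if e is not ev and e["host"] == ev["host"]
                   and abs(e["ts"] - ev["ts"]) <= window]
        hits.append({"hit": ev, "field": field, "ioc": value,
                     "indicator": iocs[value.lower()][1], "context": context})
    return hits


if __name__ == "__main__":
    for h in hunt(parse_log(LOG_LINES), extract_iocs(STIX_BUNDLE)):
        print(f"{h['hit']['ts']} {h['hit']['host']} {h['field']}={h['ioc']} ({h['indicator']})")
        for e in h["context"]:
            print(f"    {e['ts']} {e['event']}")
```

Each hit is tied back to the indicator id that produced it, which is what lets the hunter report which piece of shared intelligence fired. The context list is what turns an alert into a hunt: the logon before the first hit and the DNS and network events after it are the timeline to walk, not the single matching line.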

Hypothesis hunting

Hypothesis hunting is a proactive hunting model that uses a threat hunting library. It's aligned with the MITRE ATT&CK framework and uses global detection playbooks to identify advanced persistent threat groups and malware attacks.

Hypothesis-based hunts use the IoAs and TTPs of attackers. The hunter identifies the threat actors based on the environment, domain and attack behaviors employed to create a hypothesis aligned with the MITRE framework. Once a behavior is identified, the threat hunter monitors activity patterns to detect, identify and isolate the threat. This way, the hunter can proactively detect threat actors before they can do damage to an environment.
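A hypothesis-driven hunt, as described in the two paragraphs above, works from a behavior rather than from a known bad value: the hunter writes down the hypothesis, maps it to an ATT&CK tactic, and runs it over activity data looking for the pattern. The added example below (not IBM's code or a product feature) keeps a small "hunting library" of hypotheses and runs one of them, "a single account fanning out to many distinct hosts in a short window", over constructed authentication records. The mapping of that behavior to the ATT&CK tactic named Lateral Movement, the 10-minute window and the threshold of three hosts are all assumptions chosen for the example; a real hunt would tune them to the environment's baseline.

```python
"""Hypothesis-based hunt over authentication telemetry.
Added example with constructed data; not IBM's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication records in an assumed "timestamp key=value ..." format.
AUTH_LOG = """\
2024-05-02T08:55:10Z account=asmith src=ws-22 dst=fs-01 result=success
2024-05-02T09:10:02Z account=asmith src=ws-22 dst=mail-01 result=success
2024-05-02T13:00:41Z account=jdoe src=ws-17 dst=fs-01 result=success
2024-05-02T13:01:05Z account=jdoe src=ws-17 dst=fs-02 result=success
2024-05-02T13:01:30Z account=jdoe src=ws-17 dst=db-03 result=failure
2024-05-02T13:02:12Z account=jdoe src=ws-17 dst=db-03 result=success
2024-05-02T13:03:48Z account=jdoe src=ws-17 dst=app-05 result=success
2024-05-02T13:04:20Z account=jdoe src=ws-17 dst=app-06 result=success
2024-05-02T16:20:00Z account=svc_backup src=bk-01 dst=db-03 result=success
"""


def parse_auth(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def fan_out(events, window, max_distinct_hosts):
    """Sliding window per account: flag the first moment an account has
    authenticated to more than max_distinct_hosts hosts within `window`."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)
    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits inside `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            hosts = {e["dst"] for e in in_window}
            if len(hosts) > max_distinct_hosts:
                findings.append({
                    "account": account,
                    "first": evs[start]["ts"],
                    "last": ev["ts"],
                    "hosts": sorted(hosts),
                    "sources": sorted({e["src"] for e in in_window}),
                })
                break  # one finding per account is enough to open a case
    return findings


# The hunting library: each entry is a hypothesis, its assumed ATT&CK tactic,
# the parameters it runs with, and the function that tests it.
HYPOTHESES = [
    {
        "name": "One account fans out to many hosts in a short window",
        "tactic": "Lateral Movement",  # assumed ATT&CK tactic mapping
        "params": {"window": timedelta(minutes=10), "max_distinct_hosts": 3},
        "test": fan_out,
    },
]


def run_hypotheses(events, library=HYPOTHESES):
    """Run every hypothesis in the library and tag findings with its name and tactic."""
    results = []
    for hyp in library:
        for finding in hyp["test"](events, **hyp["params"]):
            results.append({"hypothesis": hyp["name"], "tactic": hyp["tactic"], **finding})
    return results


if __name__ == "__main__":
    for r in run_hypotheses(parse_auth(AUTH_LOG)):
        print(f"[{r['tactic']}] {r['hypothesis']}: {r['account']} from {r['sources']} "
              f"reached {r['hosts']} between {r['first']} and {r['last']}")
```

Nothing in the finding depends on a known-bad IP, hash or domain, which is the point of the model: the hunt fires on how an account behaves, so it can surface activity that no intelligence feed has seen yet. The library structure is what makes hunts repeatable; adding a hypothesis means adding an entry with its tactic, parameters and test function, and the same runner covers it.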

Custom hunting

Custom hunting is based on situational awareness and industry-based hunting methodologies. It identifies anomalies in the SIEM and EDR tools and is customizable based on customer requirements.

Custom or situational hunts are based on customers' requirements, or they're proactively executed based on situations, such as geopolitical issues and targeted attacks. These hunting activities can draw on both intel- and hypothesis-based hunting models using IoA and IoC information.

What's the difference between threat hunting and threat intelligence?

Threat intelligence is a data set about attempted or successful intrusions, usually collected and analyzed by automated security systems with machine learning and AI.

Threat hunting uses this intelligence to carry out a thorough, system-wide search for bad actors. In other words, threat hunting begins where threat intelligence ends. Even more, a successful threat hunt can identify threats that have not yet been spotted in the wild.

Also, threat hunting uses threat indicators as a lead or hypothesis for a hunt. Threat indicators are virtual fingerprints left by malware or an attacker, a strange IP address, phishing emails or other unusual network traffic.

Related Solutions

Cyber threat hunting

Significantly improve detection rates and accelerate time to detect, investigate and remediate threats. Learn how to start your own cyberthreat hunting program.

Managed detection and response

IBM Security Managed Detection and Response (MDR) delivers a turnkey, 24x7 threat prevention, detection, and response capability. IBM's proactive threat hunters work with organizations to help identify their crown jewel assets and critical concerns.

Security information and event management (SIEM)

Build out your SIEM foundation and develop a comprehensive program that can be augmented with changing times. Identify insider threats, track endpoint devices, secure the cloud and manage compliance with IBM Security.

Security orchestration, automation and response (SOAR)

Threat detection is only half of the security equation. To improve your security operations center (SOC), you should also consider smart incident response and a single, integrated security orchestration, automation and response (SOAR) platform with managed services.

Offensive security services

Find and fix your most critical known and unknown vulnerabilities with X-Force® Red. This autonomous team of veteran hackers works with IBM to test your security and uncover weaknesses that criminal attackers may use for personal gain.