Cyber Threat Hunting (1): Intro

After some long months debating whether to write a white paper, and what potential topics I could write about – I just decided that I do not have enough time to go through the process of writing a research paper for the next 6 to 12 months. Instead, I am taking some of my research and current experience  and I am sharing it with you. I will be brief and to the point – it is not my intention to spend much time in the bushes. I want to provide you with a solid foundation to start hunting an understanding the “creativity” behind the process.

HunterI am actively involved in memory forensics, that was my original idea for my white paper, however I decided that this area overlaps with this subject and it is part of threat hunting in the endpoint – which I will also cover up in the next months. These new series of articles are about threat hunting, which is currently the buzz in the industry.

The funny thing about threat hunting is that everybody speaks and writes about it, telling you what you need to do but not telling you how to do it.

Incident response has evolved from  a reactive approach to a complete new proactive approach, in which you as a first responder, rather than waiting for the breach to happen you are actively looking for adversaries in your network in order to avoid that breach from happen.

To formally define it, we can explain threat hunting as the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain. The earlier you locate and track your adversary in the chain the less impacting activities he will carry on in your organization’s network.

Threat hunting provides many benefits for your organization and cyber analysts – Incident responders:

  • Gaining visibility and uncovering your organization’s weaknesses
  • Early detections of threats
  • Damage control
  • Improvement of automatic countermeasures

For the personnel in charge of the defense of your networks it provides:

  • A better understanding of the threat profile of your organization
  • Understanding your organization’s network layout and behaviour
  • Deep familiarization with your organization network technology
  • Potential to improve their careers

What does the hunting cycle look like?
What are the existing approaches to threat hunting?

The threat hunting cycle is extremely similar to the incident response cycle.


I will not get into detail about the different stages as they are very easy to understand.

In regards to the approaches to threat hunting we can discuss 2 different approaches – Automated or continuous hunting or On-demand hunts. Automated or continuous hunt focuses on anomalies, unusual connections, strange registry keys and anything else out of the baseline.

On-demand hunts look for particular attacks, IoC’s within an organization. To do this you need to know exactly what to look for.

We will not be dealing with On-demand hunts, this is the ground for the Threat intelligence team with their IoC’s. This approach, although useful, is very limited and provides very little results as the threat infrastructure life cycle lasts a few days or even hours. This ultimately means that it is very difficult to hunt using “known” IoC’s unless the threat information has been shared within hours of the initial detection and this is a very well known challenge in the industry. The share of threat intelligence information remains an obstacle in the industry.

I will dedicate a quick post to this hunting approach and some other support posts to understand the threat infrastructure life cycle, but the focus of these future articles will be continuous hunting.

As part of my past experience in business development and my interest in technology to solve problems, I am always looking for new people, startups or companies that are working in interesting technological solutions. One of the few vendors that is  exploiting hunting as the next leap in the world of cyber security right now is Sqrrl.

Sqrrl  has defined a Threat Huntin Maturity Model. This model is very similar to the Capabilities Maturity Model Integration (CMMI) which is a generic process model improvement. It is worth keeping an eye in vendors like this.

In my next post I will continue the journey we started here and I will get you ready to start hunting.

4 Comments Add yours

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s