Threat Hunting: The What, Why and Who?

Sep 07, 2017
5 minutes

It’s hard to accept it, but there is an excellent chance that any network may already have hidden threats lurking in the background. No cybersecurity system is impenetrable or capable of recognizing or stopping every potential threat. Hackers’ tactics, weapons and technologies are evolving so rapidly that by the time a new threat signature is learned, defenses may have already been penetrated. As a result, an increasing number of organizations are becoming proactive about threat hunting.

What Is Threat Hunting?

Three things are required before an adversary can be considered a threat: opportunity, intent and capability to cause harm. Threat hunting focuses on identifying perpetrators who are already within the organization's systems and networks, and who have the three characteristics of a threat. Threat hunting is a formal process that is not the same as preventing breaches or eliminating vulnerabilities. Instead, it is a dedicated attempt to proactively identify adversaries who have already breached the defenses and found ways to establish malicious presence in the organization’s network.

Why Is Threat Hunting Important?

Although perpetrators typically automate many of their attacks, there is still a human mind behind the threats. In today's world, these humans are developing top-notch skills — and they have the intelligence to use them to their best advantage. Many perpetrators are well-funded groups who are sponsored by foreign governments or criminal organizations. This means that they can initiate long-term attacks and be very persistent in maintaining them. Advanced persistent threats can remain hidden for months or even years before triggering an alert. If you wait for the alert, the consequences can be severe. Effective threat hunting allows companies to identify threats and counteract them, preventing or minimizing the extent of the damages.

Who Should Be a Threat Hunter?

To be successful, it is important to choose the right personnel for this job. But given the current talent gap, it may be difficult to hire experienced threat hunters. As a result, the budget may require that existing staff members combine threat hunting with their other duties. For example, a threat hunter may also be an analyst in the SOC or an incident responder. However, when choosing to train a threat hunter or selecting a current staff member to take on this challenge, it is important to choose people with the right characteristics.

  • Threat hunters should be curious and creative. A hunt begins by crafting a hypothesis about a particular activity or threat that might be present in an environment. For example, if executives have recently returned from a trip abroad, could their laptops have been compromised by state-sponsored hackers? If an employee reported a lost smartphone, have perpetrators used the phone to breach the system?
  • Threat hunters should be innovative analysts who know the organization as well as the threat landscape. Without sufficient knowledge of both the organization and the threat potential, they will not know the right questions to ask, making it impossible to find the answers they need.
  • Threat hunters should be skilled with multiple tools, such as SIEMs and malware analysis sandboxes. They need to know how to get the most benefit from every tool, but they also need to know the limits of each tool.

Why Is Automating Threat Hunting Important?

Perpetrators are embracing automated attacks like never before. This gives them the ability to be consistent as well as persistent. It also gives them the ability to process more data in less time, jumping from database to database or network to network with relative ease. If companies are trying to find and eliminate threats with manual processes or ad hoc hunts, they are at a severe disadvantage.

Since it is extremely hard and expensive to find skilled threat hunters, automation can help by programmatically running common threat hunting steps, saving time and resources for analysts. Senior threat hunters can build playbooks that can then be automated.

By automating threat hunting, looking for hidden threats doesn’t have to start from the beginning each time a hunt starts. A well-coordinated hunt maintains consistency and identifies patterns more efficiently. When the right people and automated processes are combined, the result is better long-term protection for the organization.

A well-designed threat hunting program, along with automation tools, can significantly reduce the risk and exposure of organizations. The three main things to keep in mind while designing the threat hunting program are: (1) hiring the right talent for threat hunting, (2) automating the common threat hunting best practices, and (3) documenting and measuring the threat hunting procedures.
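As an added example (not code from the original post or from any product it mentions), the block below turns one of the hypotheses raised earlier, "has a smartphone reported lost been used to authenticate after the loss report?", into a small repeatable hunt playbook. It shows the three design points together: the hypothesis is codified so the hunt does not restart from scratch each time, the query runs programmatically over authentication events, and the outcome is written as a hunt record with simple metrics that can be stored and compared across runs. The authentication log lines, user names, device IDs and the lost-device report are all constructed for the example.

```python
"""Repeatable threat hunt playbook (added example, not from the original post).

Hypothesis hunted: a device that was reported lost is used to authenticate
after the loss report. All sample data below is constructed.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Constructed authentication events, one JSON record per line, in the shape a
# SIEM export might take. These are sample values, not real data.
SAMPLE_AUTH_LOG = """
{"ts": "2017-09-01T08:02:11Z", "user": "jdoe", "device_id": "phone-7f3a", "result": "success", "geo": "US"}
{"ts": "2017-09-02T19:44:03Z", "user": "jdoe", "device_id": "phone-7f3a", "result": "success", "geo": "US"}
{"ts": "2017-09-04T03:15:27Z", "user": "jdoe", "device_id": "phone-7f3a", "result": "failure", "geo": "RO"}
{"ts": "2017-09-04T03:16:02Z", "user": "jdoe", "device_id": "phone-7f3a", "result": "success", "geo": "RO"}
{"ts": "2017-09-04T09:30:00Z", "user": "asmith", "device_id": "laptop-11c0", "result": "success", "geo": "US"}
"""

# Constructed lost-device report: the user reported phone-7f3a lost on Sep 3.
LOST_DEVICE_REPORTS: Dict[str, str] = {"phone-7f3a": "2017-09-03T17:00:00Z"}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(raw: str) -> List[dict]:
    """Read JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


@dataclass
class HuntResult:
    hypothesis: str
    events_examined: int
    findings: List[dict] = field(default_factory=list)

    @property
    def hit_count(self) -> int:
        return len(self.findings)


def hunt_lost_device_auth(events: List[dict], lost_reports: Dict[str, str]) -> HuntResult:
    """Playbook step: flag every authentication attempt from a device made
    after that device was reported lost. Failed attempts are kept as well,
    since a failed login from a lost device is itself worth analyst review."""
    findings = []
    for ev in events:
        reported_at = lost_reports.get(ev["device_id"])
        if reported_at is None:
            continue  # device was never reported lost; not in scope
        if parse_ts(ev["ts"]) > parse_ts(reported_at):
            findings.append(ev)
    return HuntResult(
        hypothesis="lost device used to authenticate after loss report",
        events_examined=len(events),
        findings=findings,
    )


def hunt_record(result: HuntResult) -> dict:
    """Document and measure the hunt: a record stored next to the playbook so
    the next run has a baseline (events examined, hits, affected users)."""
    return {
        "hypothesis": result.hypothesis,
        "events_examined": result.events_examined,
        "hits": result.hit_count,
        "devices": sorted({f["device_id"] for f in result.findings}),
        "users": sorted({f["user"] for f in result.findings}),
    }


def run_playbook() -> dict:
    """Run the whole hunt end to end over the constructed sample data."""
    events = load_events(SAMPLE_AUTH_LOG)
    return hunt_record(hunt_lost_device_auth(events, LOST_DEVICE_REPORTS))


if __name__ == "__main__":
    print(json.dumps(run_playbook(), indent=2))
```

Each hypothesis the team cares about becomes its own function like `hunt_lost_device_auth`, and the record returned by `hunt_record` is what gets kept: over time the hit counts per playbook show which hunts are paying off and which need a sharper hypothesis.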

Automate Your Threat Hunting with Cortex XSOAR

Cortex XSOAR provides integrated threat intelligence capabilities woven into an extensive incident management platform. The new capabilities enable customers to integrate industry-leading STIX-compatible threat feeds with Cortex XSOAR and automate threat hunting operations. Such functionality can save time and significantly reduce the risk of exposure. Download the Free Community Edition today to learn more.
