March 08, 2019 / by Cheryl Dsa / In siem, security-analytics

What is threat hunting, and why is it important?

The notion of “threat hunting” has become quite popular recently, but for many, the term is still shrouded in a sort of fog. What does this term really mean? How does it work? Is it something you need?

Simply put, threat hunting is the process of proactively searching for malware or attackers that might be lurking in your network, having gone undetected for some time. In this post, you’ll learn more about what threat hunting is, how it works and what makes it necessary.

What is threat hunting?

The concept of threat hunting has been around for a while, but only recently has it become a priority for enterprise security operation centers (SOCs). Richard Bejtlich appears to be the first to have written an article describing threat hunting in a meaningful way. In the article, he explains, “no equation can govern a threat’s behavior, and threats routinely innovate in order to evade and disrupt defensive measures.” Because threats come in such a wide variety of forms, from external threats that maintain persistence to internal threats centered around abusing privileges, it is necessary to conduct counter-threat operations (CTOps) to actively hunt intruders in your enterprise. Hoping that attackers will be stopped in their tracks by your defenses is an excessively naïve approach to security.

How does threat hunting differ from threat detection?

Threat hunting distinguishes itself from other security techniques in that it is proactive. It is the process of searching for attackers who are already inside the network before they have a chance to cause damage. It focuses on identifying a compromise at its earliest stage, rather than relying on automated detection mechanisms or waiting for a threat to make its presence known.

Cybersecurity professionals previously focused the overwhelming majority of their attention on incident prevention, believing that the right defenses would be sufficient to keep any attacker at bay. What they didn’t realize, however, is that the lack of alerts or visible indicators of a threat does not imply a total absence of threats. It may just mean that a threat has managed to avoid detection.

Thus, threat hunting differs from most prevention and management strategies insofar as threat hunting involves actively seeking out intruders and abnormal activity that may indicate a breach.

How does threat hunting work?

Before you begin hunting for threats, it’s important to understand how the process works and ensure your organization is ready to hunt threats.

The process of threat hunting starts from new patterns of attack surfaced by security alerts, external threat intelligence and similar sources, and forms a hypothesis that a specific threat is present in your network. These hypotheses are then explored and tested through a series of investigations against your own data to seek out threats that have slipped through the network's defenses.

Having said that, there is no set process for threat hunting that can apply to every enterprise. Your team should familiarize itself with your organization’s network to devise a process best suited for your particular environment.
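As an added example (not code from the original post, and not a vendor product), the block below carries one such hypothesis through the test step. Hypothesis: a compromised workstation is beaconing to a command-and-control server through the web proxy. The test combines two standard hunting techniques over proxy logs: interval analysis (a source/destination pair whose connections recur at a near-constant interval looks automated rather than human) and stacking (a destination that only one or two hosts in the fleet ever contact is unusual). Regularity alone is noisy, since mail clients poll on a timer too, so a lead has to satisfy both. The log format, hostnames, domains and timestamps are all constructed for the example; the `.example` domain is a placeholder.

```python
"""Hypothesis-driven hunt: beaconing to a rare destination, over constructed proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real data). Format: "<ISO timestamp> <src host> <dst> <bytes>".
# ws-07 talks to cdn-updates.example every ~5 min (the planted beacon);
# ws-12 polls mail.example.com every ~4 min (benign but equally regular);
# everything else is irregular browsing.
SAMPLE_LOG = """\
2019-03-08T09:00:00 ws-07 cdn-updates.example 512
2019-03-08T09:01:13 ws-07 mail.example.com 20480
2019-03-08T09:02:40 ws-12 mail.example.com 18220
2019-03-08T09:03:05 ws-12 www.example.com 4096
2019-03-08T09:05:02 ws-07 cdn-updates.example 520
2019-03-08T09:06:41 ws-12 mail.example.com 17900
2019-03-08T09:07:51 ws-21 www.example.com 8192
2019-03-08T09:09:58 ws-07 cdn-updates.example 498
2019-03-08T09:10:39 ws-12 mail.example.com 18010
2019-03-08T09:11:27 ws-12 www.example.com 3100
2019-03-08T09:12:02 ws-21 mail.example.com 22000
2019-03-08T09:14:40 ws-12 mail.example.com 17750
2019-03-08T09:15:01 ws-07 cdn-updates.example 511
2019-03-08T09:18:42 ws-12 mail.example.com 18300
2019-03-08T09:18:45 ws-07 www.example.com 5000
2019-03-08T09:20:00 ws-07 cdn-updates.example 530
2019-03-08T09:22:19 ws-21 www.example.com 7777
2019-03-08T09:22:38 ws-12 mail.example.com 18120
2019-03-08T09:24:59 ws-07 cdn-updates.example 505
2019-03-08T09:26:40 ws-12 mail.example.com 17880
2019-03-08T09:28:10 ws-21 mail.example.com 19000
2019-03-08T09:30:03 ws-07 cdn-updates.example 515
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def regular_pairs(events, min_hits=5, max_cv=0.15):
    """Interval analysis: return {(src, dst): mean gap in seconds} for pairs with
    at least min_hits connections whose inter-arrival times are nearly constant
    (coefficient of variation, stdev/mean, at or below max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg, 1)
    return hits


def rare_destinations(events, max_hosts=1):
    """Stacking: destinations contacted by no more than max_hosts distinct sources."""
    hosts = defaultdict(set)
    for _, src, dst, _ in events:
        hosts[dst].add(src)
    return {dst for dst, srcs in hosts.items() if len(srcs) <= max_hosts}


def hunt_beacons(events, **kw):
    """A lead is a regular pair whose destination is also rare across the fleet.
    The regular-but-common mail polling drops out here; the planted beacon stays."""
    rare = rare_destinations(events)
    return {pair: gap for pair, gap in regular_pairs(events, **kw).items() if pair[1] in rare}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("regular pairs:     ", regular_pairs(ev))
    print("rare destinations: ", rare_destinations(ev))
    print("hunt leads:        ", hunt_beacons(ev))
```

On real data the thresholds need tuning to the environment: `max_cv` controls how much jitter a beacon may add before it stops looking periodic, and `max_hosts` should be raised on a large fleet. A lead is the start of the investigation, not a verdict; the next step is pulling the host's process and DNS history for the flagged destination.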

Why is threat hunting important?

On average, intruders spend about 191 days inside a network before they are detected, giving them more than enough time to cause damage to your infrastructure and assets. Your defenses, SOC and automated security tools are capable of alerting you to and preventing about 80% of attacks, but what about the remaining 20%? These threats, which include advanced persistent threats (APTs), are liable to cause significant damage. While automated and unsophisticated threats can be detected and blocked easily, APTs are carefully designed to evade detection. As a result, they demand more attention from the SOC and defense team. These are the anomalies that you should be actively looking for.

Why do you need threat hunting?

You need threat hunting for three main reasons:

  • Intrusion prevention doesn't work 100% of the time. Attackers use stealthy techniques, and the malware they produce is built to slip past detection.
  • Attackers are innovating at an alarming rate, resulting in a constant stream of new and updated attacks.
  • It is no longer feasible to wait for days to learn about an incident before reacting. The cost, damage and impact of an attack from the time of intrusion all grow by the hour. Actively hunting for these intrusions significantly increases your chances of detecting them before they can cause harm.


While threat hunting is not a replacement for your security tools and defense system, it can be an essential tool in your organization's security toolbox. Threat hunting is an advanced, complex task; to get the most out of it, you need the right team and the right technologies.

Threat hunting may not be able to put a stop to attacks altogether, but it can make it so difficult and expensive for an intruder to thrive that they are soon forced to move on to other targets.
