What is Threat Hunting?
Threat hunting is a proactive, human-driven search for threats that have may have slipped past the typical defences that organisations normally rely on. Hunters start from the assumption that an adversary is already inside the network and dig through the vast amounts of telemetry to surface suspicious activity that may be a sign of an ongoing attack.
Once an attacker has successfully breached a perimeter, in many cases may remain undetected for weeks or months, gathering data and building a foothold that will enable lateral movement. A purely analytic detection engineering driven approach will almost always miss the exceptionally stealthy threats. This is primarily why threat hunting is now seen as an indispensable component of a resilient security posture.
Threat hunting is becoming increasingly important as organisations seek to stay ahead of the latest cyber-threats and respond rapidly to any potential attacks.
Crowdstrike
Threat Hunting Methodologies
| Approach | What it looks like | Why it works |
|---|---|---|
| Hypothesis Driven | Hunters create a testable assumption and search for the appropriate Tactics & Techniques the specific threat actor would have utilised. | Turns intelligence into a concrete, focused search. |
| IOC/IOA Driven | Hunters collect a set of indicators of compromise (hashes, IPs, domains) or indicators of attack (behavioural patterns) from threat intelligence feeds. | Provides a ready made set of “red flags” that can be searched across all telemetry. |
| Advanced Analytics | Machine learning or statistical models sift through high volumes of verbose log data, flagging anomalies that deviate from normal behaviour. | Uncovers hidden patterns that human analysts might miss. |
All three approaches rely on the same three pillars: human expertise, a wealth of high quality data, and up to date threat intelligence.
Mitre ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, & Common Knowledge) is a freely available, evidence‑based framework that catalogues how adversaries behave in the real world. It is organised into tactics (the adversary’s goal at a given point) and techniques (the specific actions they take), with many techniques further split into sub‑techniques that add nuance.
- Tactics – “Why” the attacker is doing something (e.g., Initial Access, Command and Control, Exfiltration).
- Techniques – “How” they achieve that goal (e.g., Phishing, Drive-by Compromise).
- Sub‑techniques – Refine the technique (e.g., Spearphishing Attachment, ARP Cache Poisoning).
The framework is continually updated by the MITRE organisation, drawing on real incident reports, threat‑intel feeds and academic research.
Why is ATT&CK Important?
| Benefit | What You Get |
|---|---|
| Common Language | Everyone in the security community talks about the same techniques, so playbooks, reports and alerts are instantly understandable. |
| Coverage Map | You can see which tactics your environment protects against and where gaps lie. |
| Threat Modeling | By mapping known adversary groups to ATT&CK techniques you can predict the methods they will use against your organisation. |
| Automation Friendliness | Many SIEM/EDR/UEBA products include pre‑built queries or rules that reference ATT&CK IDs, making it easier to turn hunting scripts into alerts. |
| Evidence Base | Each technique is linked to documented use cases, helping you validate whether a detected behaviour is truly malicious. |
Because of these strengths, ATT&CK is often the anchor around which many detection and hunting strategies are built.
The Hunt Cycle: Trigger, Investigate, Resolve
| Step | What happens | Typical artefacts |
|---|---|---|
| Trigger | A flag is raised – either an IOC, a behavioural anomaly, or a hypothesis about a new adversary tactic. | Alert, IOC feed, threat intel brief. |
| Investigation | The hunter drills into the telemetry (EDR, SIEM, netflow, UEBA) to understand the activity. | Process trees, memory dumps, file hashes, network artefacts. |
| Resolution | Findings are communicated to the response team, and mitigations (blocking, isolation, rule creation) are implemented. | Incident report, playbook update, analytic tuning/creation. |
During each phase the hunter builds a hypothesis, tests it, records observations, and refines the next step. The cycle is repeated until the activity is labelled benign or fully characterised as malicious.
Defensive Ecosystem: Where Does Hunting Sit?
Threat hunting operates in parallel to the standard incident-detection-response-remediation (IDR) loop. While automated systems scan for known signatures, hunters use queries, automation and intelligence to pull “leads” out of the same data lake. Those leads are then validated by a human analyst and fed back into the IDR pipeline as new alerts, rules or procedural mitigations.
Metrics: How to Prove Threat Hunting is Working
| Metric | What it tells you | Example Target |
|---|---|---|
| Hunt Count | How many investigations are run per X period | 1-2 per high‑value asset tier (adjusted for risk appetite) |
| Lead-To-Alert Conversion | % of leads that become actionable alerts | > 20 % indicates a well crafted hunting playbook |
| Mean Time to Detect (MTTD) | Hours from compromise to first detection | < 48 h for critical assets |
| False Positive Rate | % of leads that turn out to be benign | < 15 % after 3month refinement |
| Rule Improvement Rate | New or refined detection rules per month | > 3 per month signals healthy feedback from hunting |
| Cost per Threat | Money spent per confirmed compromise | 60% lower than the cost if the incident had gone undetected |
When you finish a hunt, you should share the metrics you collected in the “Resolution” section. A clear drop in MTTD or false positive rate demonstrates that the hunt is adding measurable value.
Governance and Continuous Improvement
- Playbook evolution – After every hunt record lessons learned and update the knowledge base.
- Rule Feedback loop – Use a SOAR or custom scripts to automatically create or tweak detection rules from confirmed leads.
- Red Team/Adversary Simulation – Quarterly simulated attacks validate hunting coverage.
- Skill Sharpening – Monthly sessions (MITRE ATT&CK deep‑dives, memory forensics workshops) keep analysts sharp.
- Compliance Mapping – Align hunts with NIST CSF/ISO 27001 etc. controls to demonstrate that you are addressing the right security objectives.
- Chain of Custody – Capture evidence, document the evidence‑handling process, and keep a record for legal or audit purposes.
This governance loop turns passive detection into an active investigation culture that continually tightens the security perimeter.
Closing the Loop (From Lead to Remediation)
| Stage | What You Produce | Why It Matters |
|---|---|---|
| Evidence Capture | Snap shots of process trees, memory dumps, file hashes. | Essential for forensics, forensics based rules, and incident validation. |
| Remediation Playbook | Immediate isolation, IP/domain blocking, patching guidance. | Cuts the attacker’s life cycle and reduces MTTD. |
| Post Hunt Report | Executive leadership friendly summary, ROI snapshot, roadmap for the next hunt. | Demonstrates tangible business value and guides future hunting focus. |