Threat hunting has become an increasingly important aspect of cybersecurity, as organizations strive to identify and mitigate security incidents that automated systems may have missed.
The definition of threat hunting varies, but it generally involves a combination of manual and machine-assisted processes driven by human curiosity and pattern recognition. The ultimate goal of threat hunting is not only to find more security incidents, but to improve automated detection capabilities over time.
In this article, we will delve into the intricacies of threat hunting, including its purpose, benefits, drawbacks and the various frameworks available to help guide your efforts.
Probably the first question people ask about threat hunting is, “what exactly is it?” Sometimes it seems like if you ask 10 different people to define threat hunting, you’ll get 15 different answers! For our purposes, the most popular definition is probably the best: threat hunting is the name for any manual or machine-assisted process for finding security incidents that your automated detection systems missed.
The key here is that even though we often use computers, automation, and machine learning techniques to help us identify and filter events of interest, hunting is always driven by a human. Our curiosity, imagination and ability to deduce patterns of malicious activity even when we have never encountered them before are simply beyond the capabilities of today’s technology.
This definition covers a lot of ground, encompassing such basics as searching for known-bad indicators, all the way up through creating innovative, cutting-edge data analysis techniques. The Hunting Maturity Model shows the various stages an organization’s hunting capability might occupy, and serves as a roadmap for threat hunting improvement over time.
Given our definition, defining the actual purpose of threat hunting seems easy, right? You might be thinking: “The purpose of threat hunting is to find more security incidents!”
Although this is exactly how some organizations approach it, I’m here to tell you: that’s not the best way to think about threat hunting.
Because threat hunting requires human involvement, it is relatively high-cost. With the volume and velocity of security data coming into most organizations, human review of every event isn't just expensive; it's entirely out of the question. We need good automated detection if we want to keep up, and that's where threat hunting comes in.
Don't think of hunting as a way to find more security incidents using expensive humans. Instead, think about threat hunting as a way to improve your automated detections over time. When a hunter figures out a new way to detect malicious behavior, the goal is also to figure out how to automate that detection. That way, the next time the same malicious activity occurs, it is alerted on and responded to quickly.
The security incidents discovered during the hunting process are a secondary benefit: a by-product of the hunt, not its intended purpose.
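To make the hunt-to-automation loop concrete, here is an added example (not code from the original post or from Splunk): a hunter stack-counts parent/child process pairs in constructed endpoint telemetry to surface rare combinations, reviews them, and then codifies the finding as a rule that runs automatically over new events. The process names, hosts and rule thresholds are all constructed for illustration.

```python
"""Hunt first, then turn the finding into an automated detection."""
from collections import Counter

# Constructed sample telemetry: one process-creation event per dict.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "child": "chrome.exe"},
    {"host": "ws02", "parent": "explorer.exe", "child": "chrome.exe"},
    {"host": "ws03", "parent": "explorer.exe", "child": "outlook.exe"},
    {"host": "ws01", "parent": "services.exe", "child": "svchost.exe"},
    {"host": "ws02", "parent": "services.exe", "child": "svchost.exe"},
    {"host": "ws04", "parent": "explorer.exe", "child": "winword.exe"},
    {"host": "ws05", "parent": "explorer.exe", "child": "winword.exe"},
    {"host": "ws05", "parent": "winword.exe", "child": "powershell.exe"},
    {"host": "ws06", "parent": "svchost.exe", "child": "taskhostw.exe"},
    {"host": "ws03", "parent": "explorer.exe", "child": "outlook.exe"},
]


def stack_count(events):
    """Hunting step: count how often each parent/child pair occurs."""
    return Counter((e["parent"].lower(), e["child"].lower()) for e in events)


def hunt_rare_pairs(events, max_count=1):
    """Hunting step: return pairs seen at most max_count times.

    The hunter reviews this short list by hand; rarity is a lead, not a verdict.
    """
    return [pair for pair, n in stack_count(events).items() if n <= max_count]


# Outcome of the hunt: the analyst judged 'office app spawns a shell' worth
# alerting on every time, and wrote it down as a rule. (Constructed rule.)
RULE = {
    "name": "office_app_spawns_shell",
    "parents": {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"},
    "children": {"powershell.exe", "cmd.exe", "wscript.exe"},
}


def detect(event, rule=RULE):
    """Automated step: does a single new event match the codified rule?"""
    return (event["parent"].lower() in rule["parents"]
            and event["child"].lower() in rule["children"])


def run_detection(events, rule=RULE):
    """Automated step: the rule now runs over every batch without a human."""
    return [e for e in events if detect(e, rule)]
```
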
Of course, you do not have to hunt for threats; only you can decide whether it is worth it for your organization. But if you skip it, your automated security detections won't improve: they'll stay frozen at a moment in time while threat actors keep improving their methods.
For most organizations, threat hunting is highly recommended. That’s for a few reasons. Intrusion prevention doesn’t work 100% of the time. Plus, the stealthy techniques attackers use can often escape detection.
More importantly, attackers are innovating at an alarming rate, resulting in a constant stream of new and updated attacks. Hunting is an effective way of helping your defenses keep up.
So we can sum up the benefits and drawbacks of hunting. Pros include:
The biggest drawback, of course, is that hunting is resource intensive. Threat hunting can be time-consuming and requires specialized skills and expertise.
One final consideration: interest in threat hunting has been climbing steadily over the last few years. This is no surprise, of course, as security breaches, attacks and privacy regulations are regular features in national news, and more people are aware of everyday threats.
One way to see this growing interest is Google Trends, which indicates how often a given topic is searched for. Over the last decade, more people globally have been searching for "threat hunting" (the top, steep blue line) and "cyber threat hunting" (the bottom, red line).
OK so you’re ready to hunt, but where do you begin? A threat hunting framework is a system of adaptable, repeatable processes designed to make your hunting expeditions both more reliable and more efficient.
There are a number of frameworks out there; the most notable are the following.
Published in three parts (part 1, part 2, part 3), Sqrrl’s framework was not only the first, but remains one of the most influential threat hunting frameworks. It defines the hypothesis-driven hunting process as a loop with four stages:
The TaHiTI framework, created by a consortium of financial institutions known as the Dutch Payments Association, is another popular threat hunting framework. We can summarize TaHiTI as:
The PEAK Threat Hunting Framework incorporates experience gained and lessons learned during the last several years of threat hunting. The PEAK Framework:
This vendor- and tool-agnostic framework was co-created with one of the original creators of the Sqrrl framework, mentioned above.
The PEAK Framework incorporates three distinct hunt types. This diagram illustrates the Model-Assisted Threat Hunting Process (M-ATH).
Threat hunting is a proactive approach to cybersecurity that leverages human intuition and creativity to identify and counter security incidents that may otherwise go undetected. By incorporating threat hunting into your organization's security practices, you can improve your overall security posture.
While threat hunting can be resource-intensive, the benefits of staying ahead of potential attacks make it a highly recommended practice for most organizations. To get started, consider adopting a threat hunting framework such as the Sqrrl Threat Hunting Reference Model, TaHiTI or PEAK, which can provide a structured and efficient approach to your threat hunting endeavors.