
Threat hunting has become an increasingly important aspect of cybersecurity, as organizations strive to identify and mitigate security incidents that automated systems may have missed.
Yes, the definition of threat hunting can vary, and it generally involves a combination of manual and machine-assisted processes driven by human curiosity and pattern recognition. The ultimate goal of threat hunting is not only to find more security incidents — but to improve automated detection capabilities over time.
In this article, we will delve into the intricacies of threat hunting, including its purpose, benefits, drawbacks and the various frameworks available to help guide your efforts.
(Check out our Guide to Threat Hunting with Splunk.)
What is threat hunting?
Probably the first question people ask about threat hunting is, “what exactly is it?” Sometimes it seems like if you ask 10 different people to define threat hunting, you’ll get 15 different answers! For our purposes, the most popular definition is probably the best: threat hunting is the name for any manual or machine-assisted process for finding security incidents that your automated detection systems missed.
The key here is that even though we often use computers, automation, and machine learning techniques to help us identify and filter events of interest, hunting is always driven by a human. Our curiosity, imagination and ability to deduce patterns of malicious activity even when we have never encountered them before are simply beyond the capabilities of today’s technology.
This definition covers a lot of ground, encompassing such basics as searching for known-bad indicators, all the way up through creating innovative, cutting-edge data analysis techniques. The Hunting Maturity Model shows the various stages an organization’s hunting capability might occupy, and serves as a roadmap for threat hunting improvement over time.
The purpose of threat hunting…?
Given our definition, defining the actual purpose of threat hunting seems easy, right? You might be thinking: “The purpose of threat hunting is to find more security incidents!”
Although this is exactly how some organizations approach it, I’m here to tell you: that’s not the best way to think about threat hunting.
Because threat hunting requires human involvement, it’s relatively high-cost. With the volume and velocity of security data coming into most organizations, human review isn’t just expensive, it’s entirely out of the question. We require good automated detection if we want to keep up. And that’s where threat hunting comes in.
Don’t think of hunting as a way to find more security incidents using expensive humans. Instead, think about threat hunting as a way to improve your automated detections over time. When a hunter figures out a new way to detect malicious behavior, the goal is to also figure out how to automate that detection. That way, the next time malicious activity will be alerted and responded to quickly.
The creation of new security incidents during the hunting process is actually a secondary benefit, more as a by-product of the hunt, not its intended purpose.
Must I hunt? Reasons for threat hunting
Of course, you certainly do not have to hunt for threats. Only you can decide for sure. If you ignore it, your automated security detections won’t improve — they’ll get stuck at a moment in time. Meanwhile, threat actors are constantly improving their methods.
For most organizations, threat hunting is highly recommended. That’s for a few reasons. Intrusion prevention doesn’t work 100% of the time. Plus, the stealthy techniques attackers use can often escape detection.
More importantly, attackers are innovating at an alarming rate, resulting in a constant stream of new and updated attacks. Hunting is an effective way of helping your defenses keep up.
The pros and cons of threat hunting
So we can sum up the benefits and drawbacks of hunting. Pros include:
- Improved security posture. Threat hunting can help organizations identify and mitigate weaknesses in their detection rules, platforms, and data collection.
- Harnesses human intuition and creativity. Unlike automated detection products, which can only alert on what they’ve been programmed to find, threat hunting is a human-driven process. Humans are very good at identifying patterns, even in the face of incomplete or ambiguous data.
- Puts security on the offense. Unlike traditional incident detection programs, which are purely reactive, threat hunting is a proactive approach to identifying threat actors on your network that you might not already be detecting well.
The biggest drawback, of course, is that hunting is resource intensive. Threat hunting can be time-consuming and requires specialized skills and expertise.
Threat hunting trends
One final consideration: interest in threat hunting has been steadily climbing the last few years. This is no surprise, of course, as security breaches, attacks and privacy regulations are regular features in national news. More and more people are aware of everyday threats.
One way to see this growing interest is from Google Trends, which indicates how often and popular a given topic is searched. Over the last decade, we see that more people globally are searching for topics around “threat hunting” (the top, steep blue line) and “cyber threat hunting” (the bottom, red line).
Frameworks & hunt types
OK so you’re ready to hunt, but where do you begin? A threat hunting framework is a system of adaptable, repeatable processes designed to make your hunting expeditions both more reliable and more efficient.
There are a number of frameworks out there, the most notable are the following.
The Sqrrl Threat Hunting Reference Model (2015)
Published in three parts (part 1, part 2, part 3), Sqrrl’s framework was not only the first, but remains one of the most influential threat hunting frameworks. It defines the hypothesis-driven hunting process as a loop with four stages:
- Create hypothesis
- Investigate via tools & techniques
- Uncover new patterns & TTPs
- Inform & enrich automated analytics
TaHiTI: Targeted Hunting Integrating Threat Intelligence (2018)
The TaHiTI framework, created by a consortium of financial institutions known as the Dutch Payments Association, is another popular threat hunting framework. We can summarize TaHiTI as:
- Building on pieces of the Sqrrl framework, such as the Hunting Maturity Model.
- Adding a new type of hunt, known as the unstructured or data-driven hunt.
- Providing more detailed guidance on the hunting process and on potential metrics for hunt program success.
PEAK: Prepare, Execute & Act with Knowledge (2023)
The PEAK Threat Hunting Framework incorporates experience gained and lessons learned during the last several years of threat hunting. The PEAK Framework:
- Adds a third type of hunt, Machine-Assisted Threat Hunting (M-ATH), show below.
- Provides even more detailed implementation guidance for each hunt type.
This vendor- and tool-agnostic framework was co-created with one of the original creators of the Sqrrl framework, mentioned above.
The PEAK Framework incorporates three distinct hunt types. This diagram illustrates the Model-Assisted Threat Hunting Process (M-ATH).
Fear not the threat, start hunting
Threat hunting is a proactive approach to cybersecurity that leverages human intuition and creativity to identify and counter security incidents that may otherwise go undetected. By incorporating threat hunting into your organization's security practices, you can:Improve your overall security posture.
- Harness the power of human-driven pattern recognition.
- Ultimately bolster your automated detection capabilities.
While threat hunting can be resource-intensive, the benefits of staying ahead of potential attacks make it a highly recommended practice for most organizations. To get started, consider adopting a threat hunting framework such as the Sqrrl Threat Hunting Reference Model, TaHiTI or PEAK, which can provide a structured and efficient approach to your threat hunting endeavors.
What is Splunk?
This posting does not necessarily represent Splunk's position, strategies or opinion.