GUEST ESSAY: The case for engaging in ‘threat hunting’ — and how to do it effectively

By Mike James

Modern cyber threats often are not obvious – in fact it is common for them to lurk inside a business’ systems for a long time without anyone noticing. This is referred to as ‘dwell time’, and a recent report from the Ponemon Institute indicates that the average dwell time is 191 days.


In an ideal world there would be no dwell time at all, and threats would be identified before they can penetrate a business’ defenses. To achieve this for your organization, it is no longer viable just to run reactive cyber security. It is essential that you invest in a proactive approach – that’s why you need to start threat hunting.

Seeking anomalous activity

Threat hunting is the practice of actively seeking out dangers to cyber security by detecting and eliminating new and emerging threats that are able to evade preventative controls such as firewalls and antivirus software.

It consists of actively looking for anomalous activity that has not been identified by existing tools and involves thorough, on-going analysis of data sources such as network traffic and server logs as well as web and email filter traffic.

Businesses that embrace threat hunting are likely to significantly reduce the dwell time of attacks, identify advanced threats that could otherwise be missed, and enhance security controls and processes. Effective threat hunting requires not only the right tools, but an advanced understanding of the latest tactics and techniques used by criminals. So, what do you need to get started?

Tracking users

To hunt for threats, it’s important to have the right tools at your disposal in order to obtain the visibility needed to detect threats across your business’ IT infrastructure. For example, cyber criminals commonly attempt to compromise endpoints in order to gain access to a network. Endpoints are devices such as computers and servers, and they can be vulnerable to attacks. This means that you need to have extensive endpoint detection and response (EDR) capabilities at your disposal.

Furthermore, threat hunters are increasingly investing in something known as user and entity behaviour analytics, or UEBA. This is a type of security monitoring that focuses on users rather than threats, and utilises machine learning, algorithms and statistical analysis to help gain insight into what users on a system are doing, such as their login behavior and which files they are accessing.

One of the most commonly used tools for threat hunting, however, is security information and event management (SIEM).

SIEM technology works by capturing and correlating network data such as event logs and looking for patterns of malicious behavior. It is often the case that events that look harmless in isolation can actually be an indicator that something suspicious is happening. The software provides an alert when it notices something unusual, prompting security teams to conduct further investigation and respond accordingly.

On the surface, UEBA and SIEM may look similar, but they actually offer something quite distinct. Whereas UEBA follows user behavior, SIEM technologies take a more holistic approach, and are used to monitor the overall network.

Tapping professionals

Perhaps the most important element in threat hunting is not the systems or the software, but experienced cyber security professionals. In order to detect hidden threats, threat hunting requires knowledgeable experts with a strong understanding of security trends and the latest techniques used by cyber criminals. Tools and software are next to useless without skilled people who know what to look for.

The role of the threat hunter is to understand which threats are facing the network and then to hypothesize about particular threat behaviors and indicators of compromise. The next step is to then use data and security technology such as SIEM and EDR to establish whether breaches have occurred. The final step is to use the intelligence gathered through the hunting process to inform defensive actions such as optimizing technologies to detect new hacking tactics, techniques and procedures.
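The three-step hunt just described (hypothesis, check the data, feed the result back into detection) and the earlier point that individually harmless events can together be an indicator, as an added example that is not part of the essay. It runs a hypothesis-driven query over constructed authentication log lines; the log format, field names and thresholds are assumptions, not any product’s own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not the essay's); constructed sample data, not real events.
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")
SAMPLE_LOG = """\
2023-05-01T02:10:01 auth FAIL user=alice src=203.0.113.5
2023-05-01T02:10:04 auth FAIL user=bob src=203.0.113.5
2023-05-01T02:10:09 auth FAIL user=carol src=203.0.113.5
2023-05-01T02:10:15 auth OK user=carol src=203.0.113.5
2023-05-01T09:00:00 auth FAIL user=dave src=192.0.2.10
2023-05-01T09:00:30 auth OK user=dave src=192.0.2.10
2023-05-01T09:05:00 auth OK user=erin src=198.51.100.7
"""

def parse(log_text):
    """Turn matching log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def hunt_fail_then_success(events, min_fails=3, window=timedelta(minutes=5)):
    """Hypothesis: >= min_fails failed logins from one source inside `window`,
    followed by a successful login from that source, suggests a compromised
    credential. Returns one finding per matching source for triage."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["result"] != "OK":
                continue
            fails = [f for f in evs[:i]
                     if f["result"] == "FAIL" and e["ts"] - f["ts"] <= window]
            if len(fails) >= min_fails:
                findings.append({"src": src, "user": e["user"], "ts": e["ts"].isoformat(),
                                 "failed_users": sorted({f["user"] for f in fails})})
                break
    return findings

if __name__ == "__main__":
    for finding in hunt_fail_then_success(parse(SAMPLE_LOG)):
        print(finding)
```

A confirmed finding is what feeds the third step: the same logic, with tuned thresholds, becomes a SIEM correlation rule so the next occurrence alerts without a manual hunt.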

Patience, persistence required

Businesses of every size will benefit hugely from a threat hunting program in order to enhance threat detection and response. Hunting capabilities need to be developed over time, however. Successful threat hunting is not something that can be performed as a one-off activity; your organization will need to continually refine and evolve its approach over time.

Finally, remember that the technologies used in threat hunting are not a quick fix. For hunting operations to be successful you will need high quality data as well as experienced security personnel to analyze and interpret it.

About the essayist: Mike James is a Brighton, UK-based cybersecurity professional; his 15 years of IT experience include penetration testing and ethical hacking projects.
