Threat hunting helps organizations avoid attacks by analyzing attacker behavior and identifying potential threats.
Threat hunting is an umbrella term for the techniques and tools organizations use to identify cyber threats. While traditional threat hunting was a manual investigation process that relied on the expertise of a security analyst rather than on automated tools, modern threat hunting combines the two.
Often, ‘threat hunting’ refers to proactive threat detection, during which organizations preemptively evaluate their network for signs of internal malicious activity or investigate attacker infrastructure that exists outside of it. Less often, the term also describes reactive threat detection, during which organizations analyze their own infrastructure for weaknesses following a data breach or similar attack.
During the threat hunting process, organizations look for indicators of attack (IoA)* to determine the intent and behavior of potential attackers. An IoA is an action or series of actions that an attacker must carry out to successfully complete the attack — for example, tricking a target into opening a phishing email, getting them to click on a malicious link, executing a malware download, and so on. Understanding an attacker’s specific tactics and procedures can help organizations craft a more proactive threat defense.
An indicator of compromise (IoC) is evidence of malicious activity: an anomaly in network traffic, suspicious logins, unexpected updates to administrator-level accounts or files, or other signs that an organization has been breached. IoCs are useful components of reactive threat hunting processes, as they usually indicate that an organization has already been compromised.
*This is also referred to as an attacker’s tactics, techniques, and procedures (TTPs).
Threat hunting procedures vary based on an organization’s needs and the capabilities of their security team, but commonly fall into one of three categories: structured hunting, unstructured hunting, or situational hunting.
To visualize the difference between these processes, imagine that Bob is trying to identify birds using three different birdwatching techniques. One methodology may require a lot of planning: analyzing a bird’s migration patterns, mating rituals, feeding schedules, and any additional behavioral factors that could help narrow down where and when the bird is likely to be spotted. This is similar to structured hunting, which focuses on uncovering an attacker’s known tactics and behavior.
Using another methodology, Bob may visit a forest and search for nests, droppings, or other physical evidence of a bird’s presence. This is similar to unstructured hunting, which is often triggered when an IoC is detected.
A third methodology may require Bob to prioritize tracking endangered birds over more common species, then tailor his approach to the specific bird he is trying to identify. This is similar to situational hunting, which uses a customized strategy to identify threats to high-risk targets.
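As an added example (not part of the Cloudflare article), the Python below runs a structured hunt for the IoA chain named above (phishing email opened, link clicked, malware executed) and an unstructured hunt for the IoC signs named above (a suspicious off-hours login, an unexpected change to an administrator group) over a constructed event log. The log format, field names, user names, the 30-minute chain window and the off-hours range are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not real telemetry): timestamp|user|action|detail
EVENTS = """\
2024-05-01T02:14:00|svc_backup|login|src=203.0.113.7
2024-05-01T02:15:00|svc_backup|admin_group_modified|target=Domain Admins
2024-05-01T09:00:00|alice|email_opened|sender=unknown
2024-05-01T09:01:10|alice|link_clicked|url=http://lure.example.invalid
2024-05-01T09:02:30|alice|file_executed|name=invoice.exe
2024-05-01T09:10:00|bob|email_opened|sender=colleague
2024-05-01T11:00:00|bob|link_clicked|url=https://intranet.example.invalid
"""
IOA_CHAIN = ["email_opened", "link_clicked", "file_executed"]  # ordered attacker actions (IoA)
IOA_WINDOW = timedelta(minutes=30)   # assumed: the whole chain must fit in 30 minutes
IOC_ACTIONS = {"admin_group_modified"}  # evidence of compromise (IoC) on its own
OFF_HOURS = range(0, 6)              # assumed: logins between 00:00 and 05:59 are anomalous

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, action, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, action, detail))
    return sorted(events)  # chronological order matters for sequence matching

def structured_hunt(events, chain=IOA_CHAIN, window=IOA_WINDOW):
    """Structured hunt: users whose actions complete the IoA chain, in order, within the window."""
    by_user = defaultdict(list)
    for ts, user, action, _ in events:
        by_user[user].append((ts, action))
    hits = []
    for user, acts in by_user.items():
        step, start = 0, None
        for ts, action in acts:
            if step and ts - start > window:  # chain went stale; start matching over
                step, start = 0, None
            if action == chain[step]:
                start = ts if step == 0 else start
                step += 1
                if step == len(chain):
                    hits.append(user)
                    break
    return hits

def unstructured_hunt(events):
    """Unstructured hunt: (user, reason) pairs for IoCs that warrant investigation."""
    findings = []
    for ts, user, action, detail in events:
        if action in IOC_ACTIONS:
            findings.append((user, f"{action}: {detail}"))
        elif action == "login" and ts.hour in OFF_HOURS:
            findings.append((user, f"off-hours login at {ts.time()} ({detail})"))
    return findings
```

Bob opens a mail and clicks a link almost two hours apart, so his chain is discarded as stale; only alice completes the IoA sequence, while the service account surfaces through IoC evidence alone.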
The traditional threat hunting process relied on security analysts to manually examine an organization’s network, infrastructure, and systems, then create and test hypotheses to detect external and internal threats (like a data breach or malicious lateral movement).
Modern threat hunting, by comparison, uses cybersecurity tools to help automate and streamline the investigative process. Some of the most common tools include the following:
Threat hunting is the process of discovering and analyzing attacker behavior, evidence of cyber attacks, or other potential threats facing an organization. The purpose of threat hunting is not only to uncover vulnerabilities within an organization’s infrastructure, but to spot threats and attacks that have not been carried out yet.
By contrast, threat intelligence is a set of data about cyber attacks — both potential threats and attacks that have already occurred. Often, this data is compiled into a threat intelligence feed, which organizations can use to update their threat hunting processes and security procedures.
In short, threat hunting is similar to carrying out a crime scene investigation, while threat intelligence is the evidence that is collected at the scene.
To learn more about the categories and purposes of threat intelligence, see What is threat intelligence?
The Cloudflare Security Center offers threat investigation capabilities designed to assist security teams in identifying, tracking, and mitigating potential attacks from a single, unified interface. Within the threat investigation portal, users can query specific IP addresses, hostnames, and autonomous systems (AS) to pinpoint the origin of emerging threats.
Learn more about the Cloudflare Security Center.