What is threat hunting?

Threat hunting helps organizations avoid attacks by analyzing attacker behavior and identifying potential threats.

Learning Objectives

After reading this article you will be able to:

  • Define ‘threat hunting’
  • Compare common threat hunting models
  • Contrast threat hunting vs. threat intelligence


What is threat hunting?

Threat hunting is an umbrella term for the techniques and tools organizations use to identify cyber threats. While traditional threat hunting was a manual investigation process that relied on the expertise of a security analyst, rather than automated tools, modern threat hunting depends on a combination of the two.

Often, ‘threat hunting’ refers to proactive threat detection, during which organizations preemptively evaluate their network for signs of internal malicious activity or investigate attacker infrastructure that exists outside of it. Less often, the term also describes reactive threat detection, during which organizations analyze their own infrastructure for weaknesses following a data breach or similar attack.

What is an indicator of attack (IoA)?

During the threat hunting process, organizations look for indicators of attack (IoA)* to determine the intent and behavior of potential attackers. An IoA is an action or series of actions that an attacker must carry out to successfully complete the attack — for example, tricking a target into opening a phishing email, getting them to click on a malicious link, executing a malware download, and so on. Understanding an attacker’s specific tactics and procedures can help organizations craft a more proactive threat defense.

An indicator of compromise (IoC) is evidence of malicious activity: an anomaly in network traffic, suspicious logins, unexpected updates to administrator-level accounts or files, or other signs that an organization has been breached. IoCs are useful components of reactive threat hunting processes, as they usually indicate that an organization has already been compromised.

*This is also referred to as an attacker’s tactics, techniques, and procedures (TTPs).

How does threat hunting work?

Threat hunting procedures vary based on an organization’s needs and the capabilities of their security team, but commonly fall into one of three categories: structured hunting, unstructured hunting, or situational hunting.

  1. Structured hunting identifies and analyzes specific attacker behaviors and tactics, or IoAs. It uses a hypothesis-based hunting model, in which a hypothesis is created according to a threat hunting playbook (e.g. the MITRE ATT&CK framework). The primary goal of a structured hunt is to proactively pinpoint attacker behavior before an attack is carried out against the organization.
  2. Unstructured hunting is triggered by the discovery of an IoC — in other words, evidence of malicious activity — that may indicate a recent or past attack in which some part of the organization was compromised. An unstructured hunt uses a reactive, intel-based hunting model that examines IP addresses, domain names, hash values, and other data supplied by intelligence sharing platforms. Its primary goal is to investigate existing vulnerabilities in an organization’s infrastructure and systems.
  3. Situational hunting, also called entity-driven hunting, focuses on specific systems, assets, accounts, or data that are at risk of compromise. For example, an admin-privileged account may be at higher risk of a cyber attack compared to an account with fewer privileges, since the former account may have access to more sensitive data and systems. A situational hunt uses a custom threat hunting model that can be tailored to an organization’s needs, since its primary goal is to secure high-risk targets and understand what threats they are likely to face, rather than examine IoAs or IoCs across an entire organization.
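To make the three models concrete, here is an added example (not Cloudflare's code) that runs each of them over a small, constructed event log. The structured hunt tests the IoA chain described earlier (a phishing mail with a link, the link being visited, then a file download) as an ordered hypothesis per user; the unstructured hunt matches observables against a constructed intel feed of IPs, domains and hashes; the situational hunt looks only at a high-risk group of accounts. The event format, the `admin-` naming convention, the 10.0.0.0/8 internal range and all IoC values are assumptions for the example; IPs come from the RFC 5737 documentation ranges.

```python
"""Added example (not Cloudflare's code): the three hunting models from the
list above applied to a small, constructed event log."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample telemetry: mail gateway, web proxy and download events.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "mail_received",
     "url": "http://update-portal.example/login"},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "type": "web_visit",
     "url": "http://update-portal.example/login", "dst_ip": "203.0.113.7"},
    {"ts": "2024-05-01T09:06:00", "user": "alice", "type": "file_download",
     "sha256": "ab" * 32, "dst_ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "type": "mail_received",
     "url": "http://intranet.example/news"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "type": "web_visit",
     "url": "http://intranet.example/news", "dst_ip": "10.0.0.5"},
    {"ts": "2024-05-01T12:00:00", "user": "admin-carol", "type": "web_visit",
     "url": "http://cdn.example/lib.js", "dst_ip": "198.51.100.9"},
]

# Constructed threat intelligence feed (stand-in for an intel sharing platform).
IOC_FEED = {
    "ip": {"203.0.113.7"},
    "domain": {"update-portal.example"},
    "sha256": {"ab" * 32},
}

# Hypothesis for the structured hunt: the IoA chain from the article
# (phishing mail with a link -> the link is clicked -> a file is downloaded).
IOA_CHAIN = ("mail_received", "web_visit", "file_download")


def structured_hunt(events, window_minutes=60):
    """Return users for whom the full IoA chain occurs, in order, within the window.
    The visited URL must be the one delivered by mail, so unrelated browsing
    does not satisfy the hypothesis."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start["type"] != IOA_CHAIN[0]:
                continue
            t0, step = datetime.fromisoformat(start["ts"]), 1
            for e in evs[i + 1:]:
                if datetime.fromisoformat(e["ts"]) - t0 > window:
                    break
                if e["type"] != IOA_CHAIN[step]:
                    continue
                if step == 1 and e.get("url") != start["url"]:
                    continue
                step += 1
                if step == len(IOA_CHAIN):
                    hits.append(user)
                    break
    return hits


def unstructured_hunt(events, feed=IOC_FEED):
    """Match each event's observables (IP, hostname, hash) against the feed.
    Returns (timestamp, user, ioc_type, value) tuples the analyst can pivot on."""
    matches = []
    for e in events:
        host = urlsplit(e["url"]).hostname if "url" in e else None
        sha = e.get("sha256")
        candidates = (("ip", e.get("dst_ip")), ("domain", host),
                      ("sha256", sha.lower() if sha else None))
        for ioc_type, value in candidates:
            if value is not None and value in feed[ioc_type]:
                matches.append((e["ts"], e["user"], ioc_type, value))
    return matches


INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed: the organization's own range


def situational_hunt(events, high_risk=lambda u: u.startswith("admin-")):
    """Look only at high-risk accounts (assumed 'admin-' prefix) and flag any
    connection leaving the internal network, whether or not an IoC or IoA is known."""
    return [e for e in events
            if high_risk(e["user"]) and "dst_ip" in e
            and ip_address(e["dst_ip"]) not in INTERNAL_NET]


if __name__ == "__main__":
    print("structured:", structured_hunt(EVENTS))
    print("unstructured:", unstructured_hunt(EVENTS))
    print("situational:", [e["user"] for e in situational_hunt(EVENTS)])
```

Note how the three hunts answer different questions over the same data: the structured hunt fires on alice because the full chain occurs in order within the window, the unstructured hunt would still fire on her even if the chain were incomplete because her observables are on the feed, and the situational hunt ignores alice entirely and surfaces only the admin account's external connection, for which no intel exists.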

To visualize the difference between these processes, imagine that Bob is trying to identify birds using three different birdwatching techniques. One methodology may require a lot of planning: analyzing a bird’s migration patterns, mating rituals, feeding schedules, and any additional behavioral factors that could help narrow down where and when the bird is likely to be spotted. This is similar to structured hunting, which focuses on uncovering an attacker’s known tactics and behavior.

Using another methodology, Bob may visit a forest and search for nests, droppings, or other physical evidence of a bird’s presence. This is similar to unstructured hunting, which is often triggered when an IoC is detected.

A third methodology may require Bob to prioritize tracking endangered birds over more common species, then tailor his approach to the specific bird he is trying to identify. This is similar to situational hunting, which uses a customized strategy to identify threats to high-risk targets.

Types of threat hunting tools

The traditional threat hunting process relied on security analysts to manually examine an organization’s network, infrastructure, and systems, then create and test hypotheses to detect external and internal threats (like a data breach or malicious lateral movement).

Modern threat hunting, by comparison, uses cybersecurity tools to help automate and streamline the investigative process. Some of the most common tools include the following:

  • Security information and event management (SIEM) is a security solution that provides log data aggregation, alert monitoring, security incident analysis, and compliance reporting, among other capabilities.
  • Managed detection and response (MDR) is a type of managed security operations center (SOC) that tracks network activity, creates alerts, investigates potential threats, removes false positives from alerts, offers advanced analytics, and helps remediate security incidents.
  • User and entity behavior analytics (UEBA) is a security service that aggregates user and endpoint data, establishes a baseline of normal behavior, and detects and analyzes anomalies across an organization’s systems.
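The UEBA bullet describes a baseline-then-anomaly approach; the following added example (not Cloudflare's or any vendor's code) shows the minimal version of it over a constructed 30-day login history. The record layout (user, hour of day, source network, data volume in MB), the three checks and the 3-sigma threshold are assumptions chosen for the example.

```python
"""Added example (not Cloudflare's or any vendor's code): a minimal UEBA-style
baseline built from constructed login records, then used to score new events."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed 30-day history: (user, hour_of_day, source_network, data_out_mb).
HISTORY = []
for day in range(30):
    HISTORY += [("alice", 9 + day % 2, "office", 20 + day % 5),
                ("alice", 14, "office", 25 + day % 3),
                ("bob", 8, "vpn", 10 + day % 4)]


def build_baseline(history):
    """Per user: hours and networks seen, plus mean/stdev of data volume."""
    hours, nets, vols = defaultdict(Counter), defaultdict(set), defaultdict(list)
    for user, hour, net, mb in history:
        hours[user][hour] += 1
        nets[user].add(net)
        vols[user].append(mb)
    return {u: {"hours": hours[u], "nets": nets[u],
                "mean": mean(vols[u]), "stdev": pstdev(vols[u])} for u in hours}


def score_event(baseline, user, hour, net, mb):
    """Return the list of anomaly reasons for one event (empty list = normal)."""
    b = baseline.get(user)
    if b is None:
        return ["unknown user"]
    reasons = []
    if b["hours"][hour] == 0:
        reasons.append(f"hour {hour} never seen")
    if net not in b["nets"]:
        reasons.append(f"network {net!r} never seen")
    # Assumed threshold: more than three standard deviations above the mean.
    if b["stdev"] and (mb - b["mean"]) / b["stdev"] > 3:
        reasons.append("data volume > 3 sigma above baseline")
    return reasons


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    for ev in [("bob", 8, "vpn", 11), ("alice", 3, "office", 22),
               ("alice", 9, "hotel-wifi", 22), ("bob", 8, "vpn", 500)]:
        print(ev, "->", score_event(bl, *ev) or "normal")
```

Each reason is reported separately rather than collapsed into a single score, which is what an analyst needs when deciding whether an alert is a real anomaly or a benign change such as a new office network; a real UEBA product adds peer-group comparison and decay of old behaviour, which this example omits.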

Threat hunting vs. threat intelligence

Threat hunting is the process of discovering and analyzing attacker behavior, evidence of cyber attacks, or other potential threats facing an organization. The purpose of threat hunting is not only to uncover vulnerabilities within an organization’s infrastructure, but to spot threats and attacks that have not been carried out yet.

By contrast, threat intelligence is a set of data about cyber attacks — both potential threats and attacks that have already occurred. Often, this data is compiled into a threat intelligence feed, which organizations can use to update their threat hunting processes and security procedures.

In short, threat hunting is similar to carrying out a crime scene investigation, while threat intelligence is the evidence that is collected at the scene.

To learn more about the categories and purposes of threat intelligence, see What is threat intelligence?

Does Cloudflare provide threat hunting services?

The Cloudflare Security Center offers threat investigation capabilities designed to assist security teams in identifying, tracking, and mitigating potential attacks from a single, unified interface. Within the threat investigation portal, users can query specific IP addresses, hostnames, and autonomous systems (AS) to pinpoint the origin of emerging threats.

Learn more about the Cloudflare Security Center.