Threat hunting includes the policies, methods, and techniques used to scour networks for hidden threats that have evaded traditional defenses and detection systems. Generally, threat hunting is a proactive approach to cyber defense. Threat hunting might be sparked by emerging threats, newly identified vulnerabilities, or a hunter’s hypothesis.
Cyber threat intelligence (CTI) can help shape a hunt by detailing emerging threats or new tactics, techniques, and procedures (TTPs) used by known threat actors. Hunters create hypotheses and hunt plans based on how they expect actors to exploit vulnerabilities, using the techniques catalogued in MITRE’s ATT&CK framework.
In addition, threat hunters often help incident response efforts by determining the scope of an intrusion, finding where threat actors are hiding, and containing threats. This is a more reactive use of threat hunting, but the same approaches apply.
No matter how a hunt starts, threat hunters focus on the actions and behaviors of the threat actor rather than on hard indicators of compromise such as file hashes, internet protocol (IP) addresses, and domain names. The “Pyramid of Pain” ranks indicator types by the effort an attacker must spend to change or obfuscate them: hashes and IP addresses at the bottom are trivial to swap, while the TTPs at the top are costly to change. Focusing on TTPs therefore increases the likelihood of finding advanced actors that are skilled in evading cyber defenses.
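The following Python script is an added illustration of the Pyramid of Pain point above, not part of the original text: it runs a hash-based match and a behaviour-based hunt (an Office application spawning a script host or a binary from a user-writable folder) over constructed process-creation events. Host names, paths and hashes are made-up placeholders.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str     # endpoint that reported the process start
    parent: str   # image name of the parent process
    image: str    # full path of the new process
    sha256: str   # hash of the new process image (placeholder values below)


# Constructed sample events; hashes and paths are not real indicators.
EVENTS = [
    ProcEvent("ws01", "explorer.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE", "h-office"),
    ProcEvent("ws01", "winword.exe", r"C:\Users\alice\AppData\Roaming\update.exe", "h-tool-v1"),
    # Same tool on another host, rebuilt and renamed: the hash no longer matches.
    ProcEvent("ws02", "winword.exe", r"C:\Users\bob\AppData\Local\Temp\svc.exe", "h-tool-v2"),
    ProcEvent("ws03", "outlook.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "h-ps"),
    ProcEvent("ws04", "services.exe", r"C:\Windows\System32\svchost.exe", "h-svchost"),
]

# Bottom of the pyramid: the single hash seen in the first incident.
KNOWN_BAD_HASHES = {"h-tool-v1"}

# Top of the pyramid: the behaviour. Office applications do not normally
# launch scripting hosts or binaries dropped into user-writable folders.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


def hunt_by_hash(events, bad_hashes=KNOWN_BAD_HASHES):
    """Indicator match: fires only while the attacker reuses the same file."""
    return sorted({e.host for e in events if e.sha256 in bad_hashes})


def hunt_by_behavior(events):
    """TTP match: Office parent spawning a script host or a user-path binary."""
    hits = set()
    for e in events:
        if e.parent.lower() not in OFFICE_APPS:
            continue
        child = ntpath.basename(e.image).lower()
        if child in SCRIPT_HOSTS or e.image.lower().startswith(USER_WRITABLE):
            hits.add(e.host)
    return sorted(hits)


if __name__ == "__main__":
    print("hash hunt     :", hunt_by_hash(EVENTS))      # ['ws01']
    print("behavior hunt :", hunt_by_behavior(EVENTS))  # ['ws01', 'ws02', 'ws03']
```

Behaviour hits still need triage, since legitimate add-ins can also launch child processes from user paths; the point is that the rebuilt tool on ws02 and the script-host abuse on ws03 are invisible to the hash rule.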