Threat Hunting – A Proactive Approach to Secure Cyber Posture

Muneeb Imran Shaikh
Information Security | Cyber Threat Intelligence Specialist | Governance, Risk Management Specialist
Threat hunting is a proactive and iterative effort to search your organizational infrastructure for anomalous activity that has evaded existing security defences.

What is Threat Hunting’s Goal?

The goal of threat hunting is to reduce the time between an attacker's initial compromise and the discovery of that attacker in the environment, a period also known as dwell time.

Possible reasons for evading detection:

  • New techniques adopted by attackers.
  • Zero-day exploits.
  • Lax administration of detection technologies.
  • Limitations of detection technologies.

It is important to note that the above list is not exhaustive. It is also essential to take note of the following before we move on to define the Threat Management process and procedures.

  • Threat hunting is not a binary process with a success or failure result every time: not every hunt unmasks an adversary. There will be occasions where the data required for a thorough investigation is missing, so relationships to specific adversaries cannot be established with certainty; that does not, however, mean that attackers have no presence in the organization. An organization must understand that such hunting exercises lead to secondary investigations, which can provide a better understanding of attackers’ motivations, targets and campaigns, and can also give the organization better insight into its own infrastructure and help uncover its blind spots.


  • Bear in mind that as hunting exercises begin and investigators start digging through mounds of data, it may cause uneasiness in other divisions of your organization. This primarily stems from the fact that many people do not like to be questioned and see it as an attempt by the threat hunting team to step on their toes and infringe on their privacy. It is therefore essential that all stakeholders are brought on board so that they fully understand and cooperate with the activities mandated by threat hunting exercises.


  • A threat hunting program must aim to track malicious actors’ TTPs and behaviour, which can effectively reduce dwell time. Subscribing to threat intelligence feeds from either open source or commercial sources can be beneficial in this regard. Some of the known commercial threat intelligence providers also offer incident response and retainer services and can therefore be considered a reliable source of threat intelligence.


  • A threat hunting process that utilizes threat intelligence from reliable sources can effectively uncover new TTPs and behaviours that have not yet been discovered, and can therefore provide unique insights into adversaries’ capabilities, motivations and the campaigns they are part of. This process leads to the generation of actionable intelligence, which can be further disseminated across stakeholders and the community at large.

Core Values of a Threat Hunting Exercise

While establishing the Threat Management function in your organization, which is also expected to carry out threat hunting, it is imperative that you identify the core values of your team and build the ethos of the Threat Management function around those core values.

Some of the key values essential to drive your Threat Management function are listed below; note that this list is not exhaustive.

1. Assume the Breach & Attack – Hunting begins with the presumption that a breach or an attack has already taken place and has not been identified by conventional detection mechanisms.

2. Understanding the Adversaries – Understanding how various adversaries leverage different tools in their campaigns, and what motivates the adversaries targeting your industry or region, helps in making correct assessments of malicious sightings in your organizational infrastructure.

3. Aim to Discover & Understand Unknowns – Leveraging threat intelligence in your hunting exercises enables you to find known unknowns through known TTPs, and as your hunting matures you begin to uncover new TTPs adopted by various adversaries.

4. Adopt an Iterative Approach – As highlighted earlier, threat hunting is not a binary process; it therefore demands creativity, out-of-the-box thinking and the ability to understand and construct a view of how pervasive an assumed breach is. As you find initial clues, use them to pivot further in your hunting exercises. This iterative approach allows you to connect the various parts of the jigsaw puzzle and create a story or narrative.

5. Establish & Test a Hypothesis – A hypothesis is an important starting point for your threat hunting and strengthens your iterative approach; however, teams must remain wary of biases when testing their hypothesis.

6. Adopt a Collaborative Approach – Before adopting a collaborative approach, it is imperative that the Threat Intelligence Platform (TIP) that houses your threat intelligence is integrated with the other security devices in your organization, such as firewalls, the SIEM, the vulnerability management tool and sandboxing tools, so that it does not function in a silo. These integrations create an environment for collaboration among the different sub-functions of information security. Remember that each threat analyst has his or her own expertise, and since threat hunting is an iterative process, it is imperative that each analyst picks up where their predecessor left off in threat investigations and contributes to widening the threat purview.

Please refer to the diagram below, which shows the framework of integrations that I propose around the Threat Intelligence Platform. Some of these integrations may be limited by the TIP's capability to integrate with other security solutions, while some TIPs may offer further integration capabilities, such as integration with Exchange Server and Active Directory to pull emails from mailboxes and keep a copy of Active Directory identities in the TIP. However, I would caution against integrating these entities with the TIP without engaging your Data Governance and Protection teams, since it can create privacy issues for the users whose emails are fed into the Threat Intelligence Platform.



Threat Hunting Classification:

1. Driven by Hypothesis: This stems from a risk-based approach, where an organization that has performed a thorough risk assessment of its mission-critical assets intends to understand the existing threats to its crown jewels. Such hunting exercises are therefore driven by a hypothesis, and they use incoming threat intelligence as an important component to initiate and drive the hunt and to generate further threat intelligence.

A hypothesis can be built from the inputs of a risk assessment, an understanding of your crown jewels, and an understanding of the various threat campaigns carried out by adversaries. The most significant aspect of a hypothesis-driven threat hunting exercise is the manner in which the team tests its hypothesis.

Remember that such exercises are iterative by nature and require a collaborative effort to reach a thorough conclusion.


2. Driven by Data: This is an approach in which teams look for potential malicious sightings in their environment based on the data or intelligence they receive, using it to search for similar signs through the SIEM, IDS/IPS, firewall logs, etc. In this approach, IoCs received either in an incident report or from OSINT are used by the team to drive the hunt. Such hunting exercises do not necessarily lead to an understanding of threat actors’ motivations.
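As an added illustration of the data-driven hunt just described and of the iterative pivoting from value 4 above (example code written for this page, not part of the original article), the script below takes a constructed IoC list and a constructed key=value log export, matches the IoCs, pivots from the hosts that touched them to the other indicators those hosts contacted, and repeats until no new leads appear. Every host name, address, domain and hash is made up; the IP addresses come from documentation ranges, and the `KNOWN_GOOD` allowlist stands in for destinations an analyst has already vetted.

```python
"""Data-driven hunt with iterative pivoting over constructed log data (added example)."""

# Constructed IoCs, as an incident report or OSINT feed might deliver them.
SEED_IOCS = {"203.0.113.45", "update-cdn.example", "00" * 32}   # TEST-NET IP, fake domain/hash
# Internal destinations an analyst has already vetted; never promoted to leads.
KNOWN_GOOD = {"sso.corp.example"}
INDICATOR_KEYS = ("dst", "dst_ip", "sha256")

# Constructed key=value export from a SIEM (proxy, firewall and EDR sources).
RAW_LOGS = """\
ts=2024-03-01T08:01:10Z src=proxy host=ws-017 user=alice dst=update-cdn.example
ts=2024-03-01T08:02:30Z src=fw host=ws-017 dst_ip=203.0.113.45 dport=443 action=allow
ts=2024-03-01T08:03:00Z src=proxy host=ws-017 user=alice dst=sso.corp.example
ts=2024-03-01T08:05:00Z src=edr host=ws-017 proc=updater.exe sha256={h1}
ts=2024-03-01T09:10:00Z src=fw host=ws-042 dst_ip=198.51.100.7 dport=443 action=allow
ts=2024-03-01T09:12:00Z src=edr host=ws-042 proc=updater.exe sha256={h1}
ts=2024-03-01T09:30:00Z src=proxy host=ws-099 user=bob dst=intranet.corp.example
""".format(h1="ab" * 32)   # constructed hash shared by two hosts: the pivot point

def parse(line):
    """Turn one key=value log line into a dict (values may themselves contain '=')."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def indicators(ev):
    """External indicators present in one event."""
    return {ev[k] for k in INDICATOR_KEYS if k in ev}

def hunt(events, seeds, max_rounds=3):
    """Pivot iteratively: indicators -> hosts that touched them -> new indicators on those hosts.
    Returns the implicated hosts and a dict mapping each new lead to the round it surfaced in."""
    known = set(seeds) | KNOWN_GOOD
    frontier, hosts, leads = set(seeds), set(), {}
    for rnd in range(1, max_rounds + 1):
        hosts |= {ev.get("host") for ev in events if indicators(ev) & frontier}
        new = set()
        for ev in events:
            if ev.get("host") in hosts:
                new |= indicators(ev) - known
        if not new:            # nothing further to pivot on: the hunt converges
            break
        leads.update({ind: rnd for ind in new})
        known |= new
        frontier = new         # next round searches only for the freshly found leads
    return hosts, leads

if __name__ == "__main__":
    evts = [parse(line) for line in RAW_LOGS.splitlines()]
    found_hosts, new_leads = hunt(evts, SEED_IOCS)
    print("implicated hosts:", sorted(found_hosts))
    for ind, rnd in new_leads.items():
        print(f"round {rnd}: lead {ind} (needs analyst review before it becomes an IoC)")
```

Leads surfaced by pivoting are candidates, not confirmed indicators: each one needs an analyst to decide whether it belongs in the IoC set or the allowlist before the next hunt.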

Threat hunting changes the operational gear and mindset of the Security Operations team: it proactively goes on the hunt, contrary to the norm of waiting for anomalous activity to occur or be identified, and it broadly helps the entire organization gain conviction about its security posture based on the results of its exercises rather than on the absence of observed anomalous activity.
