What Is Threat Hunting?

What Is Threat Hunting? | CDA.Wiki | CDA.Wiki

# What Is Threat Hunting?

Threat hunting is the proactive, analyst-driven process of searching networks, endpoints, and datasets to uncover adversary activity that automated detection systems have failed to surface. It exists because no detection system is complete. Attackers who understand how security tools work will deliberately operate beneath detection thresholds, use legitimate software to move laterally, and blend their activity into normal traffic patterns. Threat hunting addresses this directly: rather than waiting for an alert, a trained analyst forms a hypothesis about how an attacker might behave in the environment, then actively searches for evidence that confirms or disproves it. The output is either a confirmed threat that is escalated to incident response, or validated data that improves detection rules going forward. Both outcomes strengthen the organization's security posture.

---

Definition and Scope

Threat hunting is a structured, iterative security practice in which analysts proactively search for indicators of compromise, attacker behaviors, or anomalous conditions that have not triggered existing automated controls. The core distinction from traditional security monitoring is intent and initiation: monitoring is reactive (alerts drive investigation), while threat hunting is hypothesis-driven (the analyst drives the search before any alert fires).

Threat hunting is not the same as incident response. Incident response begins after a known compromise is confirmed; threat hunting begins before confirmation, sometimes before any indication of a problem exists. It is also distinct from penetration testing, which simulates attacks in a controlled manner to identify vulnerabilities. Hunting works on live production data and looks for real adversary presence, not simulated activity.

Threat hunting is not threat intelligence analysis, though intelligence heavily informs it. Intelligence tells you what threats exist in the world; hunting tells you whether those threats are present in your specific environment.

Variants and subtypes include:

Structured hunting: Driven by specific threat intelligence, such as a new MITRE ATT&CK technique attributed to a known actor targeting your sector. The analyst hunts for evidence of that specific technique.
Unstructured hunting: Driven by anomaly observation, where the analyst notices something unusual in telemetry and follows the thread without a predefined hypothesis.
Situational hunting: Triggered by an environmental change, such as a merger, a new third-party integration, or a recent vulnerability disclosure relevant to your technology stack.
Intel-driven hunting: Tied directly to threat intelligence feeds or government advisories, using indicators of compromise (IOCs) or tactics, techniques, and procedures (TTPs) from a specific threat actor as the starting point.

Each subtype serves a different purpose and requires different data sources, but all share the same foundational requirement: skilled analysts working with high-fidelity telemetry.

---

How It Works

Threat hunting follows a repeatable cycle with five core phases: hypothesis formation, data collection and preparation, investigation, discovery, and feedback.

Phase 1: Hypothesis Formation

Every hunt begins with a question. Good hypotheses come from three sources: threat intelligence (a known threat actor is actively targeting organizations in your vertical), environmental knowledge (a subsidiary was recently onboarded with unknown security controls), or observed anomalies (a subtle pattern in authentication logs does not match expected behavior for that user population).

A well-formed hypothesis is specific and falsifiable. "Attackers might be in our network" is not a hypothesis. "An attacker using a compromised service account may be performing lateral movement via Windows Management Instrumentation (WMI) on weekday evenings between 7 PM and midnight" is a hypothesis that can be tested with available data.

Phase 2: Data Collection and Preparation

Hunting requires telemetry. The quality of the hunt depends entirely on the quality and completeness of available data. Key data sources include endpoint detection and response (EDR) logs, DNS query logs, network flow data, authentication logs (Active Directory, Okta, Azure AD), process execution logs, and command-line argument captures.

A common failure point is discovering mid-hunt that the required data is either not collected or not retained long enough. Organizations should maintain at minimum 90 days of searchable log data for effective hunting, with 12 months preferred for detecting slow-moving persistent threats.

Phase 3: Investigation

The analyst queries the data, looking for behavior consistent with the hypothesis. Techniques include:

Stack counting: Aggregating a field (such as parent process names) across all endpoints to find statistical outliers. If powershell.exe is spawned by winword.exe on three endpoints out of 10,000, that is worth examining.
Baseline comparison: Comparing current behavior against established baselines. A user account that has never authenticated from outside the country suddenly logging in from Eastern Europe at 3 AM is a behavioral deviation that warrants investigation.
TTP mapping: Searching for specific behaviors described in MITRE ATT&CK. For example, hunting for evidence of credential dumping by searching for access to lsass.exe from non-standard processes.
Graph analysis: Mapping relationships between entities (users, endpoints, processes, connections) to identify unusual communication patterns or access chains.

Phase 4: A Concrete Scenario

An analyst receives intelligence that a financially motivated threat actor is actively deploying a remote access trojan (RAT) against financial services firms using spearphishing emails with malicious macro-enabled documents. The analyst forms a hypothesis: if this actor has targeted the organization, there may be evidence of macro execution leading to a child process calling out to an external IP.

The analyst queries EDR telemetry for any instance where a Microsoft Office process spawned cmd.exe or powershell.exe in the past 30 days. The query returns 14 results. Eleven are immediately explained by known administrative activity. Three are anomalous: winword.exe spawning powershell.exe, which then executed an encoded command and initiated an outbound connection to an IP address not seen elsewhere in network logs.

The analyst pivots to DNS logs and network flow data. The destination IP resolves to a domain registered 11 days prior with a privacy-protected registrar. The TLS certificate was issued 10 days prior. These are characteristics consistent with attacker-controlled infrastructure. The hunt has produced a confirmed incident, and incident response is engaged.

Phase 5: Feedback and Improvement

Regardless of outcome, every hunt should produce a detection artifact. If the hunt confirmed a threat, the indicators and behavioral patterns should be converted into detection rules or SIEM queries that will catch the same behavior automatically in the future. If the hunt found nothing, the data gap or telemetry coverage issue that limited the hunt should be documented and addressed.

This feedback loop is what differentiates mature threat hunting programs from one-off exercises. Each hunt improves the detection baseline.

---

Why It Matters

The practical value of threat hunting is measurable: it reduces dwell time. Dwell time is the period between initial compromise and detection. According to Mandiant's M-Trends reporting, the global median dwell time has historically exceeded weeks or months in environments that rely solely on automated detection. Every day an attacker operates undetected is a day they spend escalating privileges, exfiltrating data, establishing persistence, and mapping the environment.

Organizations without a threat hunting capability are, in effect, trusting that their detection rules are comprehensive and that attackers will behave in ways the rules anticipate. That assumption is routinely wrong.

A documented real-world consequence: The 2020 SolarWinds supply chain compromise (also referred to as the SUNBURST campaign) remained undetected across thousands of organizations for months. The initial access mechanism bypassed traditional signature-based detection because the malicious code was delivered inside a legitimately signed software update. Organizations that relied purely on automated detection did not catch it until FireEye's security team identified anomalous behavior during their own proactive hunting activity. Specifically, FireEye analysts noticed an unexpected device registered under an employee's account during a multi-factor authentication review, which initiated a broader investigation. That discovery, driven by human analysis rather than automated alerting, ultimately led to the exposure of one of the most significant espionage campaigns in recent history.

Common misconceptions:

"Threat hunting requires a large team." A single skilled analyst with good telemetry and a structured methodology can run effective hunts. Scale matters, but it is not a prerequisite to starting.
"If the SIEM has no alerts, there is nothing to hunt." This is exactly backwards. The absence of alerts is not evidence of absence. It is the core reason threat hunting exists.
"Threat hunting is only for large enterprises." Mid-sized organizations are frequently targeted precisely because their defenses are weaker. The need scales with the threat, not just the organization size.

---

CDA Perspective

CDA addresses threat hunting within the Threat Intelligence and Detection (TID) domain of the Planetary Defense Model (PDM). The PDM is structured around a foundational principle: organizations must be able to see threats before threats materialize into confirmed incidents. Within TID, threat hunting is not treated as an optional advanced capability reserved for mature programs. It is treated as a core operational function, applied continuously and systematically across the client environment.

CDA's methodology, Predictive Defense Intelligence (PDI), directly informs how hunts are structured. Rather than hunting reactively in response to public advisories alone, CDA analysts develop forward-looking hunt packages based on intelligence about threats likely to target a specific organization given its sector, technology stack, geography, and known adversary interest. This means a financial institution in the United States receives hunt packages informed by actors known to target that sector, including TTPs mapped to MITRE ATT&CK and correlated with telemetry patterns specific to that client's environment.

Operationally, CDA differentiates its approach in three ways. First, every hunt produces a detection artifact: a query, rule, or behavioral indicator that improves automated detection going forward. Hunting is not a standalone exercise; it directly feeds the detection engineering function. Second, CDA maintains a hunt library built from prior engagements, industry intelligence, and original research. This means analysts are not starting from zero on each engagement; they are applying refined, tested hypotheses against new environments. Third, CDA treats telemetry coverage assessment as a precondition of effective hunting. Before executing a hunt, analysts validate that the required data sources are available, correctly configured, and retained at adequate depth. A hunt executed against incomplete telemetry produces incomplete results and false confidence.

The PDI methodology frames threat hunting as an intelligence cycle, not a one-time event. Each hunt generates intelligence about the environment that refines the next hypothesis, continuously tightening the gap between attacker activity and detection.

---

Key Takeaways

Start with a specific, falsifiable hypothesis. Vague questions produce vague results. Define what attacker behavior you are looking for, in which data source, over which time window, before you begin querying.
Validate your telemetry before you hunt. If the data you need is not collected, retained, or accessible, address that gap first. A hunt is only as good as the data it runs against.
Every hunt should produce a detection artifact. Whether the hunt finds a threat or not, convert the behavioral logic into an automated detection rule. Hunting that does not improve your detection baseline is a missed opportunity.
Map your hypotheses to MITRE ATT&CK. Using ATT&CK as a framework ensures hunts are grounded in documented adversary behavior and creates a consistent vocabulary for communicating findings to stakeholders.
Track dwell time as a program metric. If threat hunting is working, dwell time decreases. If it is not measurably reducing the time between compromise and detection, re-evaluate hypothesis quality and telemetry coverage.

---

Sources

MITRE ATT&CK Framework - MITRE Corporation. "MITRE ATT&CK: Design and Philosophy." https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf

NIST SP 800-61 Rev. 2 - National Institute of Standards and Technology. "Computer Security Incident Handling Guide." https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

CIS Control 17: Incident Response Management - Center for Internet Security. "CIS Controls Version 8." https://www.cisecurity.org/controls/v8

Sqrrl (AWS) - "A Framework for Cyber Threat Hunting." https://www.threathunting.net/files/framework-for-threat-hunting-whitepaper.pdf

Mandiant M-Trends 2023 - Mandiant. "M-Trends 2023: Special Report." https://www.mandiant.com/m-trends

Table of Contents

Definition and Scope

How It Works

Why It Matters

CDA Perspective

Key Takeaways

Sources

Related CDA Missions

Related Articles

Format-Preserving Encryption

HTTP/2 Security

Certificate Transparency Logs

Discussion

The Academy

The Command Post

The Armory