Sage Advice - Cybersecurity Blog

An Introduction to Cyber Threat Hunting

cyber-threat-hunting.pngIn order to keep up with the deluge of new cyber threats and malware attacks, cyber threat hunting is becoming more popular. Cybercriminals continue to get more adept at using techniques and building tools that make it extremely difficult for traditional signature-based technologies to detect them. So difficult in fact, that it’s fairly common for an organization to not know an intrusion has occurred for days, weeks, or even months.

Passively monitoring for signs of malware and relying on traditional signature-based technology is not effective. That’s why we’re seeing a shift to a more proactive approach, including hunting for potential network threats, by many organizations.

What is Threat Hunting?

SANS defines threat hunting as a focused and iterative approach to searching out, identifying, and understanding adversaries internal to the defender’s networks. It’s a method of searching through networks and datasets to find advanced persistent threats that evade existing security defenses.

A Crowd Research Partners survey of the Information Security Community on LinkedIn revealed that many organizations are quickly discovering that cyber threat hunting is the next step in the evolution of the modern Security Operations Center (SOC) to combat an increasing array of sophisticated threats from attackers.

It’s important to note that Cyber Threat Hunting is not a technology. It takes highly-trained security experts for accurate and consistent threat detection.

The Tools of the Hunter

There are three important tools that a threat hunter needs.

  • Data. This should include log data from all your network devices, including servers, firewalls, databases, routers, switches, etc., along with all endpoint activity. It’s important to have a central location to assemble the data for analysis. This should include a process to aggregate, correlate, and normalize the millions of data points you’ll be collecting.

  • A Baseline of the Environment. One way to get a better understanding of your network's behavior is to baseline it over time. If you develop your network traffic baseline, and confirm the events in that baseline are expected and authorized, then you can spend less time looking at the noise on your network, and more time looking at those events that do not fit your baseline.

  • Current Threat Intelligence. With cyber-attacks increasing, the likelihood that many organizations are experiencing the same attack is also increasing. When such an incident occurs, the intelligence gathered – including what happened, how it was dealt with, and lessons learned – can teach you what to do in the same situation. Stay up-to-date on the current threat environment, so you can quickly understand and effectively respond to evolving threats.

10 Things Threat Hunters Watch For

From an article in ITWorld, here are 10 things a threat hunter watches for:

  1. Low and slow connections.
  2. Same number of bytes in and out.
  3. Suspicious sites.
  4. Failed logon attempts.
  5. Explicit credentials.
  6. Privilege changes.
  7. Signs of password dumping programs.
  8. Common backdoors.
  9. Dropper programs.
  10. Custom detections.

Benefits of Threat Hunting

The SANS 2017 Threat Hunting Survey found that 60% of organizations using threat hunting tactics are seeing measurable improvements in security. Of significance, 91% of those cited measuring improvement in both the speed and accuracy of response and in attack surface exposure. Other benefits mentioned were:

  • Reduced time from infection to detection.
  • Prevented spread of infection or lateral movement through network.
  • Reduced number of actual breaches based on the number of incidents detected.
  • Reduced exposure to external threats.
  • Reduced time and money spent on response.
  • Reduced frequency and number of malware infections.

Challenges of Threat Hunting

That same SANS study also found that while many organizations understand the need to adopt threat hunting practices, it’s not an easy task to undertake. “The inability to detect advanced threats and find expert security staff to assist with threat mitigation are the top two challenges SOCs are facing. As a result, about four in five respondents stated their SOC does not spend enough time searching for emerging and advanced threats.”

Many IT and security teams are already stretched thin, so it can be difficult to effectively focus on hunting. Plus it takes a highly-trained professional to hunt. They need to understand what they are reviewing and be able to read the context clues to piece an attack together.

Because the cybersecurity workforce shortage is projected to hit 1.8 million by 2022 [Source: ISC2], it could become even more difficult to find hunters moving forward. That’s why increasing number of organizations are looking to specialized security service providers, like Tyler Detect, to fill this gap.

While threat hunting may be a new buzz word circulating throughout the cybersecurity world, the concept of human analysts hunting threats is not new. In fact, for more than a decade Tyler Detect has employed this methodology to detect incidents before they become breaches.


As cyberattacks continue to soar, it's time to get proactive when protecting your network. You can’t simply sit back and wait for an automated alert to let you know you’ve been breached. You need to actively seek out potentially malicious behavior on your network. That’s why we’re seeing a shift to a more proactive approach... Cyber Threat Hunting. Learn how to defend your network. Learn more in the Sage Advice Guide to Cyber Threat Hunting.


Topics: Log Analysis, Threat Detection Tips, Cyber Defense, Threat Hunting

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More