Threat Hunting: 7 Ways to Reduce Risk


The process of actively looking for malware or intruders on your network is known as threat hunting. Using a security information and event management (SIEM) solution to carry out threat hunting is the widely accepted approach because it provides visibility into an organization's network, endpoint and application activity, any of which could show signs of an attack.

SIEM solutions centrally collect log data from various sources, including servers, firewalls, security solutions, antivirus (AV) and more. Threat hunting rests on an "assume compromise" mindset, one that helps security organizations mature and respond to today's increased number of threats.

The importance of threat hunting continues to increase as cybercriminals evolve and find new ways into organizations’ internal IT systems.

While most security tools are able to thwart roughly 80% of threats, 20% are still left undetected. These remaining threats are likely to be much more capable of causing catastrophic harm. This issue emphasizes the need for automated threat hunting, which greatly reduces the period between intrusion and detection.

Every threat hunt should start with a threat hunting hypothesis — a statement about a tactic or technique that is relevant to your organization. The hypothesis should be something that can be tested and result in an outcome of either true or false. Once a threat hunting hypothesis is ready, use these seven types of hunts to identify suspicious abnormalities indicative of threat activity:

1. Recognizing Suspicious Software

Attackers use locally-installed malware for a variety of purposes including control, persistence, automation and data exfiltration. However, malware must be active as a process on the endpoint in order for an attacker to use it. As a result, you can look for out-of-place software running on endpoints to spot potential attacks.


You can identify suspicious software in two ways: by process name or by process hash. You may be able to forward the log data from your endpoint detection and response (EDR) solution to your SIEM system, giving you more opportunities to identify suspicious applications.

IT receives a flat view of what is happening on a given endpoint when processes or hashes are monitored. However, when you incorporate other elements, like whether a process is typical for a specific user or which parent process gave rise to a potentially suspicious process, monitoring starts to focus more on endpoint or user behavior.

The same sources (i.e., security log, Sysmon and your EDR solution) can be used to gather information on which user or parent process initiated a new process, allowing you to identify the source in detail. These combinations give the background information required to decide if an investigation is necessary.

2. Scripting Abuse

Attackers attempting to avoid detection generally steer clear of introducing new programs that would alert IT to their presence. Instead, they use scripting languages that are already installed on the endpoint, namely Windows Scripting Host and PowerShell.

Keeping an eye out for scripting engine executions is the simplest threat hunt. The launching of a script is indicated by the CScript, WScript and PowerShell processes. Additional logging for Sysmon, PowerShell operational logs and command line parameter logging will likely be necessary to get this visibility.
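The following is an added example, not code from the article or from LogRhythm: it runs the hunts from sections 1 and 2 over constructed Sysmon-style process-creation records, judging each process by hash, by whether it is a script engine, by its parent process and by whether that user normally runs it. The hash values, host names, user names and baseline are all made up for illustration.

```python
from collections import namedtuple

# Constructed Sysmon-style process-creation record (hash values are made up).
Event = namedtuple("Event", "host user image sha256 parent")

# Constructed allowlist of hashes the organisation has already vetted.
KNOWN_GOOD_HASHES = {"aaaa1111", "bbbb2222", "cccc3333"}
# Script engines named in the article; their launch is the simplest hunt.
SCRIPT_ENGINES = {"cscript.exe", "wscript.exe", "powershell.exe"}
# Parents that rarely have a legitimate reason to spawn a script engine.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def hunt_processes(events, user_baseline):
    """Return (event, reason) pairs worth an analyst's attention.

    user_baseline maps each user to the set of images they normally run,
    so a process is judged against who ran it and what launched it, not
    just its name or hash."""
    findings = []
    for e in events:
        image, parent = e.image.lower(), e.parent.lower()
        if e.sha256 not in KNOWN_GOOD_HASHES:
            findings.append((e, "unknown hash"))
        if image in SCRIPT_ENGINES:
            reason = "script engine launched"
            if parent in SUSPICIOUS_PARENTS:
                reason += f" by {parent}"
            findings.append((e, reason))
        if image not in user_baseline.get(e.user, set()):
            findings.append((e, f"{image} not typical for {e.user}"))
    return findings


# Constructed sample events and per-user baseline.
SAMPLE = [
    Event("ws01", "alice", "notepad.exe", "aaaa1111", "explorer.exe"),
    Event("ws01", "alice", "powershell.exe", "bbbb2222", "winword.exe"),
    Event("ws02", "bob", "svchost.exe", "dddd4444", "explorer.exe"),
]
BASELINE = {"alice": {"notepad.exe", "winword.exe"}, "bob": {"outlook.exe"}}

if __name__ == "__main__":
    for ev, why in hunt_processes(SAMPLE, BASELINE):
        print(f"{ev.host} {ev.user} {ev.image}: {why}")
```

The first sample event produces no finding; the PowerShell launch is flagged twice (script engine spawned by Word, and not typical for that user) and the third event is flagged for an unvetted hash and for being unusual for that user.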

3. Antivirus Follow-Up

Enterprise-wide use of antivirus data can help you better identify whether, and where, malware is spreading throughout your environment. Consider antivirus log data as a potential source of post-threat intelligence that can assist in identifying any potential elevated privilege or network segmentation issues in your environment.

4. Persistence

Once an attacker has gained some level of control over an endpoint, they want to hold onto that control even if the endpoint is rebooted, the user logs off or a malicious process is terminated. Attackers ensure that the malicious code that establishes their control runs every time the system boots up or a user logs on by using well-known techniques for launching applications at startup.

A baseline of the users, processes and registry keys that change frequently can serve as the foundation for monitoring; beyond that, keep an eye on the relevant autostart keys and record as much detail as possible about each change.
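As an added example (not from the article or LogRhythm), the baseline approach above applied to the Run keys: constructed Sysmon-style registry value-set events are compared with a recorded baseline, and every new or changed autostart value is reported together with the process and user that wrote it, so an analyst can see whether an installer or something like a script host made the change. The value names, paths and trusted-writer list are constructed assumptions.

```python
# Well-known autostart locations; the hunt concentrates on writes to these.
AUTOSTART_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed baseline: (key, value name) -> command recorded at baseline time.
BASELINE = {
    (RUN, "HealthTray"): r"C:\Program Files\Vendor\healthtray.exe",
}
# Installers expected to touch Run keys; anything else gets a closer look.
TRUSTED_WRITERS = {"msiexec.exe", "setup.exe"}


def hunt_persistence(events, baseline=BASELINE, autostart=AUTOSTART_KEYS,
                     trusted=TRUSTED_WRITERS):
    """events: (host, user, image, key, value_name, data) registry-set records.

    Returns one (priority, description) per autostart value that is new or
    changed relative to the baseline, prioritised by who wrote it."""
    findings = []
    for host, user, image, key, name, data in events:
        if key not in autostart:
            continue                      # not a persistence location
        known = baseline.get((key, name))
        if known == data:
            continue                      # unchanged since the baseline
        change = "new" if known is None else "changed"
        priority = "review" if image.lower() in trusted else "investigate"
        findings.append((priority, f"{host}: {change} autostart '{name}' -> "
                                   f"{data} written by {image} as {user}"))
    return findings


# Constructed Sysmon-style registry value-set events.
SAMPLE = [
    ("ws01", "SYSTEM", "msiexec.exe", RUN, "VendorAgent",
     r"C:\Program Files\Vendor\agent.exe"),
    ("ws01", "alice", "wscript.exe", RUN, "HealthTray",
     r"C:\Users\alice\AppData\Local\Temp\upd.vbs"),
    ("ws01", "alice", "explorer.exe", r"HKCU\Software\Example\Settings",
     "Theme", "dark"),
    ("ws02", "SYSTEM", "svchost.exe", RUN, "HealthTray",
     r"C:\Program Files\Vendor\healthtray.exe"),
]

if __name__ == "__main__":
    for priority, text in hunt_persistence(SAMPLE):
        print(priority.upper(), text)
```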

5. Lateral Movement

The attacker's next step is to hop from endpoint to endpoint across the network until they locate the target system housing important data.

An early warning sign that a threat actor is trying to move laterally within the network is odd user or endpoint login combinations and anomalous network connections made between computers. It's vital to monitor for abnormal usage of privileged accounts or any indication they may have been compromised.
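An added example (not from the article or LogRhythm) of the lateral-movement hunt just described: constructed network-logon records are checked against a baseline of which hosts each account normally logs on to, and privileged accounts are additionally flagged when used from an unexpected source host or when they reach more hosts than a fan-out limit in the hunt window. Account names, host names and the limit are assumptions.

```python
from collections import defaultdict

# Constructed baseline: hosts each account normally logs on to.
BASELINE = {
    "alice": {"ws01"},
    "bob": {"ws02"},
    "svc-backup": {"srv-backup"},
}
PRIVILEGED = {"svc-backup", "domadmin"}
FANOUT_LIMIT = 2  # distinct destination hosts per account in the hunt window


def hunt_lateral(logons, baseline=BASELINE, privileged=PRIVILEGED,
                 fanout_limit=FANOUT_LIMIT):
    """logons: (user, source_host, dest_host) network-logon records.

    Flags user/endpoint pairs outside the baseline, privileged accounts used
    from hosts they never log on to, and privileged accounts fanning out
    across more hosts than fanout_limit."""
    findings = []
    dests = defaultdict(set)
    odd_sources = set()   # report each (user, source) pair only once
    for user, src, dst in logons:
        dests[user].add(dst)
        usual = baseline.get(user, set())
        if dst not in usual:
            findings.append(f"{user} logged on to {dst} from {src}: not in baseline")
        if user in privileged and src not in usual and (user, src) not in odd_sources:
            odd_sources.add((user, src))
            findings.append(f"privileged {user} used from {src}: unexpected source")
    for user, hosts in dests.items():
        if user in privileged and len(hosts) > fanout_limit:
            findings.append(f"privileged {user} reached {len(hosts)} hosts: fan-out")
    return findings


# Constructed logon records for one hunt window.
LOGONS = [
    ("alice", "ws01", "ws01"),
    ("alice", "ws01", "ws02"),
    ("svc-backup", "ws02", "srv-backup"),
    ("svc-backup", "ws02", "ws03"),
    ("svc-backup", "ws02", "fs01"),
]

if __name__ == "__main__":
    for line in hunt_lateral(LOGONS):
        print(line)
```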

6. DNS Abuse

Endpoints should only communicate with the configured DNS servers, using DNS requests of the proper size. Several methods exist for keeping an eye out for DNS misuse, including monitoring for changes to the hosts file or the DNS setup, enormous quantities of DNS traffic coming from a single endpoint (which indicates data being smuggled through port 53) and DNS rebinding requests.
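An added example (not from the article or LogRhythm) covering three of the DNS checks above over constructed query records: queries sent to a resolver other than the configured ones, oversized query names (tunnelling tools pack data into labels), and a single client exceeding a per-window query count. Resolver addresses, thresholds and the sample records are assumptions; hosts-file changes and rebinding need other data sources and are not covered here.

```python
from collections import Counter

CONFIGURED_DNS = {"10.0.0.53", "10.0.1.53"}   # constructed resolver addresses
MAX_QNAME_LEN = 100           # ordinary names are far shorter than this
MAX_QUERIES_PER_CLIENT = 3    # deliberately tiny for the constructed sample


def hunt_dns(queries, configured=CONFIGURED_DNS, max_len=MAX_QNAME_LEN,
             max_count=MAX_QUERIES_PER_CLIENT):
    """queries: (client_ip, server_ip, qname) records from DNS or firewall logs.

    Flags queries to resolvers other than the configured ones, oversized
    query names, and clients whose query volume exceeds max_count."""
    findings = []
    per_client = Counter()
    for client, server, qname in queries:
        per_client[client] += 1
        if server not in configured:
            findings.append(f"{client} queried unconfigured resolver {server}")
        if len(qname) > max_len:
            findings.append(f"{client} sent oversized query ({len(qname)} chars)")
    for client, n in per_client.items():
        if n > max_count:
            findings.append(f"{client} sent {n} queries in window: volume")
    return findings


# Constructed sample: one normal client, one bypassing the configured
# resolvers, and one sending long label-packed names at high volume.
LONG = "a" * 60 + "." + "b" * 60 + ".exfil.example"
SAMPLE = [
    ("10.0.5.10", "10.0.0.53", "intranet.example"),
    ("10.0.5.10", "10.0.0.53", "mail.example"),
    ("10.0.5.11", "203.0.113.1", "update.example"),
] + [("10.0.5.12", "10.0.0.53", LONG)] * 4

if __name__ == "__main__":
    for line in hunt_dns(SAMPLE):
        print(line)
```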

7. Bait the Bad Guy

Baiting an attacker widens the idea of a honeypot to encompass accounts, files, shares, systems and even networks as a means of detecting attacks without putting your production environment at risk.

In theory, you pick the elements of the environment you want to imitate, create a virtual environment to serve as the honeypot and then make that environment accessible by leaving open ports that are vulnerable to attack, using weak passwords and generally making it more appealing to attackers.


A layered security plan with various technologies in place to offer cutting-edge attack defense is not something every organization can afford. Using log data and a suitable cybersecurity solution can provide organizations with the ability to look for risks immediately instead of waiting for automated detection.

Threat hunting enables security teams to identify threats quickly by allowing them to see both leading and active indicators of attacks. Through threat hunting, organizations can lessen their threat surface by better understanding where their defenses are vulnerable, how attacks work and how to fix security flaws.

Sally Vincent
Threat Research Engineer

Sally Vincent is a Threat Research Engineer at LogRhythm. She is a network security engineer with broad experience in systems administration. She is especially focused on threat research and has experience in multiple industries (financial, healthcare, government, retail, MSSP) from SMB to enterprise size.