Threat Hunting Basics

Purpose and Scope

Threat hunting is the proactive search for adversary activity that has evaded existing detection mechanisms. Unlike alert driven investigations, hunting starts with a hypothesis about attacker behavior and seeks evidence to confirm or refute it.

Prerequisites

• Data access: SIEM or log aggregation platform with endpoint, network, and identity telemetry
• Baseline knowledge: Understanding of normal environment behavior and authorized tools
• MITRE ATT&CK familiarity: Ability to map hypotheses to tactics and techniques
• Query skills: Proficiency in your platform's query language (SPL, KQL, Lucene, SQL)

Detection Goals

Hunting aims to find:

• Attacker footholds that bypassed perimeter and endpoint controls
• Living off the land techniques using legitimate tools for malicious purposes
• Persistence mechanisms maintaining long-term access
• Lateral movement between systems
• Data staging and exfiltration activity

Hunting Workflow

1. Develop a Hypothesis

Start with a specific, testable statement:

• "Attackers may use encoded PowerShell commands to download second-stage payloads"
• "Compromised credentials may be used to access file shares outside business hours"
• "Phishing victims may have browser processes spawning unexpected child processes"

Ground hypotheses in threat intelligence, recent incidents, or known gaps in detection coverage.

2. Identify Data Sources

Determine which logs contain evidence for your hypothesis:

• Endpoint: Process creation, file writes, registry changes, network connections
• Network: DNS queries, HTTP/TLS metadata, flow records
• Identity: Authentication logs, privilege changes, group membership
• Cloud: API calls, resource creation, configuration changes

3. Build and Execute Queries

Translate your hypothesis into queries. Start broad and refine based on results:

• Use statistical analysis (rare values, outliers) to surface anomalies
• Stack results by user, host, or process to identify patterns
• Correlate across data sources for higher-fidelity findings

4. Analyze and Triage Results

For each finding, determine:

• Is this expected behavior for this user/system?
• Is there additional context that explains the activity?
• Does this warrant escalation to incident response?

5. Document and Iterate

Record your hypothesis, queries, and findings regardless of outcome. Negative results are valuable: they confirm detection coverage or help refine future hunts.

Common Hunting Techniques

Frequency Analysis

Identify rare or first-seen values. Attackers often introduce artifacts that stand out against normal baselines:

• Rare parent child process relationships
• First time service installations
• Unusual user agent strings

Stacking

Group results by key fields to find outliers. If 500 users run PowerShell with similar patterns but one runs encoded commands at 3 AM, that user warrants investigation.

Long Tail Analysis

Focus on the edges of distributions. Look at the least common values, most bytes transferred, or highest connection counts.

Validation and False Positives

• Cross reference findings with asset inventory and authorized software lists
• Check with system owners before escalating administrative activity
• Use threat intelligence to validate indicators
• Document known benign patterns to exclude from future hunts

Escalation Guidance

Escalate to incident response when:

• Activity aligns with known attacker TTPs and cannot be explained
• Multiple indicators correlate across time or systems
• Sensitive data access or exfiltration is suspected
• Persistence mechanisms are identified

References

• MITRE ATT&CK: attack.mitre.org
• MITRE D3FEND: d3fend.mitre.org
• CISA Hunt and Incident Response Program
• NIST SP 800-61: Computer Security Incident Handling Guide