Key Terms
Threat Hunting
A proactive, human-led security practice focused on searching for threats that have already evaded automated detection tools — working on the assumption that a sophisticated adversary may already be inside the network.
IoC (Indicator of Compromise)
A known artifact — such as a malicious IP address, file hash, or domain name — that indicates a system has been or is being compromised. IoCs are reactive; they document breaches that have already happened.
IoA (Indicator of Attack)
A behavioural pattern suggesting an attack is underway — such as PowerShell spawning from a Word process, or unusual outbound DNS queries. IoAs are predictive; they catch novel attacks without known IoCs.
Hypothesis-driven Hunting
A structured threat hunting method that begins with an assumption about attacker behaviour — informed by threat intelligence — and tests that assumption systematically against real telemetry data.

What threat hunting is

Threat hunting is the practice of proactively searching through an organisation's systems and logs to find evidence of attackers who have already bypassed automated defences. It is not waiting for an alert to fire. It is actively going looking for adversaries based on the assumption that they may already be inside.

This assumption is not paranoia — it is based on data. The average dwell time for a sophisticated attacker (the time between initial access and detection) is measured in months, not hours. During that window, the attacker is quietly exploring the network, mapping assets, escalating privileges, and preparing for the eventual objective — whether that is ransomware deployment, data exfiltration, or persistent access.

Threat hunting complements SIEM and EDR but does not replace them. Automated tools catch known, high-confidence threats quickly. Threat hunters address the gap: threats that are too novel, too subtle, or too patient to trigger existing detection rules.

Why organisations need threat hunting

The core argument for threat hunting is the dwell time problem. IBM's Cost of a Data Breach Report consistently documents that attackers in sophisticated intrusions go undetected for months. During that period, automated detection tools — SIEM, EDR, AV — generate no alerts because the attacker stays within the bounds of what those tools consider normal behaviour.

Advanced Persistent Threats (APTs) are specifically designed to evade automated detection. They use living-off-the-land techniques (abusing legitimate system tools rather than deploying malware), blend their traffic into normal network patterns, and move slowly to avoid triggering threshold-based detection rules.

SolarWinds SUNBURST

SolarWinds SUNBURST was active in US government networks for 9 months before detection. It used sophisticated OPSEC — blending into normal SolarWinds update traffic. Every automated tool missed it. A FireEye threat hunter noticed an unusual device registering for MFA — that single human observation broke the breach open.

The threat hunting process

Effective threat hunting follows a structured, cyclical methodology. Each completed hunt either confirms or denies the hypothesis — and either way produces output that improves the organisation's detection capability.

  1. Hypothesis Formation

     Based on threat intelligence, the hunter formulates a specific, testable hypothesis — for example: "An APT targeting our sector is known to use WMI for lateral movement. Are there anomalous WMI execution patterns in our environment over the last 30 days?" The hypothesis must be concrete enough to be testable against available data.

  2. Data Collection and Scoping

     Identify which data sources are required to test the hypothesis — EDR telemetry, SIEM logs, DNS query logs, network flow data. Confirm that the relevant data is available and has sufficient retention. Hunters are often limited by gaps in log coverage.

  3. Analysis and Investigation

     Query the data for patterns that support or contradict the hypothesis. This is the core investigative work — running searches, pivoting on interesting data points, building timelines, and distinguishing genuine anomalies from benign outliers.

  4. Findings and Response

     The hunt either confirms the hypothesis (an active or historical threat is found, triggering incident response) or denies it (the environment is clean for that specific technique, which is also valuable information). New IoCs or techniques discovered during the hunt are documented.

  5. Detection Improvement

     Hunt findings are converted into new SIEM detection rules or EDR behavioural alerts. Every completed hunt — regardless of whether a threat is found — should result in improved automated detection coverage. This is the compounding value of threat hunting over time.

IoCs vs IoAs

Understanding the distinction between Indicators of Compromise (IoCs) and Indicators of Attack (IoAs) is fundamental to threat hunting practice.

IoCs are known bad artifacts: a specific malicious IP address, a file hash associated with known malware, a C2 domain from a published threat report. IoC-based hunting is reactive — it looks for evidence of attacks that have already been documented. Against novel or zero-day attacks, IoCs are useless because no one has published them yet.

IoAs are behavioural patterns that indicate attacker activity regardless of the specific tools used: PowerShell executing from a Word.exe parent process, an account logging into 40 different systems within 10 minutes, regular outbound connections to an uncommon domain every 4 minutes (C2 beaconing pattern). IoA-based hunting catches novel attacks because adversary behaviour is more consistent than their tooling.

Mature threat hunting programmes use both. IoC matching on known threat intel provides fast, confident detection. IoA-based behavioural hunting catches what the IoCs miss.
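The five-step process above and the three behavioural patterns listed in this section, worked as an added example (not code from the original page): each function tests one IoA hypothesis against constructed telemetry embedded inline, and the thresholds (40 hosts in 10 minutes, a roughly 4-minute beacon period with small jitter) are assumptions chosen to match the page's own examples. All host names, account names and domains are made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data); timestamps are seconds.
PROC = [  # (time, host, parent_image, image)
    (100, "ws1", "explorer.exe", "winword.exe"),
    (160, "ws1", "winword.exe", "powershell.exe"),  # Office parent launching a shell
    (200, "ws2", "explorer.exe", "powershell.exe"),  # benign: started from the desktop
]
LOGONS = [(t, "svc_backup", f"srv{t // 15:02d}") for t in range(0, 600, 15)]  # 40 hosts
LOGONS += [(50, "alice", "ws1"), (400, "alice", "fs01")]  # (time, account, target_host)
CONNS = [(240 * i + (i % 3) * 2, "ws1", "cdn-updates.example") for i in range(8)]  # ~4 min
CONNS += [(t, "ws2", "mail.example") for t in (5, 90, 400, 410, 900, 1500, 1510, 2000)]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def office_spawning_shell(events):
    """IoA 1: an Office application as the parent of a shell or script host."""
    return [e for e in events if e[2].lower() in OFFICE and e[3].lower() in SHELLS]

def logon_fanout(events, max_hosts=40, window=600):
    """IoA 2: one account reaching max_hosts or more distinct hosts inside `window` seconds.
    Returns {account: distinct_hosts} for the first window that crosses the threshold."""
    by_acct = defaultdict(list)
    for t, acct, host in events:
        by_acct[acct].append((t, host))
    flagged = {}
    for acct, items in by_acct.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # sliding window anchored on each logon
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= max_hosts:
                flagged[acct] = len(hosts)
                break
    return flagged

def beacon_candidates(conns, min_count=6, max_jitter=0.1):
    """IoA 3: near-periodic connections to one domain. Flags a (host, domain) pair when the
    spread of its inter-arrival gaps is within max_jitter of the mean gap; returns the period."""
    series = defaultdict(list)
    for t, host, domain in conns:
        series[(host, domain)].append(t)
    hits = {}
    for key, ts in series.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_count and mean(gaps) > 0 and pstdev(gaps) <= max_jitter * mean(gaps):
            hits[key] = round(mean(gaps))  # seconds between beacons
    return hits
```

A confirmed hit is a step-4 finding to hand to incident response; the threshold that produced it is the step-5 candidate for a standing SIEM or EDR rule.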

Threat hunting tools

  • EDR platforms (CrowdStrike Falcon, Microsoft Defender for Endpoint): Provide the richest endpoint telemetry available — process trees, file system changes, network connections, registry modifications. The primary data source for most endpoint-focused hunts.
  • SIEM (Splunk, Microsoft Sentinel): Used for hunting across log data from multiple sources — AD, DNS, firewall, web proxy. SPL and KQL query skills are essential for efficient hunting at scale.
  • Threat Intelligence Platforms (MISP, ThreatConnect): Provide structured threat actor profiles, published IoCs, and TTPs from the wider security community. Used to build hunting hypotheses based on real adversary behaviour.
  • MITRE ATT&CK Framework: The adversary behaviour taxonomy that underpins most modern threat hunting programmes. ATT&CK catalogues over 200 real adversary techniques across the full attack lifecycle, mapped to the data sources needed to detect them.

Key figures

  • 287: average breach dwell time in days (IBM 2024)
  • 62%: of threats found by hunters not caught by automated tools
  • MITRE ATT&CK: catalogues 200+ adversary techniques used in real attacks