
2023 Guide to Threat Hunting

Introduction

As the prevalence and sophistication of today’s cyber threats continue to escalate, cyber threat hunting has become an essential component of an organization's overall cybersecurity strategy. Cyber threat hunting involves actively searching for threats and malicious activities within an organization's networks and systems, enabling proactive detection and mitigation. However, as the threat landscape evolves, new challenges emerge, requiring organizations to continually adjust and improve their threat hunting programs.

This eBook explores the history of threat hunting, current challenges, and best practices, and makes a few predictions about what lies ahead.



The History & Evolution of Threat Hunting

The history of [cyber] threat hunting can be traced back to the early days of firewalls and antivirus software, when security analysts relied on their own knowledge and familiarity with their networks to detect potential threats. In those days, information about malicious code was shared among security analysts only, with no public announcements or reckoning. This informal exchange of information often took place through email and IRC channels, and occasionally graced the pages of print and digital publications.

As the cybersecurity landscape evolved, so did the methods and tools used for threat hunting. Back in 2011, Richard Bejtlich — then director of incident response for GE-CIRT — wrote what may be the first article that described “threat hunting” in any meaningful way:

“To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise. These intruders can take the form of external threats who maintain persistence or internal threats who abuse their privileges. Rather than hoping defenses will repel invaders, or that breaches will be caught by passive alerting mechanisms, CTOps practitioners recognize that defeating intruders requires actively detecting and responding to them. CTOps experts then feed the lessons learned from finding and removing attackers into the software development lifecycle (SDL) and configuration and IT management processes to reduce the likelihood of future incidents…”



In the mid-2000s, the Air Force introduced the concept of
“hunting” as a more proactive approach to detecting and
responding to threats. This involved teams of security experts
performing “friendly force projection” on their networks,
combing through data and occupying systems to find advanced
threats. While they coined the phrase “hunter-killer” to describe
this process, civilian professionals eventually (thankfully) settled
on the term “threat hunting”.

Further evidence of the use of the term “hunt” can be found in a 2009 presentation from the NSA’s Vulnerability and Analysis Operations (VAO) group, on a slide discussing the spectrum of operations involved in effective cyber defense:

Threat hunting has evolved over time from a manual process, where security analysts sifted through data using their own knowledge and familiarity with the network to create hypotheses about potential threats. As the cybersecurity landscape evolved, threat hunting became more proactive and iterative, focusing on detecting and eliminating threats that may have already breached the network or an organization’s critical systems. The emergence of threat intelligence feeds and sharing communities, such as Information Sharing and Analysis Centers (ISACs), allowed for widespread sharing of threat intelligence, enriching detection tools and helping defenders stay ahead of emerging threats.

One of the first comprehensive surveys digging into the topic of threat hunting notes in its executive summary that:

“In 2016, three absolute facts are relevant when it comes to security: 1) an organization cannot prevent all attacks; 2) an organization’s network is going to be compromised; and 3) 100% security does not exist. This means that adversaries will breach your organization’s protection—if they haven’t already. The goal of security, then, is not just about stopping adversaries, but also about controlling and minimizing the overall damage from an incursion. The main method for finding adversaries already in our networks is threat hunting—an area on which security personnel are increasingly focusing their attention.”

Back then, organizations were still figuring out exactly what a threat hunting program should look like, both in terms of the human skill sets required and the right technology and data sources to achieve the stated goals. There was heavy reliance on known indicators of compromise (IOCs) and very manual analyses that utilized nascent platform tools, augmenting them — when needed — with customizable in-house tools.

Today, threat hunting involves leveraging proactive practices and “intelligent” technology to identify and mitigate malicious activities in an organization’s systems. It has become a hypothesis-driven approach to prevention, with the goal of informing an organization’s security posture and hardening attack surfaces to prevent incidents before they occur. The practice has also shifted from countering attacks to pre-empting them, with security teams focusing on detecting and remediating ongoing malicious events and activities inside the network. As a result, threat hunting programs and maturity levels can vary greatly from business to business, with organizations continuously improving, automating, and expanding their practices.



Challenges in Threat Hunting

While the challenges below are not all the challenges that threat hunters face
today, they are the ones that we see most often with our customers and
community.

Not Enough Resources
One of the major challenges in threat hunting is the scarcity of resources, including budget, time, and personnel. Organizations often face limitations in allocating sufficient financial resources to invest in advanced threat hunting technologies and tools, as well as in hiring and training skilled professionals. Additionally, the time required for thorough threat hunting activities can be demanding, especially when the resources available are limited. Without adequate resources, organizations may struggle to conduct comprehensive threat hunting operations, resulting in potential blind spots and increased vulnerability to emerging threats.

"Skills" Gap
Threat hunting is often perceived as an advanced skill set that requires specialized training and expertise. This perception creates a challenge, as organizations may struggle to find or develop professionals who possess the necessary hunting capabilities. The evolving nature of threats and the constantly changing tactics used by adversaries demand continuous skill enhancement and staying up-to-date with the latest threat intelligence. Addressing the skills gap requires investing in comprehensive training programs, fostering a culture of continuous learning, and encouraging cross-functional collaboration to build a proficient threat hunting team.

Pattern Recognition and Exposure to Diverse Data
Pattern recognition plays a vital role in threat hunting, enabling hunters to identify anomalies and detect potential threats. However, noticing patterns can be challenging, particularly when hunters lack exposure to certain types of data. Familiarity with diverse data sets, such as network logs, system behavior, and threat intelligence, enhances a threat hunter's ability to identify deviations from normal patterns. Acquiring experience and exposure to various data sources and threat scenarios is essential to develop the skills necessary for effective pattern recognition and successful threat hunting.

Too Much Data
The exponential growth of data in modern environments poses a significant challenge for threat hunters. With vast amounts of information generated by various sources such as logs, network traffic, and security sensors, it becomes increasingly difficult to identify relevant indicators of compromise (IOCs) and detect subtle signs of malicious activities. Threat hunters face the daunting task of filtering through massive data sets to extract meaningful insights and identify potential threats. The sheer volume and velocity of data can overwhelm even the most skilled hunters, making it crucial to leverage automated tools and advanced analytics techniques to effectively handle and analyze the data flood.



Need to Better Understand Your Own Threat Profile/Landscape
Not all organizations face the same threat landscape, and
understanding one's unique threat profile is critical for
effective threat hunting. Organizations must invest time
and resources in comprehensively mapping their
infrastructure, identifying critical assets, and understanding
potential vulnerabilities. Developing a threat model specific
to the organization's industry, technology stack, and risk
appetite helps prioritize threat hunting efforts and focus on
relevant threats. Lack of insight into one's own threat
landscape can lead to ineffective hunting strategies and
overlooking critical risks.
A Lot of Different Tooling
The diversity of available threat hunting tools and technologies presents a challenge in selecting the right ones for a particular team and its unique requirements. Each tool may have distinct features, capabilities, and limitations, making it essential for organizations to carefully evaluate and choose the most suitable options. Compatibility, integration, and interoperability between different tools can also be complex, leading to additional challenges in achieving a cohesive threat hunting infrastructure. Striking a balance between utilizing specialized tools and maintaining a manageable tooling ecosystem is crucial to ensure efficient and effective threat hunting operations.



Best Practices

Develop a Strong Hypothesis
A critical best practice in threat hunting is to establish a strong hypothesis before initiating the hunt. Drawing from the original Robert M. Lee and David Bianco SANS whitepaper, a hypothesis provides a focused direction for the hunt and helps guide the investigation. Utilizing frameworks such as MITRE ATT&CK can further enhance the hypothesis development process by providing a structured approach to identify specific artifacts or indicators of compromise (IOCs) associated with various threat scenarios. A well-defined hypothesis enables hunters to narrow their focus and increases the likelihood of identifying potential threats effectively.

In addition to the use of frameworks like MITRE ATT&CK, another valuable approach to developing a well-defined hypothesis for threat hunting is to leverage real-time threat intelligence about current attacks. Incorporating information about ongoing or recent cyber attacks can significantly enhance the accuracy and relevance of the hypothesis. By analyzing the tactics, techniques, and procedures (TTPs) used in these attacks, threat hunters can gain insights into the latest trends and patterns employed by threat actors. GreyNoise trends provides deep insight into services and devices being actively scanned for and further supports hypotheses on where to begin a hunt based on real-world data.



Determine Required Data
Once a hypothesis is established, it is essential to
determine the specific data needed to test the hypothesis.
Threat hunters should identify the relevant log sources and
data repositories that may contain indicators or evidence of
the suspected threat activity. If the necessary data is not
readily accessible, hunters should devise strategies to
obtain it, such as configuring appropriate logging systems,
implementing network monitoring solutions, or
collaborating with relevant teams to gain access. Ensuring
access to the required data is crucial for conducting
comprehensive investigations and validating or refuting the
hypothesis effectively.

IOC-Based Hunts vs. Behavior-Based Hunts
Threat hunting can follow two primary approaches: IOC-based hunts and behavior-based hunts. IOC-based hunts rely on predetermined indicators provided by external sources or previous investigations, allowing for a clear true or false determination. These hunts focus on identifying specific IOCs associated with known threats or malware in the environment. On the other hand, behavior-based hunts are more exploratory, aiming to uncover abnormal activities or suspicious behaviors regardless of the presence of a known threat.

Behavior-based hunts provide valuable insights into potential security weaknesses and help improve overall security posture, even if they don't directly detect an advanced persistent threat (APT). While it can be more challenging to detect malicious activity by identifying behavior and patterns of action, removing irrelevant logs by doing a first pass with GreyNoise data makes it easier to start digging into the logs that could prove to be more valuable to the hunt.
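The Best Practices above describe one pipeline: a hypothesis (here, "an external source is brute-forcing our login page"), the data needed to test it (web-server access logs), a first pass that removes known internet-wide scanner noise, and then an IOC-based hunt (exact match, true/false) alongside a behavior-based hunt (a pattern of action). The script below is an added example that is not part of this guide or of GreyNoise's tooling: the log lines, the IOC list, and the `KNOWN_SCANNERS` set are all constructed, and the scanner set stands in for whatever noise lookup you actually use rather than calling any real API.

```python
"""Added example: a noise-reduction pass, an IOC-based hunt, and a behavior-based hunt
run over constructed web-server access log lines (not the guide's own code)."""
import re
from collections import defaultdict

# Constructed sample log lines in an abbreviated Apache-style format, in chronological order.
# 198.51.100.10 fails /login four times and then succeeds; 203.0.113.7 probes common paths;
# 192.0.2.99 is a made-up address we will also place on a custom IOC list.
SAMPLE_LOGS = """\
198.51.100.10 - - [01/Jun/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.10 - - [01/Jun/2023:10:00:02 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.10 - - [01/Jun/2023:10:00:03 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.10 - - [01/Jun/2023:10:00:04 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.10 - - [01/Jun/2023:10:00:05 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.10 - - [01/Jun/2023:10:00:06 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [01/Jun/2023:10:01:00 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.7 - - [01/Jun/2023:10:01:01 +0000] "GET /phpmyadmin HTTP/1.1" 404 0
203.0.113.7 - - [01/Jun/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 404 0
192.0.2.55 - - [01/Jun/2023:10:02:00 +0000] "GET /reports HTTP/1.1" 200 2048
192.0.2.99 - - [01/Jun/2023:10:03:00 +0000] "GET /admin HTTP/1.1" 200 700
"""

# Constructed stand-in for a "known mass scanner" lookup (the first pass the guide describes).
KNOWN_SCANNERS = {"203.0.113.7"}
# Constructed custom IOC list, e.g. from a previous investigation.
CUSTOM_IOCS = {"192.0.2.99"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def parse_log(text):
    """Turn raw access-log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["size"] = int(ev["size"])
        events.append(ev)
    return events


def filter_noise(events, noise_ips):
    """First pass: drop events whose source is a known internet-wide scanner.
    Returns the kept events and how many were dropped, so the reduction is auditable."""
    kept = [ev for ev in events if ev["ip"] not in noise_ips]
    return kept, len(events) - len(kept)


def ioc_hunt(events, ioc_ips):
    """IOC-based hunt: exact match against predetermined indicators, a clear true/false."""
    return [(ev["ip"], ev["path"]) for ev in events if ev["ip"] in ioc_ips]


def behavior_hunt(events, min_failures=3):
    """Behavior-based hunt: a run of failed POST /login attempts from one source that is
    followed by a success. No indicator is needed; the pattern of action is the signal.
    The finding is labelled with the real ATT&CK technique ID for Brute Force (T1110)."""
    failures = defaultdict(int)
    findings = []
    for ev in events:  # sample events are already in chronological order
        if ev["method"] != "POST" or ev["path"] != "/login":
            continue
        if ev["status"] == 401:
            failures[ev["ip"]] += 1
        elif ev["status"] in (200, 302):
            if failures[ev["ip"]] >= min_failures:
                findings.append({"ip": ev["ip"], "failures": failures[ev["ip"]],
                                 "technique": "T1110"})
            failures[ev["ip"]] = 0  # a success resets the run for that source
    return findings


def run_hunt(text, noise_ips=KNOWN_SCANNERS, ioc_ips=CUSTOM_IOCS):
    """Hypothesis -> data -> noise pass -> IOC hunt and behavior hunt, returned as one report."""
    events = parse_log(text)
    kept, dropped = filter_noise(events, noise_ips)
    return {
        "events": len(events),
        "dropped_as_noise": dropped,
        "ioc_hits": ioc_hunt(kept, ioc_ips),
        "behavior_findings": behavior_hunt(kept),
    }


if __name__ == "__main__":
    print(run_hunt(SAMPLE_LOGS))
```

The noise pass runs before both hunts, so the `/phpmyadmin` and `/.env` probes from the constructed scanner address never reach the analyst; the IOC hunt then answers a yes/no question about the custom list, while the behavior hunt surfaces the brute-force pattern without any indicator at all. On real data the `min_failures` threshold and the success statuses should be tuned to the application's actual login flow.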

Screenshot of the DB2 Scanner tag in the GreyNoise Visualizer

Maintain your own threat intelligence
Commercial threat feeds provide organizations with a wealth of valuable indicators, including file hashes, domains, and comprehensive insights into the tactics and techniques employed by various threat groups. These feeds play a crucial role in enhancing threat hunting activities by enabling the identification of adversaries' operational patterns, which can be effectively mapped to the MITRE ATT&CK framework. By aligning alerts and observed activities with the MITRE ATT&CK matrix, organizations can not only identify gaps in their security posture but also gain valuable guidance on where threat hunters should focus their efforts.

Moreover, leveraging behavior-based hunting techniques can significantly enhance the effectiveness of threat hunting initiatives. By monitoring and analyzing anomalous behaviors within the network or endpoint environments, organizations can uncover potential indicators of compromise (IOCs) that may be missed by traditional signature-based detection methods. This proactive approach allows for the detection of previously unknown threats and helps in staying ahead of adversaries' evolving tactics.

To further augment threat hunting endeavors, maintaining a custom list of domains, IPs, and other relevant indicators becomes essential. Such lists can be actively monitored by the Security Operations Center (SOC) or used in conjunction with additional hunting activities. By continuously updating and refining this custom repository, organizations can focus their hunting efforts on specific threat actors or campaigns, improving the efficiency and effectiveness of their threat hunting program.
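A custom indicator repository is only useful if it is continuously updated and refined: the same IP arriving from a commercial feed and from an in-house incident should merge into one record that remembers both sources, and indicators nobody has seen in a long time should age out rather than generate alerts forever. The class below is an added example, not the guide's or GreyNoise's code; every feed entry, address, domain, and date in it is constructed, and the 30-day time-to-live is an arbitrary assumption to illustrate expiry.

```python
"""Added example: a small in-house indicator repository that merges sources, refreshes
last-seen dates, expires stale entries, and answers lookups (not the guide's own code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Indicator:
    kind: str                      # "ip" or "domain"
    value: str                     # normalised (lower-cased, stripped)
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)
    note: str = ""                 # free text: suspected actor, campaign, or ATT&CK technique


class IndicatorRepo:
    """Keyed by (kind, value) so the same indicator from two sources becomes one record."""

    def __init__(self, ttl_days=30):
        self.ttl = timedelta(days=ttl_days)  # assumed expiry window for this example
        self._items = {}

    @staticmethod
    def _key(kind, value):
        return kind, value.strip().lower()

    def add(self, kind, value, source, seen, note=""):
        """Insert a new indicator or refine an existing one (extra source, later last_seen)."""
        key = self._key(kind, value)
        ind = self._items.get(key)
        if ind is None:
            ind = Indicator(kind, key[1], first_seen=seen, last_seen=seen, note=note)
            self._items[key] = ind
        ind.sources.add(source)
        ind.first_seen = min(ind.first_seen, seen)
        ind.last_seen = max(ind.last_seen, seen)
        if note and not ind.note:
            ind.note = note
        return ind

    def expire(self, as_of):
        """Drop indicators not seen within the TTL; returns how many were removed."""
        stale = [k for k, ind in self._items.items() if as_of - ind.last_seen > self.ttl]
        for k in stale:
            del self._items[k]
        return len(stale)

    def match(self, kind, value):
        """Lookup used by the SOC or a hunt; None means the value is not on the list."""
        return self._items.get(self._key(kind, value))

    def __len__(self):
        return len(self._items)


def build_sample_repo():
    """Populate a repo from constructed feed and in-house entries (all values made up)."""
    repo = IndicatorRepo(ttl_days=30)
    entries = [
        ("ip", "192.0.2.99", "commercial-feed", datetime(2023, 5, 20), ""),
        ("ip", "192.0.2.99", "incident-2023-04", datetime(2023, 6, 1), "seen in April phishing case"),
        ("domain", "Evil.Example", "commercial-feed", datetime(2023, 6, 10), ""),
        ("domain", "old.example", "commercial-feed", datetime(2023, 3, 1), ""),
        ("ip", "198.51.100.200", "soc-watchlist", datetime(2023, 6, 14), ""),
    ]
    for kind, value, source, seen, note in entries:
        repo.add(kind, value, source, seen, note)
    return repo


def check_observations(repo, observations):
    """Run a batch of (kind, value) observations against the list and return the hits."""
    hits = []
    for kind, value in observations:
        ind = repo.match(kind, value)
        if ind is not None:
            hits.append((ind.value, sorted(ind.sources), ind.note))
    return hits


if __name__ == "__main__":
    repo = build_sample_repo()
    print("before expiry:", len(repo))
    print("expired:", repo.expire(as_of=datetime(2023, 6, 15)))
    print(check_observations(repo, [("ip", "192.0.2.99"), ("domain", "EVIL.EXAMPLE")]))
```

Normalising the key means a log that reports `EVIL.EXAMPLE` still matches the entry stored as `evil.example`, and keeping `sources` as a set gives the hunter the provenance needed to judge how much weight a hit deserves. Expiry is deliberately separate from matching so the SOC can decide when, and with what window, stale indicators are retired.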

By following these best practices, organizations can enhance their threat hunting capabilities and improve their ability to proactively detect and mitigate potential threats in their environments.



Future of Threat Hunting

While there are some estimates in the “History” chapter of this guide, there is no
definitive data on the exact percentage of organizations that have cyber threat
hunting programs. As noted, various IT and cyber news outlets do report that
only a minority of organizations currently have formal threat hunting programs
in place, with estimates ranging from 10% to 30% based on different [vendor]
surveys. So, one easy prediction is that more organizations will incorporate
cyber threat hunting into their regular activities, and some will form dedicated
teams.

This guide will emerge at or near the midpoint of 2023. As such, this
“predictions” section would be remiss if it did not discuss the future of cyber
threat hunting in the context of large language models (LLMs) and generative
pre-trained transformers (GPTs). Before we go there, we first need to
acknowledge that a common component of any future is the need for
organizations to do a much better and far more complete job of collecting,
organizing, storing, and maintaining relevant business operations data, asset
inventories, and IT/application configurations and logs.

Assuming organizations that want to keep pace with adversaries are engaged in threat hunting activities, and have embarked on said data-driven mission, it is quite conceivable that natural language processing models will be developed and refined for the aforementioned technical and process-oriented data. This will enable organizations to continually update the corpus of information accessible to LLM/GPT-enabled threat hunting systems, which will further enable those systems to more thoroughly answer questions from cyber threat hunters.

At this stage in 2023, we are realizing the impressive utility of giving LLM/GPT-based systems real-time access to network/internet resources to augment the precision and efficacy of their output. So, imagine a world where an organization has wired up all the necessary internal data sources, invested in a trustworthy LLM/GPT-enabled solution, and is determined to level up its cyber threat hunting practices. What might this look like?
Lofty Scenario: The Next “Log4j”
You most likely remember Log4j and Log4Shell. This zero-day vulnerability (and trivial exploit) in a ubiquitous IT/application component wrought havoc across many organizations. If a similar situation occurs in our envisioned future, our AI-enhanced security solution will provide far better information to defenders on what systems are in scope for potential compromise. That’s great for vulnerability managers, but how will it help threat hunters? Assuming the individual or team that handles threat hunting actions has ensured the LLM/GPT system is receiving, or at least has access to, the most up-to-date shared intelligence on proof-of-concept exploit code and known exploit activity at other organizations, they will be able to set up an automated job – with a single, human-language directive, such as “Continually update your knowledge base on current Log4j exploit activity and perform regular analysis of IT system and application log data for signs of similar activity.”

Those tasks used to be performed manually and took a considerable amount of analyst time. Now, while the vulnerability management team is working with IT to isolate and patch vulnerable systems, the threat hunters’ AI assistant will be continually monitoring the appropriate sources and providing significantly fewer false positives than teams deal with today.

More Realistic Scenario: “What Is This?”
The previous scenario is what one might expect to hear from an XDR or SIEM vendor. It makes almost impossible assumptions about the capabilities of typical IT and IT Security organizations. Most organizations are not going to fund those departments to levels sufficient to provide such capabilities.

One more realistic scenario is for cyber threat hunters to build or rely on a third-party system that is kept up-to-date on adversary tactics, techniques, and procedures. This will become easier to manage as more threat sharing and threat intelligence providers standardize on taxonomies and document models. Then, when traditional event/monitoring systems do fire off yet another alert, it will be possible to feed the context directly into a “what is this?” model that provides some explanation of the intent of the actions contained in the artifacts and then hazards an informed “guess” at whether the action is benign, harmful, or just “ignorable”.

You can see a naive version of this out today with something like ChatGPT. Pick any payload from ExploitDB, paste it into the chat interface and ask the model to analyze it. Imagine the increase in accuracy and efficacy in a similar system trained on and continually updated with robust threat intelligence data.



Bionic Scenario: “Threat Hunting Copilot”

Finding individuals with the right skillset to perform basic threat hunting tasks is not easy. Finding similar humans that can do more than pip install some Python helper tool (i.e., actually perform complex scripting or analytics tasks) is orders of magnitude more difficult.

Now, imagine a scenario where a threat hunter needs to scour a multitude of systems for evidence of compromise for a particular attack but is not very proficient in such a task. While present-day LLM/GPT “copilots” are, at best, mediocre, future ones will be far more reliable and enable hunters to deploy custom hunts much faster than they can today.

These “copilots” will also be able to summarize the deluge of threat information that is broadcast each day, and even sift out the items that are most meaningful to a given organization.

The future of cyber threat hunting will absolutely rely on increased data collection and management capabilities, but will be most successful when technology is used to augment the inherent superpowers of existing human analysts and hunters.



Conclusion

This eBook has explored the history, current challenges, and best practices of
cyber threat hunting, while also making predictions about the future of this vital
component of cybersecurity. Cyber threat hunting has evolved from a manual
process to a proactive and hypothesis-driven approach, enabling organizations
to detect and mitigate threats before they cause significant damage. However,
several challenges hinder effective threat hunting, including limited resources,
the skills gap, pattern recognition, data overload, and the need to understand
one's unique threat landscape. Implementing best practices such as developing
strong hypotheses, determining required data, and defining deliverables can
enhance threat hunting capabilities.

Looking ahead, it is predicted that more organizations will incorporate cyber threat hunting into their regular activities, with dedicated teams focusing on proactive detection and response. Additionally, the future of threat hunting is expected to involve leveraging large language models (LLMs) and generative pre-trained transformers (GPTs) to enhance the analysis of technical and process-oriented data. By continually updating the corpus of information accessible to LLM/GPT-enabled systems, organizations can improve their ability to answer questions and stay ahead of evolving threats.

The future of threat hunting holds promise for organizations that invest in data-
driven approaches and leverage advanced technologies. By adopting best
practices, addressing challenges, and embracing emerging trends, organizations
can enhance their threat hunting capabilities and strengthen their overall
cybersecurity posture.



Contextualize and automate threat hunting with GreyNoise.
GreyNoise provides visibility and deep context for
cyber threat intelligence analysts and threat
hunters. Learn more at greynoise.io.

greynoise.io
Copyright © 2023 GreyNoise, Inc.
