5 Threat Hunting Tips from a Seasoned Hunt Team

Threat Hunting Tips #1 — Know what is normal for your environment; then you will be able to spot the abnormal more easily.

Too many organizations have tried to jump into the deep end of the threat hunting pool without first knowing their environment, which is a recipe for chasing squirrels and rabbits and getting very little accomplished. Threat hunting is ultimately the practice of looking for the unknown in an environment, so understanding what counts as “business-as-usual” as opposed to “suspicious” or even “malicious” is critical. Concretely, that means knowing which accounts run scheduled tasks, which hosts use PowerShell remoting and other admin tooling, which servers are expected to talk to the internet, and what the routine volume of each of those looks like; an outlier only stands out against a baseline.

Threat Hunting Tips #2 — When building a hunt, start general and work your way to the specific based on your hypothesis. Doing so builds context and understanding of what you are looking at in your environment.

When threat hunters are first getting their feet wet in structured threat hunting, many of them struggle to build their first hypotheses. The process is challenging largely because they have tried to be too specific too early. Instead of jumping straight to the details, start with a more general hypothesis and narrow it in stages. Doing so shapes the hunt better and adds context along the way: each narrowing step tells you how much of the environment the broader condition covered, so the final hits are read against that context rather than in isolation.
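As an added illustration (not code from the original post), the Python sketch below applies Tips #1 and #2 to a small set of constructed process-creation records: it first baselines per-host PowerShell usage, then narrows a general hypothesis (“PowerShell is used for execution on endpoints”) in stages toward a specific one (“PowerShell with hidden-window or encoded flags on hosts that run it far more than their peers”), keeping the count at every stage as context. The record fields (host, user, image, cmdline), the sample records and the “twice the median” threshold are assumptions, not the schema or defaults of any particular EDR or SIEM.

```python
"""Baseline first, then narrow a hunt in stages (Tips #1 and #2).

Added illustration, not the original post's code. EVENTS is a constructed
set of process-creation records; the field names (host, user, image,
cmdline) and the 'twice the median' threshold are assumptions, not the
schema or defaults of any particular EDR/SIEM.
"""
from collections import Counter
import statistics

EVENTS = [
    # ws01..ws05: ordinary workstations, occasional PowerShell use
    {"host": "ws01", "user": "alice", "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
    {"host": "ws01", "user": "alice", "image": "excel.exe",      "cmdline": "excel.exe"},
    {"host": "ws02", "user": "bob",   "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"},
    {"host": "ws03", "user": "carol", "image": "chrome.exe",     "cmdline": "chrome.exe"},
    {"host": "ws04", "user": "dave",  "image": "powershell.exe", "cmdline": "powershell.exe -c whoami"},
    {"host": "ws04", "user": "dave",  "image": "powershell.exe", "cmdline": "powershell.exe -c ipconfig"},
    {"host": "ws04", "user": "dave",  "image": "powershell.exe", "cmdline": "powershell.exe -c net user"},
    {"host": "ws04", "user": "dave",  "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws05", "user": "erin",  "image": "powershell.exe", "cmdline": "powershell.exe -File deploy.ps1"},
    # srv01: build server, runs the same script on a schedule
    {"host": "srv01", "user": "svc_build", "image": "powershell.exe", "cmdline": "powershell.exe -File build.ps1"},
    {"host": "srv01", "user": "svc_build", "image": "powershell.exe", "cmdline": "powershell.exe -File build.ps1"},
    {"host": "srv01", "user": "svc_build", "image": "powershell.exe", "cmdline": "powershell.exe -File build.ps1"},
]


def baseline(events, image="powershell.exe"):
    """Tip #1: per-host launch counts for `image` and the typical (median) count.

    The median rather than the mean, so that one busy host cannot pull
    'normal' up to its own level.
    """
    per_host = Counter(e["host"] for e in events if e["image"] == image)
    typical = statistics.median(per_host.values()) if per_host else 0
    return per_host, typical


def hunt(events, image="powershell.exe", factor=2):
    """Tip #2: general -> specific, keeping the size of every stage.

    Stage 1 (general):  every launch of `image`.
    Stage 2:            launches on hosts running it more than `factor` x typical.
    Stage 3 (specific): of those, launches carrying hidden-window / encoded flags.
    """
    per_host, typical = baseline(events, image)
    stage1 = [e for e in events if e["image"] == image]
    noisy_hosts = {h for h, n in per_host.items() if n > factor * typical}
    stage2 = [e for e in stage1 if e["host"] in noisy_hosts]
    flags = ("-enc", "-w hidden", "-nop")   # common in malicious launches, also in some admin scripts
    stage3 = [e for e in stage2 if any(f in e["cmdline"].lower() for f in flags)]
    return {
        "typical_per_host": typical,
        "noisy_hosts": noisy_hosts,
        "counts": {"all_launches": len(stage1), "above_baseline": len(stage2), "flagged": len(stage3)},
        "hits": stage3,
    }


if __name__ == "__main__":
    result = hunt(EVENTS)
    print("typical launches per host:", result["typical_per_host"])
    print("hosts above baseline:", sorted(result["noisy_hosts"]))
    print("funnel:", result["counts"])
    for hit in result["hits"]:
        print("hit:", hit["host"], hit["user"], hit["cmdline"])
```

Run as-is, it reports a typical count of one launch per host, ws04 and srv01 above the baseline, a funnel of 10 launches, then 7, then 1, and a single hit on ws04. Note that the baseline alone also flags srv01, whose three launches are one scheduled build script; the stage counts keep that visible instead of hiding it behind the final hit, which is exactly the context Tip #2 is after.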

Threat Hunting Tips #3 — It is often better to hunt on things you know and understand and pivot outward from there than to hunt on things outside your expertise and try to pivot back to something you know.

One of the most common challenges new hunters encounter is that it is very easy to get out of your depth quickly. Not every information security professional is an expert in all areas, and the same is true in threat hunting. Starting from data you understand (a log source you administer, a protocol you know well) gives you solid footing from which to follow a thread into unfamiliar territory, rather than starting in the unfamiliar and hoping to find your way back.

Threat Hunting Tips #4 — Not every hypothesis will be successful, and some will fail outright. Don’t be discouraged; go back and test again!

Unlike threat protection and threat detection, threat hunting is far from a sure thing. The very nature of threat hunting means you are looking for the unknown, so not every hypothesis you hunt on will be successful. Most hunters know that while they may spend hours digging into a rabbit hole they uncovered, it is more likely that the hole will lead to a power user running PowerShell to save some time than to an advanced adversary looking to encrypt your domain controller. A hunt that ends in a benign explanation is not wasted: the explanation becomes part of your baseline, and the query that surfaced it can often be tuned and promoted to a detection.

And finally… #5 — Knowing your toolset and its data capabilities is just as important as executing your hunt. False negatives lurk around every corner if you have not validated that the data you expect actually exists in your tools.

While nearly everyone in the IT space understands that every tool and piece of technology is different and has specific limitations, security folks, and especially threat hunters, sometimes take that for granted. A query for encoded PowerShell command lines will return nothing from hosts where command-line auditing or script block logging was never enabled, and an EDR that does not collect a given field cannot be searched on it; a zero result in those cases says nothing about whether the technique was used, only that you cannot see it. Before trusting a hunt’s empty result, confirm that the event sources and fields the query depends on are actually being collected from the hosts in scope.
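As an added illustration of Tip #5 (not code from the original post), the Python below runs a data-coverage check alongside a hunt for encoded PowerShell over a constructed set of Windows events, and labels each host FINDING, CLEAN or NO VISIBILITY instead of simply returning hits. The record layout is an assumption standing in for whatever your SIEM or EDR returns; the event IDs are the real Windows ones, 4688 (process creation, whose command line is only populated when command-line auditing is enabled) and 4104 (PowerShell script block logging, only emitted when that policy is on).

```python
"""Validate data coverage before trusting a hunt's empty result (Tip #5).

Added illustration, not the original post's code. RECORDS is a constructed
set of Windows events as a SIEM might return them; the record layout is an
assumption. The event IDs are the real ones: 4688 (process creation, whose
command line is only present when command-line auditing is enabled) and
4104 (PowerShell script block logging, only present when that policy is on).
"""
from collections import defaultdict

RECORDS = [
    # ws01: both sources present, fields populated, nothing suspicious
    {"host": "ws01", "event_id": 4688, "image": "powershell.exe", "command_line": "powershell.exe -File backup.ps1"},
    {"host": "ws01", "event_id": 4104, "script_block": "Get-ChildItem C:\\backups"},
    # ws02: 4688 arrives but without a command line (auditing not enabled)
    {"host": "ws02", "event_id": 4688, "image": "powershell.exe"},
    {"host": "ws02", "event_id": 4104, "script_block": "Get-Service"},
    # ws03: no script block logging at all; only process creation is visible
    {"host": "ws03", "event_id": 4688, "image": "powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # ws04: full visibility, benign
    {"host": "ws04", "event_id": 4688, "image": "powershell.exe", "command_line": "powershell.exe Get-Date"},
    {"host": "ws04", "event_id": 4104, "script_block": "Get-Date"},
]

# What the hunt query depends on: each host must send these event IDs, and
# the listed fields must be populated; otherwise an empty result for that
# host means "no visibility", not "nothing happened".
REQUIRED = {4688: ["command_line"], 4104: ["script_block"]}


def coverage_report(records, required=REQUIRED):
    """Per host: which required event sources never appear, and which
    required fields are present on the event but empty."""
    hosts = sorted({r["host"] for r in records})
    seen = defaultdict(lambda: defaultdict(int))    # host -> event_id -> count
    empty_fields = defaultdict(set)                  # host -> {"4688.command_line", ...}
    for r in records:
        seen[r["host"]][r["event_id"]] += 1
        for field in required.get(r["event_id"], []):
            if not r.get(field):
                empty_fields[r["host"]].add(f"{r['event_id']}.{field}")
    missing_source = {}
    for h in hosts:
        absent = sorted(eid for eid in required if seen[h][eid] == 0)
        if absent:
            missing_source[h] = absent
    return {
        "hosts": hosts,
        "missing_event_source": missing_source,
        "empty_fields": {h: sorted(v) for h, v in empty_fields.items()},
    }


def hunt_encoded_powershell(records):
    """Hypothesis: encoded PowerShell, visible in the 4688 command line or the 4104 script block."""
    hits = []
    for r in records:
        text = (r.get("command_line") or r.get("script_block") or "").lower()
        if "-enc" in text or "frombase64string" in text:
            hits.append(r)
    return hits


def run_hunt(records):
    """Label every host FINDING, CLEAN, or NO VISIBILITY rather than only
    returning hits: CLEAN is claimed only where the data to prove it exists."""
    cov = coverage_report(records)
    hit_hosts = {r["host"] for r in hunt_encoded_powershell(records)}
    verdict = {}
    for h in cov["hosts"]:
        if h in hit_hosts:
            verdict[h] = "FINDING"
        elif h in cov["missing_event_source"] or h in cov["empty_fields"]:
            verdict[h] = "NO VISIBILITY"    # the false negative Tip #5 warns about
        else:
            verdict[h] = "CLEAN"
    return verdict, cov


if __name__ == "__main__":
    verdict, cov = run_hunt(RECORDS)
    for h, v in verdict.items():
        print(f"{h}: {v}")
    print("missing event sources:", cov["missing_event_source"])
    print("empty required fields:", cov["empty_fields"])
```

On the sample data ws01 and ws04 come back CLEAN, ws03 is a FINDING (the encoded launch was caught in the 4688 command line even though the host sends no 4104 events, and the coverage report still records that gap), and ws02 is NO VISIBILITY: it sends 4688 events, but with no command line populated, so a plain hunt would have reported it as clean. Without the coverage report, ws02 is a silent false negative.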

Conclusion

Threat hunting continues to be a hot topic in the infosec community, but true threat hunting remains elusive, especially for those just starting out. The important thing to remember is that threat hunting is an iterative process, both in doing it and in learning it. So practice, practice, practice. And if you are trying to get into threat hunting, why not try out our free threat hunting workshop!

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.