Moving the Needle Forward on Threat Hunting

The Definition of Threat Hunting

Before we get into the weeds on the misused or redefined types of threat hunting, it probably would help to give the quick and dirty definition of threat hunting. For our purposes, we will define threat hunting as:

IOC “Hunting,” or Security Analysis?

This is perhaps the most common misuse of the term ‘threat hunting.’ Its proponents typically define it as “hunting” across an environment for a given indicator of compromise (IOC) that they have acquired. These IOCs are usually broken down into IP addresses, domains, full URLs, filenames, and hashes; there are more, but these are the most common. When an organization gets hold of such IOCs, it will typically search its environment to see whether they have previously been observed and, depending on the reliability of each indicator, may deploy it into one or more of its security platforms for future detection.
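To make concrete what an IOC sweep actually does (and does not) involve, here is an added example that is not code from the original post or from Cyborg Security. It extracts the five common observable types named above from constructed proxy, EDR and DNS log lines, matches them against a constructed indicator list, and then picks out which indicators are reliable enough to push into a detection platform. The log lines, indicator values and the “high”/“low” reliability labels are all constructed for illustration.

```python
"""IOC sweep over constructed log lines.

Added example, not code from the original post or from Cyborg Security.
Every log line, indicator value and reliability label below is constructed.
"""
import re
from collections import defaultdict

# Constructed indicators keyed by type. The reliability tag is hypothetical:
# 'high' stands for a vendor-confirmed indicator, 'low' for unvetted OSINT.
IOCS = {
    "ip":       {"203.0.113.45": "high", "198.51.100.7": "low"},
    "domain":   {"update-cdn.example.net": "high"},
    "url":      {"http://update-cdn.example.net/dl/stage2.bin": "high"},
    "filename": {"svch0st.exe": "low"},
    "hash":     {"0123456789abcdef0123456789abcdef": "high"},
}

# Constructed proxy / EDR / DNS events (not real telemetry).
LOG_LINES = [
    "2024-03-01T10:02:11Z proxy src=10.0.0.12 dst=203.0.113.45 "
    "url=http://update-cdn.example.net/dl/stage2.bin",
    "2024-03-01T10:02:15Z edr host=ws-42 file=C:\\Users\\a\\AppData\\svch0st.exe "
    "md5=0123456789abcdef0123456789abcdef",
    "2024-03-01T10:05:00Z proxy src=10.0.0.19 dst=93.184.216.34 url=http://www.example.com/",
    "2024-03-01T10:07:42Z dns host=ws-07 query=update-cdn.example.net answer=203.0.113.45",
]

# One extractor per observable type. Candidates that are not on the IOC list
# are simply ignored, so over-matching (e.g. 'stage2.bin' as a domain) is harmless.
PATTERNS = {
    "ip":       re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":      re.compile(r"https?://[^\s\"']+"),
    "domain":   re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "filename": re.compile(r"[^\\/\s=]+\.(?:exe|dll|bin|ps1)\b", re.I),
    "hash":     re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I),
}


def sweep(lines, iocs):
    """Return {ioc_type: {ioc_value: [line indexes where it was seen]}}.

    This is the 'have we seen it before?' step: a retrospective search of
    existing telemetry for known-bad values, nothing more.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for idx, line in enumerate(lines):
        for ioc_type, pattern in PATTERNS.items():
            for candidate in pattern.findall(line):
                # URLs are compared as-is; everything else case-insensitively.
                key = candidate if ioc_type == "url" else candidate.lower()
                if key in iocs.get(ioc_type, {}):
                    hits[ioc_type][key].append(idx)
    return {t: dict(v) for t, v in hits.items()}


def deploy_candidates(iocs, required="high"):
    """Indicators reliable enough to load into a detection platform.

    Low-reliability values (a generic filename, an unvetted IP) are kept for
    the sweep but not deployed, to avoid a flood of false positives.
    """
    return sorted(
        (ioc_type, value)
        for ioc_type, values in iocs.items()
        for value, reliability in values.items()
        if reliability == required
    )


if __name__ == "__main__":
    for ioc_type, found in sweep(LOG_LINES, IOCS).items():
        for value, lines in found.items():
            print(f"{ioc_type:8} {value} seen on lines {lines}")
    print("deploy:", deploy_candidates(IOCS))
```

Note what the sweep does not do: it never asks what the host did after contacting 203.0.113.45, and it finds nothing if the adversary rotated to infrastructure that is not yet on the list. That is the gap the rest of this post is about.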

External Threat Hunting, or Reconnaissance and Vulnerability Assessment?

Another one of the more curious “redefinitions” of the term threat hunting is that of ‘external threat hunting.’ It is an interesting case because even the term itself is used for multiple practices, none of which are threat hunting.

External Threat Hunting, or Data Visualization and Enrichment?

The second use of the term ‘external threat hunting’ is perhaps even more curious. It describes the function of specific tools that connect relationships between IOCs, leaked credentials, and a hodgepodge of additional data, information, and refined intelligence, usually with a visual element to allow for easy mapping. Typically, these tools do not ingest data from an environment; rather, they require a manual transfer of the data, which they then enrich and contextualize with WHOIS lookups, passive DNS, or similar sources.
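The enrichment-and-mapping function described above reduces to building a graph and pivoting through it. The following added example (not code from the original post or from Cyborg Security, and not a model of any particular product) does exactly that over constructed passive DNS and WHOIS records: domains link to the IPs they resolved to and to their registrant, and a breadth-first pivot from a seed indicator returns everything within a chosen number of hops. All domains, IPs and registrant addresses are constructed.

```python
"""IOC enrichment and pivoting over constructed passive DNS / WHOIS data.

Added example, not from the original post or Cyborg Security. The records
below are constructed stand-ins for what an enrichment tool would fetch.
"""
from collections import defaultdict, deque

# Constructed passive DNS observations: (domain, IP it resolved to).
PASSIVE_DNS = [
    ("update-cdn.example.net", "203.0.113.45"),
    ("mail-relay.example.net", "203.0.113.45"),
    ("login-portal.example.org", "198.51.100.7"),
    ("www.example.com", "93.184.216.34"),
]

# Constructed WHOIS registrant contact per domain.
WHOIS = {
    "update-cdn.example.net": "registrant@example.net",
    "mail-relay.example.net": "registrant@example.net",
    "login-portal.example.org": "registrant@example.net",
    "www.example.com": "hostmaster@example.com",
}


def build_graph(pdns, whois):
    """Undirected graph of typed nodes: ('domain', d), ('ip', a), ('registrant', e).

    Passive DNS contributes domain<->ip edges, WHOIS contributes
    domain<->registrant edges. This is the 'relationship mapping' the
    enrichment tools draw for you.
    """
    graph = defaultdict(set)
    for domain, ip in pdns:
        graph[("domain", domain)].add(("ip", ip))
        graph[("ip", ip)].add(("domain", domain))
    for domain, email in whois.items():
        graph[("domain", domain)].add(("registrant", email))
        graph[("registrant", email)].add(("domain", domain))
    return graph


def pivot(graph, seed, max_hops=2):
    """Breadth-first pivot from seed; returns {node: hop distance} within max_hops.

    Bounding the hop count matters: one shared IP or a common registrant
    can pull in thousands of unrelated domains, so an unbounded pivot is
    noise, not intelligence.
    """
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if distance[node] >= max_hops:
            continue
        for neighbour in graph.get(node, ()):
            if neighbour not in distance:
                distance[neighbour] = distance[node] + 1
                queue.append(neighbour)
    return distance


def related_domains(graph, seed, max_hops=2):
    """Just the domain names reachable from seed, sorted, excluding the seed itself."""
    return sorted(
        name
        for (kind, name), hops in pivot(graph, seed, max_hops).items()
        if kind == "domain" and (kind, name) != seed
    )


if __name__ == "__main__":
    g = build_graph(PASSIVE_DNS, WHOIS)
    seed = ("ip", "203.0.113.45")
    for node, hops in sorted(pivot(g, seed, max_hops=3).items(), key=lambda kv: kv[1]):
        print(hops, node)
```

Everything this code touches was handed to it; nothing here looks at endpoint or network telemetry from an actual environment, which is precisely why it is enrichment rather than hunting.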

Conclusion

One of the most important takeaways from this blog is, simply, that the fact that these things aren’t “threat hunting” should not trivialize them. Quite the opposite: all of these are practices that every organization should have in place. However, it is equally true that none of them are threat hunting. Now, you may ask why that matters.

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.