Threat Hunting in the Modern SOC

Mounika Raghavarapu   

Modern threats are more evasive than ever, and conventional defences, even leading antivirus products, are not enough to stop advanced attacks. Security teams face a wide range of threats, from malware, ransomware and file-less attacks to cyberespionage. The major challenge for many security teams is not the sheer number of risks but the repetitive work of prioritizing incidents and sorting through an endless backlog of alerts every day. A proactive threat hunting capability is what organizations need to stay ahead of modern attackers.

Now let's understand what "threat hunting" actually means.

Threat hunting is the process of proactively and intensively searching throughout the network to expose threats that are lurking undetected.


Why is Threat Hunting Required?

Alerting from Security systems is important, but it cannot be the only focus of a detection program. The primary goals of a hunting program should be to improve detection by prototyping new ways to detect malicious activity and then turning those prototypes into effective new automation methods.

There are no "one size fits all"-type solutions in threat hunting.

When conventional protections fail, threat hunting helps uncover advanced persistent threats (APTs) hidden in the network. General security hygiene practices, automated security tools, firewalls and antivirus are effective at stopping the majority of threats from entering the network. But once an intruder bypasses these measures and gets in, it is very difficult to identify their presence in the network with these traditional security mechanisms alone.

Research indicates that a cybercriminal spends an average of 191 days in an organization's network before being detected, which is more than enough time for the intruder to cause serious damage to the organization's data. After an attack is discovered, organizations generally perform a forensic investigation to evaluate the events that led to it. In contrast to a forensic investigation, threat hunting aims to uncover attackers who are lying in wait and stop them before they have the chance to do real damage.

An organization's automated security tools and tier 1 and tier 2 security operations centre (SOC) analysts are generally capable of containing and handling almost 80 percent of threats. But organizations still need to think about the remaining 20 percent, where there is a high chance that modern attackers are running advanced persistent threats (APTs) that can cause significant damage.

Unlike general and automated threats, attacks by advanced persistent attackers readily evade the advanced tools in place to restrict intruder activity and target the organization's network directly. Compared with a typical hacking attempt, an APT needs much more attention and significantly more effort from the response teams and the Security Operations Centre (SOC).

Pre-requisites for Starting Threat Hunting

Before starting a threat hunting program, organizations need a proper security setup that can ingest data from various sources and store it in a way that lets staff access it. A proper security setup should include security information and event management (SIEM), endpoint management, firewalls, network packet capture tools and antivirus. Apart from these automated blocking and monitoring tools, organizations also need access to threat intelligence resources, through which they can obtain indicators of compromise (IoCs) such as malware hashes, IP addresses and more.

Threat hunting is normally a tedious process that involves a lot of human effort to analyse huge data sets and detect threats in them. This calls for automated tooling that helps security teams slice and dice those large data sets into small chunks so that they can reveal what the data contains. Human effort plus automation is the best combination for threat hunting, so that no granule of the data goes unexamined.

There is no established threat hunting process that every organization can use, so the security team must have expertise in the organization's own network. Without being acquainted with the organization's systems and knowing how each dataset is supposed to look, it is very difficult to define how best to hunt for threats.

Threat Hunting Process 

Hypothesis-driven approach 

What is Hypothesis? 

A hypothesis is generally an assumption made about attacker behaviour. It is an actionable use case developed from the observations, intelligence and experience of the security team.

Three types of hypothesis: 

An analytics-driven hypothesis is derived using machine learning and UEBA (User and Entity Behaviour Analytics); these produce aggregated risk scores, which can themselves serve as hunting hypotheses.

A situational-awareness-driven hypothesis is derived by performing "crown jewel analysis (identifying the core missions, assets and data in the organization), enterprise risk assessments, and by analysing company- or employee-level trends".

An intelligence-driven hypothesis is derived from threat intelligence reports, vulnerability scans, threat intelligence feeds and malware analysis.

Operationalized Hunting 

Collect All Endpoint Data 

  • Leverage the EDR (Endpoint Detection and Response) sensor for a raw feed of endpoint telemetry

Establish Hypothesis:

  • New threat report
  • Map current detection capabilities to MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
  • "What does this look like on the endpoint?"
  • Hunt retrospectively within existing environments to validate the hypothesis

Detector Development:

  • Codify the behaviour seen in the component observations
  • Automatically identify that behaviour in the future

Threat Detection:

  • Look for suspicious and malicious behaviours in aggregate 

Triage and Investigation:

  • Analysts review events and either confirm the threat, suppress it, or automate handling of similar events in future
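The operationalized hunting loop above, worked through once in code as an added example that is not part of the original article or of Cymune's service: a hypothesis that Office applications should not spawn script hosts is hunted retrospectively over EDR-style process-creation events, then codified as a detector that honours the suppressions analysts record during triage. The hosts, users and telemetry are constructed, and the hypothesis is assumed for illustration.

```python
from collections import Counter

# Constructed EDR-style process-creation events (parent process -> new process).
TELEMETRY = [
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws-01", "user": "alice", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws-02", "user": "bob", "parent": "winword.exe", "image": "splwow64.exe"},
    {"host": "fin-07", "user": "carol", "parent": "excel.exe", "image": "cmd.exe"},
    {"host": "ws-03", "user": "dave", "parent": "outlook.exe", "image": "mshta.exe"},
    {"host": "ws-03", "user": "dave", "parent": "explorer.exe", "image": "cmd.exe"},
]
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def office_spawns_script_host(event):
    """Hypothesis (assumed for this example): an Office application should not
    normally launch a command shell or script host on this estate."""
    return event["parent"].lower() in OFFICE_APPS and event["image"].lower() in SCRIPT_HOSTS

def baseline(events):
    """'What does this look like on the endpoint?': count parent->child pairs
    so the hunter sees what is common before judging what is rare."""
    return Counter((e["parent"].lower(), e["image"].lower()) for e in events)

def hunt(events, hypothesis):
    """Retrospective hunt: apply the hypothesis to already-collected telemetry."""
    return [e for e in events if hypothesis(e)]

def detect(event, suppressions):
    """Codified detector for future events; 'suppressions' holds
    (host, parent, image) triples an analyst confirmed benign during triage."""
    if not office_spawns_script_host(event):
        return None
    key = (event["host"], event["parent"].lower(), event["image"].lower())
    if key in suppressions:
        return None
    return {"rule": "office_spawns_script_host", "host": event["host"],
            "user": event["user"], "parent": event["parent"], "image": event["image"]}

def run_detector(events, suppressions):
    """Run the detector over a batch and keep only the alerts it raises."""
    return [a for a in (detect(e, suppressions) for e in events) if a]

if __name__ == "__main__":
    hits = hunt(TELEMETRY, office_spawns_script_host)
    print(f"hunt matched {len(hits)} of {len(TELEMETRY)} events")
    # Triage outcome (constructed): fin-07's Excel -> cmd.exe is a known finance macro.
    approved = {("fin-07", "excel.exe", "cmd.exe")}
    for alert in run_detector(TELEMETRY, approved):
        print(alert)
```

The hunt surfaces three candidate events; after triage suppresses the known-good pair on fin-07, the codified detector raises only the two remaining alerts on future runs.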

Threat Hunting Models 

Not all hunts have the same objective. 

Continuous model: Parts of the attacker lifecycle are best detected by hunting. To scale, hunt for specific targets and combine those hunts into a series that serves one objective.

Complementary model: Hunting is not monitoring, but it can be used as a stopgap while monitoring is put in place, reducing the interim risk.

Adversary model: IT staff may know all of your opponents' moves, but do they know whether they can find them across every stage of the attacker lifecycle?

R&D model: Hunting changes as your organization's landscape changes. Make sure to allow for innovative hunting into the unknown.

Cymune’s Cyber Threat Hunting Service is part of our Managed Detection and Response Service (MDR). With MDR, you not only get a robust Threat Hunting mechanism to secure your enterprise but also Security Monitoring, Incident & Event Analysis, Incident Response, Breach Management, and SOC & NOC Monitoring.

Why stop with threat hunting alone, when you can get accompanying advisory services for handling all the technical and business aspects of your cybersecurity? Leverage a managed service that can enable you to secure your enterprise.