Many organizations only perform reactive threat-hunting, searching for threats once it’s obvious that their environment has been compromised. A mature threat-hunting program requires proactive hunts, searching for threats that may or may not exist. This requires a different approach to the hunt since the lack of a clear threat means that there is no clear starting point, endpoint or path through the hunt.
The threat-hunting process
Threat-hunting is a multi-stage, cyclic process. Ideally, threat hunts are proactive: without a known threat, the hunter does not start out knowing exactly what they are looking for. As a result, the first stage of the hunt is defining its purpose. Once a goal is defined, the hunter can collect and analyze data and cycle through the phases of the hunt until a threat is detected or the hypothesis is disproven. If a threat is detected, remediation and response are necessary to purge it from the environment.
Defining the hunt
When performing a threat hunt, the first thing to do is to figure out what you are hunting. The wide variety of potential threats and the sea of potential data to collect means that an undirected hunt is likely to miss things.
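The cycle described above (define the purpose, collect and analyze data, then either disprove the hypothesis, escalate what was found, or narrow the question and go around again) can be made concrete as a small hypothesis-driven loop. The following is an added illustration and not code from the original article: the logon events, the asset and account tags, the business-hours window and the "three actionable hits" triage limit are all constructed assumptions. The first hypothesis is deliberately broad and produces more hits than a hunter could act on, so the loop refines it and runs again.

```python
"""Hypothesis-driven hunt loop over constructed logon telemetry (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample telemetry: one record per logon event.
EVENTS: List[Event] = [
    {"ts": "2024-01-08T02:13:00", "user": "svc_backup", "host": "db01", "src": "10.0.5.20", "result": "success"},
    {"ts": "2024-01-08T02:14:10", "user": "alice",      "host": "ws17", "src": "10.0.9.44", "result": "success"},
    {"ts": "2024-01-08T09:05:00", "user": "bob",        "host": "fs02", "src": "10.0.9.51", "result": "success"},
    {"ts": "2024-01-08T22:47:00", "user": "alice",      "host": "db01", "src": "10.0.9.44", "result": "success"},
    {"ts": "2024-01-08T23:02:00", "user": "carol",      "host": "ws03", "src": "10.0.9.60", "result": "failure"},
    {"ts": "2024-01-09T03:30:00", "user": "dave",       "host": "db01", "src": "10.0.9.77", "result": "success"},
]

# Assumed context the hunter brings to the hunt (asset inventory, account
# inventory, working hours). In practice these come from a CMDB or IdP.
SENSITIVE_HOSTS = {"db01", "fs02"}
SERVICE_ACCOUNTS = {"svc_backup"}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59


def after_hours(e: Event) -> bool:
    """True when the event's hour falls outside the assumed business window."""
    return int(e["ts"][11:13]) not in BUSINESS_HOURS


@dataclass
class Hypothesis:
    """Stage 1 of the cycle: a stated purpose plus a testable predicate over events."""
    name: str
    purpose: str
    predicate: Callable[[Event], bool]


@dataclass
class HuntPass:
    """Outcome of one trip around the cycle."""
    hypothesis: str
    examined: int
    hits: List[Event]
    verdict: str   # "disproven" | "detected" | "refine"


def run_pass(h: Hypothesis, events: List[Event], max_actionable: int = 3) -> HuntPass:
    """Collect and analyze: apply the hypothesis and decide how the cycle continues.

    max_actionable is an assumed triage capacity: more hits than that means the
    question is still too broad to hand to responders and must be narrowed.
    """
    hits = [e for e in events if h.predicate(e)]
    if not hits:
        verdict = "disproven"
    elif len(hits) > max_actionable:
        verdict = "refine"
    else:
        verdict = "detected"   # leads for response, not a confirmed compromise
    return HuntPass(h.name, len(events), hits, verdict)


def hunt(initial: Hypothesis, refinements: List[Hypothesis], events: List[Event]) -> List[HuntPass]:
    """Cycle through hypotheses until one is disproven, yields actionable hits,
    or no further refinement is available."""
    passes: List[HuntPass] = []
    current = initial
    queue = list(refinements)
    while True:
        result = run_pass(current, events)
        passes.append(result)
        if result.verdict != "refine" or not queue:
            return passes
        current = queue.pop(0)


# Constructed hypotheses: a broad first question and its narrowed follow-up.
BROAD = Hypothesis(
    "after-hours-logons",
    "Are there successful logons outside business hours?",
    lambda e: e["result"] == "success" and after_hours(e),
)
NARROWED = Hypothesis(
    "after-hours-human-logons-to-sensitive-hosts",
    "Are non-service accounts logging on to sensitive hosts outside business hours?",
    lambda e: BROAD.predicate(e) and e["host"] in SENSITIVE_HOSTS
    and e["user"] not in SERVICE_ACCOUNTS,
)


def run_example() -> List[HuntPass]:
    return hunt(BROAD, [NARROWED], EVENTS)


if __name__ == "__main__":
    for p in run_example():
        print(f"{p.hypothesis}: examined={p.examined} hits={len(p.hits)} verdict={p.verdict}")
```

The first pass returns four hits, more than the assumed triage limit, so the loop moves to the narrowed hypothesis, which excludes the scheduled service account and off-hours activity on workstations and leaves two leads for analysts to review. The point is the shape of the loop rather than the specific predicates: each pass records what was examined and why the hunt stopped or continued, which is what a proactive hunt needs in place of a known starting point.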