Introduction
Whether you’re a growing business, an established enterprise, or an essential service provider, your cybersecurity needs to be top-notch; otherwise, miscues or lapses in defensive judgment can jeopardize everything you and your team have worked for.
The fact that no business can function without trust, integrity, and essential security has never been truer. As more businesses become intentional about this, they are solidifying their defenses and protecting their attack surfaces. However, sophisticated threats can still find ways to bypass conventional or automated measures, potentially causing devastating disruptions.
Just one threat, one open vulnerability, or one intrusion could put your entire business at risk. While your security team may be prepared to react to incidents or address “known known” (well-understood and documented) threats in the wild with quick remediation, gathering and acting on security intelligence and telemetry from diverse sources is often a crucial part of how effectively you do it. SIEM (Security Information and Event Management) is particularly effective at identifying “known knowns” using predefined rules, signatures, and correlation of log data across the network. But what about threats unbeknownst to you?
Threats: What you know, don’t know, and don’t know you don’t know?
For “known unknowns” (where there is a risk but no specific signature or mapping for the attack), EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) solutions step in. These tools use behavioral analysis to detect suspicious activities, even when there’s no signature to match. XDR (which actually includes EDR) is especially valuable because it continuously monitors endpoints for abnormal patterns, helping identify potential threats that don’t follow a standard attack blueprint.
But what about the “unknown unknowns” (completely new and undiscovered threats)? This is where threat hunting proves indispensable. Analysts actively search for undocumented threats by looking for anomalies—such as misused permissions, configuration errors, data leaks, or emerging attack patterns that evade traditional alerts. Their expertise in adversary tactics and deep understanding of the environment allows them to spot subtle signs of compromise that automated tools might overlook. Threat hunters don’t just search for risks on the surface level of internal infrastructure—they go deeper to uncover hidden attacker infrastructure, map out the kill chain, and connect the dots for effective attack correlation and attribution.
Switching the focus from defense to actively hunting for cybercriminals is now a major trend in the information security market.
Reactive → Proactive defenses: What do you need to start threat hunting?
Even though effective threat hunting relies heavily on the quality of your historical security events (endpoints, network logs, web application logs, email artifacts, automatic file analysis (sandbox), etc.) and general knowledge base, the practice becomes more powerful with alerting mechanisms built on top of logging. These alerts enable real-time visibility into activities that might otherwise go unnoticed.
With this foundation, generalized threat hunting helps security teams analyze patterns and determine whether observed behaviors are connected to illegitimate activities, improving overall detection and response efforts.
The key difference between traditional SOC operations and modern threat hunting is the proactive approach to threat actors. In the past, security teams focused on detecting basic indicators, such as hash values, IP addresses, and network artifacts. These indicators were then used iteratively to identify the adversary’s tactics, techniques, and procedures (TTPs).
Today’s advanced threats require teams to mature their threat-hunting methodologies and leverage adversary-centric intelligence to detect attacks preemptively. Security professionals monitor emerging attacks from adversaries targeting specific regions or industries, enabling faster responses and blocking attackers from exploiting known indicators of compromise to contain cyber breaches.
This modern approach surpasses traditional TTP-level detection by integrating security tests, such as penetration testing and MITRE ATT&CK-based simulations, into threat-hunting efforts. These methods allow teams to emulate threat actors’ behaviors, uncover new tactics, and prepare for evolving methods that may not have been previously exploited.
| Aspect | Traditional SOC Operations | Modern Threat Hunting |
|---|---|---|
| Approach | Reactive | Proactive |
| Focus | Detection of basic indicators (hash values, IPs, network artifacts) | Adversary-centric intelligence and behavioral insights |
| Goal | Identify and respond to incidents using known indicators | Preemptively detect attacks and uncover hidden threats |
| Tactics Used | Iterative identification of TTPs | Emulation of threat actors using simulations (e.g., MITRE ATT&CK) |
| Key Tools and Methods | Alerts, logs, firewalls | Cyber Threat Exposure Management, malware research, CTI sources, self-assessment (e.g., defense evasion or persistence methods) |
| Response to Threats | Block based on known indicators of compromise (IOCs) | Monitor emerging threats and block new tactics proactively |
| Coverage | Focused on past or known attacks | Focused on evolving, unknown methods |
| Data Sources | Alerts from endpoints and network artifacts | Comprehensive telemetry from EDR, NTA, and CTI integrations |
| Learning and Adaptation | Retrospective analysis after incidents | Continuous learning from threat actors to adjust strategies |
| Outcomes | Resolution of incidents | Enhanced threat detection capabilities through improved real-time monitoring and detection of behavioral deviations |
Table 1: Distinction between reactive and proactive threat hunting approaches
By continuously learning from threat actors, teams can sharpen their defenses and adjust strategies, such as writing new detection rules, improving threat identification, and enhancing real-time monitoring and defense capabilities.
While the modern approach considerably enhances threat hunting, the practice itself does not depend on these methods. To initiate threat hunting, there are certain necessary prerequisites:
- Resolution of SOC alerts: Ensure the Security Operations Center (SOC) team has addressed and resolved all alerts to avoid overlaps and misjudgments during hunting efforts.
- Continuous access to Cyber Threat Intelligence (CTI) feeds: Maintain subscriptions to reliable CTI feeds with unlimited API access to integrate threat data seamlessly into hunting practices.
- Enabling Endpoint Detection and Response (EDR) and Network Telemetry Solutions: Have an EDR platform with comprehensive collection and normalization of security events (telemetry) and the ability to run various enrichment search queries across the data. Also, leverage a Network Traffic Analysis (NTA) solution that offers complete network coverage and integrates with other security controls.
- Dedicated threat hunting team and processes: Establish well-defined roles and processes within the threat hunting team to ensure iterative and efficient efforts.
Maturing your threat hunting capabilities
The first step in any threat-hunting effort is moving beyond routine data collection from various sources and leveraging threat intelligence to gain deeper insights. Understanding your threat landscape helps strengthen security by focusing on relevant threats.
Through TI, businesses can investigate adversaries’ tactics, techniques, and procedures (TTPs) to determine whether their organization or industry has been mentioned as a target. This is a solid foundation for hypothesis-building – a critical step in threat hunting.
Hypothesis-building involves making informed assumptions about whether a specific threat actor may have targeted your organization. It allows teams to focus their investigations on potential infiltration and analyze vulnerabilities that may have been exploited.
Hypothesis building can be scientific (based on empirical evidence) or non-scientific (based on a hunch, observation, or historical attacks).
| Scientific | Non-scientific |
|---|---|
| Based on real-world evidence | Isn’t correlated with your knowledge |
| Allows us to make predictions | Useless for making predictions |
| Testable | Impossible to test |
| Give us new information after proof | Don’t give us new information after proof |
Table source: Difference in hypothesis-based and experience/intuition-based approaches to threat hunting
The scientific method—which we will explore in detail—begins with formulating a valid and precise question rather than relying on vague or ambiguous language. For example, “Is my network under attack from [name of the threat actor]?” or “Are attackers mimicking the normal activities of my IT team?”
Concurrently, background research will examine open sources and public reports to gather relevant information.
Constructing a hypothesis involves researching the techniques used by a possible threat actor and assessing whether suspicious activities exist within your infrastructure.
Testing the hypothesis requires analyzing data and log files and collecting evidence to support your initial assumptions. The final step is to report your findings, clearly communicating your conclusions and any necessary actions based on the evidence gathered.
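The hypothesis-testing step above, carried through for the page's own example question (“Are attackers mimicking the normal activities of my IT team?”) as an added illustration that is not Group-IB's code. It assumes EDR process telemetry already normalized into records with user, host, process and hour fields; the admin-tool list and all events are constructed sample data.

```python
from collections import defaultdict

# Hypothetical set of remote-administration tools the IT team legitimately uses.
ADMIN_TOOLS = {"psexec.exe", "powershell.exe", "wmic.exe", "net.exe"}

# Constructed sample EDR process telemetry (not real data). BASELINE is a known-good
# history of IT-team activity; NEW_EVENTS is the window being hunted.
BASELINE = [
    {"user": "it_admin1", "host": "ws-it-01", "process": "psexec.exe", "hour": 10},
    {"user": "it_admin1", "host": "ws-it-01", "process": "powershell.exe", "hour": 11},
    {"user": "it_admin2", "host": "ws-it-02", "process": "wmic.exe", "hour": 14},
    {"user": "it_admin2", "host": "ws-it-02", "process": "net.exe", "hour": 9},
]
NEW_EVENTS = [
    {"user": "it_admin1", "host": "ws-it-01", "process": "psexec.exe", "hour": 11},  # matches baseline
    {"user": "j.doe", "host": "ws-fin-07", "process": "psexec.exe", "hour": 3},      # non-IT account at night
    {"user": "it_admin2", "host": "ws-fin-07", "process": "wmic.exe", "hour": 2},    # IT account, odd host/hour
]


def build_baseline(events):
    """Learn which accounts run each admin tool, from which hosts, and the working-hour window."""
    base = {"users": defaultdict(set), "hosts": defaultdict(set), "hours": set()}
    for e in events:
        if e["process"] in ADMIN_TOOLS:
            base["users"][e["process"]].add(e["user"])
            base["hosts"][e["user"]].add(e["host"])
            base["hours"].add(e["hour"])
    base["window"] = range(min(base["hours"]), max(base["hours"]) + 1)
    return base


def hunt(baseline, events):
    """Return (event, reasons) for admin-tool use that deviates from the IT team's baseline.

    Each deviation is evidence for or against the hypothesis; an empty result means the
    new events look like normal IT activity and the hypothesis is not supported by this data.
    """
    findings = []
    for e in events:
        if e["process"] not in ADMIN_TOOLS:
            continue
        reasons = []
        if e["user"] not in baseline["users"][e["process"]]:
            reasons.append("account never ran this tool before")
        if e["host"] not in baseline["hosts"][e["user"]]:
            reasons.append("account never ran admin tooling from this host")
        if e["hour"] not in baseline["window"]:
            reasons.append("outside the IT team's observed working hours")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Each finding carries the reasons that distinguish it from the baseline, which is the evidence the reporting step then documents.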
The premise of effective threat hunting: Cyber Threat Intelligence (CTI)
Adversaries’ multi-vector, multi-layered attacks demand that businesses leverage high-fidelity, reliable threat intelligence to understand attackers’ tools and tactics and effectively counteract them. This intelligence is crucial for correlating data across technology systems, enabling informed decision-making.
Group-IB Threat Intelligence offers one of the industry’s largest adversary-centric intelligence databases. Through incident response, active threat hunting, and adversary-focused research, we uncover how attackers deploy and operate their infrastructure to target your organization or industry. The threat intelligence platform’s inherent scoring capabilities enable differentiation between noise and relevant information. The platform correlates data across various sources, allowing you to focus on the most critical risks.
With these insights, we map ongoing attacks, reconstruct attack chains, and enrich Indicators of Compromise (IOCs) using an actor-centric approach. This allows for a deeper understanding of attackers’ tactics, techniques, and procedures (TTPs), offering actionable intelligence that leads to proactive detection of emerging threats, reduced dwell time and enhanced protection, increased security system effectiveness and identification of gaps, and stronger prevention against future attacks.
Group-IB Threat Intelligence provides unique, expert-researched, and validated indicators of compromise (IOCs) uncovered through years of cybercrime investigations, incident response operations, and malware analysis conducted by our experienced threat hunters. Our two decades of historical data on cybercriminals include billions of records encompassing domain names, IP addresses, and digital fingerprints from servers implicated in attacks, all tagged to specific hackers or groups.
In addition, Group-IB operates Digital Crime Resistance Centers (DCRCs) located across the Middle East, Europe, Central Asia, and Asia-Pacific. These centers critically analyze and promptly mitigate regional and country-specific threats, significantly enhancing Group-IB’s contributions to global cybercrime prevention and continually expanding its threat-hunting capabilities.
Diving deeper into attacker profiles through Threat Intelligence (TI) lets you understand their attack maneuvers. This enables security teams to respond to advanced threats without disrupting business operations. Further, Group-IB’s team of experts supports you with managed threat hunting services and empowers even less experienced threat hunters and teams to engage effectively in threat hunting and mature their capabilities through expert guidance.
Read our eGuide
To build or mature your threat-hunting capabilities or for managed threat-hunting services, refer to our expert-built processes and methodologies in our latest eGuide.