How to Develop a Successful Threat-Hunting Program

Author: Emma Nistor, senior product marketing manager, N-able

According to the 2021 Cost of a Data Breach report, the average attack “dwell time”—the period between an attacker’s breach of an organization’s network and the point at which the organization finds out about it—is 287 days. During this time, the attacker can stealthily gather valuable information and steal or compromise data, incurring huge costs for affected companies. The longer the dwell time, the higher the costs; the same report states that a breach with a lifecycle of over 200 days cost an average of $4.87 million, versus $3.61 million for a breach with a lifecycle of less than 200 days.

As an MSP or MSSP, imagine you’re onboarding a new customer. Do you have the right security tools and practices in place to detect and mitigate stealthy threats lurking in their environment? Or to prevent these threats from ever breaching their networks? Waiting until threats become visible, or until traditional SOC monitoring tools generate an alert, can be too late. Threat hunting is a more proactive cybersecurity approach that identifies threats that evade security controls before they can execute an attack or fulfill their goals.

What is threat hunting and why do you need it?: Threat hunting is the process of searching for suspicious behavior across the entire attack surface. It is hypothesis-driven and requires an expert understanding of the expected architecture, system, application, and network behavior. This enables targeted questions to be asked that help uncover unexpected behavior and outliers, such as lateral movement or known tactics, techniques, and procedures (TTPs) that attackers use.

Six best practices for creating a successful threat-hunting program

1. Get the right data in the right context: Having the right data to answer the right threat-related questions is key to successful threat hunting. Because your threat-hunting efforts will be based on endpoint telemetry, that data needs to be comprehensive and put in the right context. Endpoint telemetry needs to capture a wide range of activity and behaviors spanning multiple operating systems, including network traffic patterns, network activity, user activity, file hashes, file operations, system and event logs, denied connections, peripheral device activity, and more. All of these data points and events need to be correlated so that the context of a potential threat can be understood.

2. Understand what’s normal in your environment: Understanding what’s normal within your environment is also critical. Threat hunters need a good understanding of the company’s profile, employee behavior, the company’s valuable data, and the business activities that could be of interest to attackers, so they can baseline what is “normal.” Knowing what is normal, they can look at the available data points and start asking questions that help identify any outliers.

3. Develop threat hypotheses: Okay, so you have the right data and you’ve baselined what is normal behavior within your environment. How do you start hunting for threats? The answer depends on whether the threat is known or unknown.

To hunt for known threats, you can start by looking at intelligence sources such as an Information Sharing and Analysis Center (ISAC) or the FBI, which publish Indicators of Compromise (IoCs): hash values, IP addresses, domain names, and network or host artifacts. However, many unknown threats are constantly being developed and used in attacks, so threat hunting can’t rely only on known sources and methodologies.

For unknown threats, you can first create hypotheses about activities that might be taking place within the environment and then test them. You can start by asking questions such as: “If I were to attack this environment, what would I attempt to gain access to?” or “Why do I see an abnormal volume of DNS queries from a single machine?” More ideas can be derived from tools and frameworks like the MITRE ATT&CK framework, threat intelligence based on real incidents, information about new attack techniques that first appears on social media, research blogs, and at conferences, penetration testing practices, and past experience.

4. Investigate potential threats: If your hypothesis is correct and you find evidence of malicious activity, you need to immediately validate the nature, scope, and impact of the finding. This is where threat investigation tools come in handy. The next step in the process is to identify new malicious patterns in the data and uncover the attacker’s TTPs.

5. Respond effectively: Once you identify a new TTP, you need to respond effectively and remediate the threat. This means not only taking immediate measures to neutralize the attack and prevent it from damaging the system, but also taking measures to prevent similar attacks in the future.

6. Enhance your global security: One final step is to inform and enrich automated analytics with insights from successful hunts. This enables you to use the knowledge generated from threat hunting to improve EDR systems, which helps enhance and consolidate the security for your organization globally.
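As an added example (not code from the original post or from N-able's products), here is one way to test the step 3 hypothesis "abnormal volume of DNS queries from a single machine" against the per-host baseline described in step 2: each host's hourly query count is compared with its own median and MAD over a baseline period, and outliers are reported with the context (observed count, baseline, number of distinct names) that step 4 would need. All host names, domain names, and counts are constructed for the example.

```python
import statistics
from collections import defaultdict

HOSTS = ["ws-01", "ws-02", "ws-03", "ws-04"]  # constructed host names
BASELINE_HOURS = range(5)  # hours 0-4 form the baseline; hour 5 is under review

def constructed_telemetry():
    """Constructed (hour, host, queried_name) records; not real data."""
    records = []
    for hour in range(6):
        for i, host in enumerate(HOSTS):
            # Normal behaviour: a few dozen queries per hour to a handful of names.
            for n in range(20 + 3 * i):
                records.append((hour, host, f"svc{n % 6}.corp.example"))
    # Hour 5: ws-03 suddenly issues 400 queries to never-seen, unique names.
    for n in range(400):
        records.append((5, "ws-03", f"{n:08x}.lookup.example"))
    return records

def hourly_counts(records):
    counts = defaultdict(int)
    for hour, host, _ in records:
        counts[(host, hour)] += 1
    return counts

def baseline(counts, baseline_hours):
    """Per-host median and MAD of hourly query volume over the baseline period."""
    base = {}
    for host in {h for h, _ in counts}:
        sample = [counts[(host, hr)] for hr in baseline_hours if (host, hr) in counts]
        med = statistics.median(sample)
        # Floor the MAD at 1 so a perfectly steady host does not divide by zero.
        mad = statistics.median(abs(x - med) for x in sample) or 1.0
        base[host] = (med, mad)
    return base

def find_outliers(records, hour, baseline_hours=BASELINE_HOURS, threshold=5.0):
    """Hosts whose query volume in `hour` exceeds their own baseline by more than
    `threshold` robust standard deviations (MAD-based z-score), with context."""
    counts = hourly_counts(records)
    flagged = {}
    for host, (med, mad) in baseline(counts, baseline_hours).items():
        observed = counts.get((host, hour), 0)
        robust_z = 0.6745 * (observed - med) / mad
        if robust_z > threshold:
            names = {n for h, hst, n in records if h == hour and hst == host}
            flagged[host] = {"observed": observed, "median": med,
                             "robust_z": round(robust_z, 1), "unique_names": len(names)}
    return flagged

if __name__ == "__main__":
    for host, detail in find_outliers(constructed_telemetry(), 5).items():
        print(host, detail)
```

The distinct-name count is the kind of correlated context step 1 asks for: a volume spike to six well-known names reads very differently from the same spike spread over hundreds of names seen once.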

Looking ahead

Building an effective threat-hunting program is no easy feat, but it can bring valuable benefits:

  • proactive discovery of potential threats
  • faster incident response times
  • enhanced security posture
  • less work for your security techs
  • a consolidated SOC, future-proofed against rising threats.

Ready to start your own threat hunting program? Check out this ebook on threat hunting best practices to learn more.

Guest blog courtesy of N-able. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.