Threat hunting is something of a buzzword in the information security industry, and if you ask what it means you'll get different answers from different people. There is no industry standard for what a threat hunting process looks like, but a few characteristics show up in most descriptions of it.
- Threat hunting is conducted by a human analyst. They can use whatever tools are available to them, including those leveraging automation and machine learning, but the overall process is executed by a person.
- Threat hunting is proactive. If you're reacting to an alert, that is investigation or incident response, not hunting. Threat hunting is about developing and testing hypotheses, drawn from the available data combined with the analyst's knowledge of the environment and of adversary tradecraft, in the hope of uncovering security gaps or adversary behaviors that automated tools have not detected yet. A hypothesis that pays off is normally turned into an automated detection afterward, so the next occurrence doesn't need a hunt to find it.
A side benefit of the exploratory nature of threat hunting is that it can help security analysts gain a better understanding of the environment they're responsible for securing, and can help even less experienced analysts hone their instincts to better understand and respond to threats.
This five-minute video demonstrates how Reveal(x) network traffic analysis enables quick, simple threat hunting even in large, complex enterprise environments. The video walks through two scenarios in which potentially risky DNS and database activity is discovered and investigated.
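To make the hypothesis-driven loop above concrete, here is an added, stand-alone example (not Reveal(x) code and not from the video) that hunts for one of the DNS behaviors a hunter would look for: a client issuing many distinct, long, high-entropy subdomain labels under a single parent domain, the shape DNS tunnelling tends to take. The log format, the sample records, the two-label approximation of the registrable domain and the thresholds are all assumptions chosen for the example.

```python
"""Hypothesis-driven hunt over DNS query logs.

Hypothesis: a host tunnelling data out over DNS issues many distinct, long,
high-entropy leftmost labels under a single parent domain. A static alert on
any one query rarely fires, but aggregating per (client, parent domain) and
scoring the labels surfaces the pattern.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log in "timestamp client_ip qname qtype" form.
# These are made-up records for the example, not captured traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3 www.example.com A
2024-05-01T10:00:02Z 10.1.2.3 mail.example.com A
2024-05-01T10:00:03Z 10.1.2.4 kj3h8f9a2lq0zx7v.tunnel.example.net TXT
2024-05-01T10:00:03Z 10.1.2.4 p9x2mz71qw8eyt4r.tunnel.example.net TXT
2024-05-01T10:00:04Z 10.1.2.4 7dq1lsw0nc5vbh2k.tunnel.example.net TXT
2024-05-01T10:00:04Z 10.1.2.4 zx9c4vkq2m8wnr3e.tunnel.example.net TXT
2024-05-01T10:00:05Z 10.1.2.4 b6tg3hyu1o9pl5ka.tunnel.example.net TXT
2024-05-01T10:00:06Z 10.1.2.5 cdn.example.org A
2024-05-01T10:00:07Z 10.1.2.5 static.example.org A
2024-05-01T10:00:08Z 10.1.2.5 img.example.org A
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def parse_log(text):
    """Split whitespace-delimited records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def parent_domain(qname):
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list is available offline, so names under
    suffixes such as co.uk would be grouped too coarsely in a real hunt.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def hunt_dns_tunnelling(records, min_unique=5, min_avg_len=12.0, min_entropy=3.5):
    """Return (client, parent domain) pairs whose leftmost labels look like encoded payload."""
    labels_by_key = defaultdict(set)
    for rec in records:
        parent = parent_domain(rec["qname"])
        if rec["qname"] == parent:
            continue  # bare apex query, no subdomain label to score
        leftmost = rec["qname"].split(".")[0]
        labels_by_key[(rec["client"], parent)].add(leftmost)

    hits = []
    for (client, parent), labels in labels_by_key.items():
        avg_len = sum(len(lbl) for lbl in labels) / len(labels)
        avg_entropy = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        # All three conditions must hold: volume of distinct labels, length, randomness.
        if len(labels) >= min_unique and avg_len >= min_avg_len and avg_entropy >= min_entropy:
            hits.append({"client": client, "parent": parent,
                         "unique_labels": len(labels),
                         "avg_label_len": round(avg_len, 1),
                         "avg_entropy": round(avg_entropy, 2)})
    return sorted(hits, key=lambda h: -h["avg_entropy"])


if __name__ == "__main__":
    for hit in hunt_dns_tunnelling(parse_log(SAMPLE_LOG)):
        print(hit)
```

Run against the constructed log, only the 10.1.2.4 / example.net pair trips all three conditions; the ordinary www/mail and cdn/static/img lookups fall well under the distinct-label count. The thresholds are starting points to be tuned against your own baseline (CDNs and some security products also generate hashed-looking labels), and the output is a lead for an analyst to review, not a verdict. Once a hypothesis like this one is confirmed, the same scoring belongs in an automated detection.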
For a real-life example of how an ExtraHop customer used these processes to uncover an active attempt to break into their network, read this blog post.
We also wrote up a white paper explaining how security teams can use Reveal(x) to detect real-world adversary tactics, techniques, and procedures mapped to the MITRE ATT&CK framework.