What is Threat Hunting?


Threat hunting is the proactive search for attackers who have evaded automated detection. Learn how threat hunting works, what it requires, and why it catches what alerts miss.

How Threat Hunting Works

The Hypothesis-Driven Approach

Effective threat hunting begins with a structured hypothesis based on threat intelligence, known adversary techniques, and environmental context. A hypothesis might be: 'A threat actor targeting organizations in our industry has been using living-off-the-land techniques involving PowerShell and WMI for lateral movement. I am going to look for anomalous PowerShell execution patterns in our environment.' The hunter then searches the available data — EDR telemetry, SIEM logs, network flow data — for evidence consistent with that hypothesis, investigating anomalies that could indicate adversary presence.

Intelligence-Driven Hunting

Threat intelligence — knowledge of specific adversary groups, their tools, techniques, and procedures (TTPs) — drives targeted hunting for specific threat actors relevant to the organization. If a specific ransomware group has been actively targeting organizations in your industry using a specific initial access technique, hunting for indicators of that technique in your environment is high-priority work. MITRE ATT&CK provides the framework that maps adversary techniques to the observable behaviors and data sources that hunters use to detect them.

Anomaly-Based Hunting

Anomaly-based hunting looks for deviations from established baselines without a specific prior hypothesis. A system that has never communicated with cloud storage services suddenly transferring data to S3 is anomalous. An account that has never logged in outside business hours authenticating at 3 AM is anomalous. A process that is legitimate in most contexts running from an unusual parent process is anomalous. The hunter's judgment determines which anomalies warrant investigation and what the investigation reveals.

What Threat Hunting Finds That Automated Detection Misses

The value of threat hunting lies in finding what automated detection does not alert on: subtle activity that falls below alert thresholds, novel techniques that have no signature, and deliberate evasion of detection rules by sophisticated attackers.

Living-off-the-land attacks that use legitimate Windows tools — PowerShell, WMI, certutil, mshta — are designed to blend with legitimate administrative activity. Alert rules tuned to reduce false positives frequently allow these legitimate tools to run without alerting, even when the specific execution is malicious. A threat hunter looking at PowerShell execution in context can distinguish the system administrator running a legitimate script from an attacker using PowerShell for command-and-control communication.
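The following is an added example, not code from the original article, showing one way a hunter could work the PowerShell hypothesis from the first section together with the "unusual parent process" anomaly and the living-off-the-land problem described above. It builds a baseline of parent/child process pairs from constructed EDR-style telemetry, then reviews hunt-window events for two kinds of context: a parent that has never launched that image before, and command-line fragments that a hunter weighs when deciding whether a PowerShell launch is administrative or not. Every host name, path, command line and event below is constructed for illustration.

```python
"""Hunting PowerShell execution in context: parent-process baselining plus
command-line context. Added example; all telemetry is constructed."""
from collections import defaultdict

# Constructed process-creation events from a "known good" baseline period.
BASELINE_EVENTS = [
    {"host": "WS-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe"},
    {"host": "SRV-02", "parent": "svchost.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"host": "WS-03", "parent": "cmd.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Get-Service"},
    {"host": "WS-01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmd": "cmd.exe"},
]

# Constructed process-creation events from the hunt window.
HUNT_EVENTS = [
    {"host": "WS-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\cleanup.ps1"},
    {"host": "WS-07", "parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc <base64-blob>"},
    {"host": "SRV-02", "parent": "svchost.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"host": "SRV-09", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c dir"},
]

# Command-line fragments that deserve a second look: not proof of malice on
# their own, but context a hunter weighs against the parent and the host role.
CONTEXT_FLAGS = {
    "-enc": "encoded command",
    "-encodedcommand": "encoded command",
    "-w hidden": "hidden window",
    "-nop": "no profile",
    "downloadstring": "download cradle",
}


def build_parent_baseline(events):
    """Map each image name to the set of parent processes seen launching it."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["image"].lower()].add(e["parent"].lower())
    return baseline


def context_flags(cmd):
    """Return the sorted, de-duplicated labels of context fragments in a command line."""
    lower = cmd.lower()
    return sorted({label for frag, label in CONTEXT_FLAGS.items() if frag in lower})


def hunt_process_context(events, baseline):
    """Return hunt leads: events with an unseen parent for that image, or with
    command-line context worth review, annotated with the reasons."""
    leads = []
    for e in events:
        image, parent = e["image"].lower(), e["parent"].lower()
        reasons = []
        if parent not in baseline.get(image, set()):
            reasons.append(f"unusual parent {parent} for {image}")
        reasons.extend(context_flags(e["cmd"]))
        if reasons:
            leads.append({"host": e["host"], "image": image,
                          "parent": parent, "reasons": reasons})
    return leads


if __name__ == "__main__":
    for lead in hunt_process_context(HUNT_EVENTS, build_parent_baseline(BASELINE_EVENTS)):
        print(lead["host"], lead["image"], "<-", lead["parent"], ":", "; ".join(lead["reasons"]))
```

The two routine scheduled-script launches pass silently; the Word-spawned PowerShell with an encoded, hidden-window command line and the web worker process spawning a shell surface as leads. Neither would necessarily trip a signature, which is the point of reviewing execution in context rather than per-event.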

Slow and deliberate attackers who operate at low intensity to avoid triggering rate-based detection rules generate individual events that do not cross alert thresholds but that, when viewed in aggregate over time, reveal a pattern of attacker activity. Threat hunting over historical data can identify an attacker who has been present and methodical for months — activity that real-time alert-based detection missed because no single event was alarming enough.
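As an added illustration (not part of the original article) of the low-and-slow problem, the block below contrasts a typical rate-based alert rule with a hunt over historical data. It generates a constructed month of failed-logon records: one source producing three failures a night for thirty nights, one source producing a single noisy burst, and one user mistyping a password twice. The rate rule fires only on the burst; the hunt query, which asks for sources with a small, steady number of failures across many distinct days, surfaces the patient source that never crossed the threshold. Source addresses, account names and timestamps are constructed.

```python
"""Low-and-slow activity: events that never cross a rate threshold but form a
pattern over time. Added example with constructed failed-logon records."""
from collections import defaultdict
from datetime import datetime, timedelta


def make_constructed_log():
    """Build constructed log lines of the form '<ISO timestamp> <source> <user>'."""
    lines = []
    start = datetime(2024, 3, 1, 0, 0)
    # Source A: three failures per night for 30 nights, far below any hourly threshold.
    for day in range(30):
        for i in range(3):
            ts = start + timedelta(days=day, hours=2, minutes=17 * i)
            lines.append(f"{ts.isoformat()} 203.0.113.7 svc_backup")
    # Source B: one noisy burst, 40 failures in ten minutes on a single day.
    for i in range(40):
        ts = start + timedelta(days=5, hours=14, seconds=15 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.9 jdoe")
    # Source C: a user mistyping a password twice on one morning.
    lines.append(f"{(start + timedelta(days=9, hours=9)).isoformat()} 192.0.2.44 asmith")
    lines.append(f"{(start + timedelta(days=9, hours=9, minutes=1)).isoformat()} 192.0.2.44 asmith")
    return lines


def parse(lines):
    """Parse log lines into (timestamp, source, user) tuples."""
    events = []
    for line in lines:
        ts, src, user = line.split()
        events.append((datetime.fromisoformat(ts), src, user))
    return events


def rate_rule(events, threshold=20, window=timedelta(hours=1)):
    """Real-time style alert: more than `threshold` failures from one source
    inside any sliding `window`. Returns the set of sources that would alert."""
    by_src = defaultdict(list)
    for ts, src, _ in events:
        by_src[src].append(ts)
    hits = set()
    for src, stamps in by_src.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                hits.add(src)
                break
    return hits


def hunt_slow_pattern(events, min_days=14, max_per_day=5):
    """Hunt query over historical data: sources with at most `max_per_day`
    failures on at least `min_days` distinct days, i.e. quiet but persistent."""
    days_by_src = defaultdict(lambda: defaultdict(int))
    for ts, src, _ in events:
        days_by_src[src][ts.date()] += 1
    leads = {}
    for src, per_day in days_by_src.items():
        quiet_days = [d for d, n in per_day.items() if n <= max_per_day]
        if len(quiet_days) >= min_days:
            leads[src] = {"days": len(quiet_days), "total": sum(per_day.values())}
    return leads


if __name__ == "__main__":
    events = parse(make_constructed_log())
    print("rate rule alerts on:", rate_rule(events))
    print("slow-pattern hunt leads:", hunt_slow_pattern(events))
```

The thresholds are illustrative; in practice a hunter tunes `min_days` and `max_per_day` to the environment and then pivots on the surfaced source to see what else it touched over the same period.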

Threat Hunting for Mid-Market Organizations

Mature internal threat hunting programs require dedicated analysts with advanced skills, comprehensive data collection, and tooling that most mid-market organizations cannot justify economically. The staffing requirement alone — experienced threat hunters available full-time — is prohibitive for organizations below a certain scale.

Managed detection and response (MDR) services incorporate threat hunting as a component of the managed service — hunters working across the customer's environment using the MDR provider's data and tooling. For mid-market organizations, this provides threat hunting capability without the internal staffing requirement. The quality of hunting varies significantly across MDR providers and is one of the key differentiators to evaluate when selecting an MDR partner.

At minimum, organizations should ensure that penetration tests and red team exercises include scenarios designed to test detection coverage — confirming that the controls in place would detect the techniques most relevant to the threat actors targeting their industry. This adversarial validation of detection coverage is the minimum version of threat hunting accessible to any organization.

Real-World Example: The FireEye Hack Discovery

In December 2020, FireEye — one of the world's leading cybersecurity firms — announced that it had been breached by a sophisticated nation-state actor. FireEye discovered the breach not through automated alerts, but through a threat hunter who noticed an anomalous MFA device registration from an employee's account. The registration appeared to be legitimate at first — a new device being added to an employee's account. But the hunter noticed that the registration occurred from a location inconsistent with the employee's normal patterns and at a time when the employee would not typically be working. Investigation revealed the SolarWinds backdoor that had given the attackers initial access. The breach of a world-class cybersecurity firm was discovered by human attention to a subtle anomaly that automated systems had not flagged.
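As an added example (not from the original article, and not a description of FireEye's actual tooling), the block below shows the shape of the check that turned the MFA registration described above into a lead, and also covers the "account authenticating at 3 AM" anomaly from the section on anomaly-based hunting. It builds a per-account baseline of usual working hours and countries from constructed historical identity events, then scores hunt-window logons and MFA device registrations against that baseline, weighting a sensitive change such as a new MFA device more heavily than a plain logon. All timestamps, countries and event types are constructed.

```python
"""Per-account baseline of working hours and locations, applied to logons and
MFA device registrations. Added example; all records are constructed."""
from datetime import datetime

# Constructed "known good" identity events for one account: (timestamp, country, type).
HISTORY = [
    ("2024-02-05T09:12:00", "US", "logon"),
    ("2024-02-06T08:55:00", "US", "logon"),
    ("2024-02-07T17:40:00", "US", "logon"),
    ("2024-02-08T10:03:00", "US", "logon"),
    ("2024-02-12T09:30:00", "US", "mfa_register"),
]

# Constructed hunt-window events for the same account.
CANDIDATES = [
    ("2024-03-04T11:05:00", "US", "logon"),          # normal
    ("2024-03-05T03:10:00", "US", "logon"),          # off-hours
    ("2024-03-06T02:48:00", "RU", "mfa_register"),   # new device, new country, off-hours
]


def build_baseline(history):
    """Derive the account's usual hour range and set of countries from history."""
    hours = sorted({datetime.fromisoformat(ts).hour for ts, _, _ in history})
    countries = {country for _, country, _ in history}
    return {"hour_min": hours[0], "hour_max": hours[-1], "countries": countries}


def score(event, baseline):
    """Score one event against the baseline; returns (points, reasons)."""
    ts, country, kind = event
    hour = datetime.fromisoformat(ts).hour
    reasons, points = [], 0
    if not (baseline["hour_min"] <= hour <= baseline["hour_max"]):
        reasons.append("off_hours")
        points += 1
    if country not in baseline["countries"]:
        reasons.append("new_country")
        points += 2
    if kind == "mfa_register":
        # A new MFA device registered from an unusual context is a high-value
        # lead, so the anomaly points are doubled rather than added to.
        reasons.append("sensitive_change")
        points *= 2
    return points, reasons


def hunt_identity_events(candidates, baseline):
    """Return (timestamp, points, reasons) for every anomalous event, highest first."""
    leads = []
    for event in candidates:
        points, reasons = score(event, baseline)
        if points > 0:
            leads.append((event[0], points, reasons))
    return sorted(leads, key=lambda lead: -lead[1])


if __name__ == "__main__":
    for ts, points, reasons in hunt_identity_events(CANDIDATES, build_baseline(HISTORY)):
        print(ts, points, ", ".join(reasons))
```

The off-hours logon scores low and might simply be queued for review; the MFA registration from a new country at 02:48 scores highest and is the event a hunter opens first, which mirrors the way a routine-looking device registration became the starting point of the investigation described above.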

56 days is the median attacker dwell time in environments without active threat hunting programs. In environments with mature hunting capabilities, dwell time drops to under 24 hours. Every day of undetected access costs more.

How Cloudskope Can Help

Cloudskope's MDR service includes proactive threat hunting as a core operational component — our analysts actively search customer environments for attacker presence, not just respond to automated alerts. For organizations experiencing suspected compromise or wanting to validate their detection coverage, we provide targeted threat hunting engagements that assess specific attack scenarios relevant to your threat model and industry.