Gartner Blog Network


Planned: A Quick Paper on Threat Hunting – Ideas Sought

by Anton Chuvakin  |  March 1, 2017  |  22 Comments

As it happens, I will now work on a short and sweet paper on THREAT HUNTING.

So far, I’ve seen two types of materials on THREAT HUNTING (TH):

  1. Great materials written by the “security 1%-ers” for other security 1%-ers or, perhaps, for the …ahem… 2%-ers, i.e. the slightly less elite elites [IMHO, much of it is useless for the masses because of the skills chasm between those groups and a typical security team]
  2. Crappy materials often written by vendors who corrupt the threat hunting term to attach a “cool” label to various security products [I’ve seen the hunting label attached to basic indicator matching and essentially to IDS or even to log search].

In the next few weeks, I will try to aggregate a lot of knowledge (from within and outside Gartner, naturally) to come up with a quick guide to threat hunting for the non-elites. It will serve two purposes:

  • Cut through the hype to present a fact-based view of threat hunting (and if this discourages some from hunting, so be it – they were probably not ready anyway and should invest their resources in other security practices)
  • Provide some practical starter tips and some value justification for starting (in the hope that those who can benefit from it will have a starter roadmap to it)

Here is what I am thinking about for my early high-level outline:

  • TH defined
    • Hunting and [alert] gathering
    • TH as hypothesis testing
    • TH as “proactive” IR
    • Other useful TH metaphors
  • TH examples
  • Value of TH for the organization
  • Business case for TH
  • What types of orgs WIN at TH
  • Resources | prerequisites needed for TH
    • Tools
    • Data
    • People
  • How to start TH at your organization
  • Example TH processes and workflows
  • Cautions and risks
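Two of the outline items above (“Hunting and [alert] gathering” and “TH as hypothesis testing”) are easier to see side by side in code than in prose. The example below is added here and is not from the post or from any paper it mentions: it runs an indicator match and two hypothesis-driven hunts over the same constructed process-creation telemetry. Every host name, hash and command line is made up for the illustration, and the “Office application spawning a shell” hypothesis is one generic hunt the post does not itself spell out.

```python
"""Gathering (indicator matching) versus hunting (hypothesis testing)
over the same telemetry. All events, hashes and hosts are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str      # parent process image name
    child: str       # created process image name
    sha256: str      # (constructed) hash of the child image
    cmdline: str


# Constructed sample telemetry: process-creation events from a few hosts.
EVENTS = [
    ProcEvent("ws01", "explorer.exe", "outlook.exe", "aaa1", "outlook.exe"),
    ProcEvent("ws01", "outlook.exe", "winword.exe", "bbb2", "winword.exe /n"),
    ProcEvent("ws02", "explorer.exe", "outlook.exe", "aaa1", "outlook.exe"),
    ProcEvent("ws02", "explorer.exe", "winword.exe", "bbb2", "winword.exe"),
    ProcEvent("ws03", "explorer.exe", "winword.exe", "bbb2", "winword.exe"),
    ProcEvent("ws03", "services.exe", "svchost.exe", "ccc3", "svchost.exe -k netsvcs"),
    ProcEvent("ws04", "services.exe", "svchost.exe", "ccc3", "svchost.exe -k netsvcs"),
    # The event a hunter should find: Word spawning PowerShell with an
    # encoded command. Its hash is NOT on any indicator list.
    ProcEvent("ws04", "winword.exe", "powershell.exe", "ddd4",
              "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("ws05", "explorer.exe", "cmd.exe", "eee5", "cmd.exe"),
    # A known-bad hash: exactly what indicator matching is built to catch.
    ProcEvent("ws05", "explorer.exe", "evil.exe", "fff6", "evil.exe"),
]

KNOWN_BAD_HASHES = {"fff6"}  # constructed indicator feed


def ioc_match(events, bad_hashes):
    """Gathering: flag only events whose hash is already on a list.
    Anything not previously seen by someone else is invisible here."""
    return [e for e in events if e.sha256 in bad_hashes]


def hunt_rare_parent_child(events, max_hosts=1):
    """Hypothesis: 'post-exploitation shows up as parent/child process
    pairs that occur on very few hosts'. Stack-count each pair across
    the fleet and return events for pairs seen on <= max_hosts hosts.
    The output is a list of leads to triage, not a list of alerts."""
    hosts_per_pair = {}
    for e in events:
        hosts_per_pair.setdefault((e.parent, e.child), set()).add(e.host)
    rare = {pair for pair, hosts in hosts_per_pair.items()
            if len(hosts) <= max_hosts}
    return [e for e in events if (e.parent, e.child) in rare]


def hunt_office_spawning_shell(events):
    """Narrower hypothesis: 'Office applications never spawn a shell or
    script host in this environment'. Any hit is worth an analyst's time."""
    office = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
    shells = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
              "mshta.exe"}
    return [e for e in events if e.parent in office and e.child in shells]


if __name__ == "__main__":
    print("IOC matches:", [(e.host, e.child) for e in ioc_match(EVENTS, KNOWN_BAD_HASHES)])
    print("Rare pairs  :", [(e.host, e.parent, e.child) for e in hunt_rare_parent_child(EVENTS)])
    print("Office->shell:", [(e.host, e.cmdline) for e in hunt_office_spawning_shell(EVENTS)])
```

Note what each pass returns on this data: the indicator match finds only `evil.exe`, because it can find only what is already on a list; the rare-pair hunt surfaces the Word-to-PowerShell event the feed missed, but alongside three benign singletons that an analyst has to dismiss; the narrower hypothesis returns exactly one lead. The threshold matters too: raising `max_hosts` to 2 makes every pair “rare” on this small fleet and the hunt stops discriminating, which is the kind of tuning and triage cost a hunting paper for the non-elites should be honest about.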

Thoughts? Ideas? Pointers to more materials?

Category: hunting  incident-response  monitoring  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Planned: A Quick Paper on Threat Hunting – Ideas Sought


  1. Martin says:

    I read this article the other day and thought it gave good insight into the hunt: http://seczine.com/cyber-security/2017/02/bank-got-hacked/

  2. Paul J says:

    Shameless self promotion from SANS summit https://m.youtube.com/watch?v=RHYWG6rEKf4

  3. Rick Holland says:

    Glad to see the prereqs for threat hunting in that outline Anton. On the resources side, how much can you really automate? What is the realistic balance between automation and carbon-based analysis? What about threat hunting capability/maturity levels and guidance around what is appropriate for different sizes of organizations? e.g. When should certain orgs outsource to a service provider?

  4. Nichols says:

    Hi, Anton!

    I think Sqrrl’s paper is a great resource, mainly by introducing the concept of the Hunting Maturity Model – http://sqrrl.com/media/Framework-for-Threat-Hunting-Whitepaper.pdf

  5. Matthew Gardiner says:

    A little off from what you are asking…but one angle I think is interesting is how much “threat hunting” you can/should do on your own behalf and how much threat hunting can be done on your behalf by a service provider. This becomes more relevant as an organization’s security and other services are provided from the cloud…thus making it more available to the cloud provider to conduct threat hunting.

  6. Matthew Gardiner says:

    Of course, after posting the above I saw your tweet… No offense to any vendor, but I wonder whether #ThreatHunting literati here believe one can do “threat hunting as a service”, in principle?

    In principle I think “yes”….

  7. Alan Ross says:

    I think spending some time on deterministic vs nondeterministic approaches and where each makes sense would help a lot of folks.

  8. @chrissanders88 has done some very interesting research regarding decisions that are made during a hunt or investigation that are a result of anchoring or bias – and the importance of context in those efforts.

  9. Gary Parente says:

    We have also done our best to cut through the hype and get to brass tacks on a threat hunting definition. In the white paper linked below, we explain exactly what different types of “threat hunting” entail, from tactics to results, etc. Many EDR vendors claim they hunt simply because they log every piece of activity on the endpoint and then give you a search bar to find the threats yourself. Data is not valuable unless it is actionable.

    Check out this resource for a great description of Threat Hunting using Forensic State Analysis:

    https://www.infocyte.com/blog/2017/2/14/threat-hunting-using-forensic-state-analysis

  10. Neena says:

    Hi Anton,

    Haven’t read all of the comments and maybe this was included, but it will be greatly useful for customers if you include example case studies where someone used threat hunting and ‘significantly’ improved their threat visibility and were able to stop it early. The more details the better, but at this stage we really do need validation points to establish the usefulness of Threat Hunting as a practice. We could benefit from you talking to customers on this issue and gathering valuable insights.

  11. Luke Radford says:

    To give it another dimension – how can you apply TH methodology and techniques to business disruption?

    All well and good having your systems protected and being aware of possible exploits but if someone comes and disrupts your market place then what good will a secure system be? Be interesting to see if there are examples where a TH approach has been used to influence innovation and business development.




Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.