Planned: A Quick Paper on Threat Hunting – Ideas Sought

By Anton Chuvakin | March 01, 2017 | 23 Comments

Tags: monitoring, incident response, hunting

As it happens, I will now work on a short and sweet paper on THREAT HUNTING.

So far, I’ve seen two types of materials on THREAT HUNTING (TH):

  1. Great materials written by the “security 1%-ers” for other security 1%-ers or, perhaps, for the …ahem… 2%-ers, i.e. less elitish elites [IMHO, much of it is mostly useless for the masses due to the chasm]
  2. Crappy materials often written by vendors who corrupt the threat hunting term to attach a “cool” label to various security products [I’ve seen the hunting label attached to basic indicator matching and essentially to IDS or even to log search].

In the next few weeks, I will try to aggregate a lot of knowledge (from within and outside Gartner, naturally) to come up with a quick guide to threat hunting for the non-elites. It will serve two purposes:

  • Cut through the hype to present a fact-based view of threat hunting (and if this discourages some from hunting, so be it – they were probably not ready anyway and should invest their resources in other security practices)
  • Provide some practical starter tips and some value justification for starting (in the hope that those who can benefit from it will have a starter roadmap to it)

Here is what I am thinking about for my early high-level outline:

  • TH defined
    • Hunting and [alert] gathering
    • TH as hypothesis testing
    • TH as “proactive” IR
    • Other useful TH metaphors
  • TH examples
  • Value of TH for the organization
  • Business case for TH
  • What types of orgs WIN at TH
  • Resources | prerequisites needed for TH
    • Tools
    • Data
    • People
  • How to start TH at your organization
  • Example TH processes and workflows
  • Cautions and risks

Thoughts? Ideas? Pointers to more materials?

  • Martin says:

    I read this article the other day and thought it gave good insight in to the hunt :

  • Paul J says:

    Shameless self promotion from SANS summit

  • Sounds like you have the outline down. Is this a project on the ideal or the state of the industry?

    I wrote a short and sweet post discussing the two schools of thought I see dominating the evolution of hunt in the enterprise: the DFIR analyst and the threat intel analyst. Hope to see nods for both approaches in your paper as the DFIR approach tends to get less exposure outside DFIR circles.

    In my exposure of formalized hunt programs, I’ve seen an over emphasis on historical search against an ever increasing store of host and network telemetry as the dominant process in hunt.

    Unfortunately, at some organizations I’ve worked with, I’ve seen some really sharp threat intel gurus create beautiful reports with adversary TTPs and IOCs to search for. Then the button masher gets a hold of it, throws out the TTPs, skips to the appendix and searches for the hashes/IPs in Splunk one by one. Rinse and repeat. Obviously we haven’t reached the ideal.

    I personally subscribe to the proactive host-based DFIR methodology which folks like Mandiant and others pioneered. Has proven to be very effective in the field, especially in less mature organizations since it relies less on infrastructure and comprehensive sensor data.

    I define the processes used here (you can skip the marketing fluff to the meatier section on “Forensic State Analysis”):

    I’ll be joining Alissa Torres at a SANS webcast on 29 March to demonstrate using host DFIR techniques and data stacking to hunt on a large number of systems. It’s called Forensic or Endpoint “State Analysis” to differentiate it from analyzing the behavioral telemetry that typically comes off a network or endpoint monitoring tool. Feel free to join – hoping it finds its place among material for the 2%ers (we’re certainly making progress from last year – shall we shoot for 3?).
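The contrast Paul J draws above, between searching an appendix of hashes one by one and stacking host state across a fleet, can be shown in a few lines. This is an added illustration, not code from the post or from any commenter; the host records, paths and hash prefixes are constructed, and the stacking keys are assumptions about what an endpoint survey would collect.

```python
from collections import defaultdict

# Constructed fleet survey: (host, image path, sha256 prefix). Five hosts
# run the stock svchost.exe; ws05 also runs an svchost.exe from a user
# profile directory with a hash that no indicator list has seen before.
RECORDS = [
    ("ws01", r"C:\Windows\System32\svchost.exe", "3f1a"),
    ("ws02", r"C:\Windows\System32\svchost.exe", "3f1a"),
    ("ws03", r"C:\Windows\System32\svchost.exe", "3f1a"),
    ("ws04", r"C:\Windows\System32\svchost.exe", "3f1a"),
    ("ws05", r"C:\Windows\System32\svchost.exe", "3f1a"),
    ("ws05", r"C:\Users\jdoe\AppData\Roaming\svchost.exe", "9c2e"),
    ("ws01", r"C:\Program Files\Editor\editor.exe", "71b0"),
    ("ws02", r"C:\Program Files\Editor\editor.exe", "71b0"),
]

IOC_HASHES = {"b4d0"}   # constructed "appendix" list; nothing in the fleet matches it

def ioc_matches(records, ioc_hashes):
    """Indicator matching: hosts on which a listed hash was observed."""
    return sorted({host for host, _, digest in records if digest in ioc_hashes})

def stack(records, key):
    """Stack records by key(record) and count the distinct hosts per value."""
    hosts = defaultdict(set)
    for rec in records:
        hosts[key(rec)].add(rec[0])
    return {k: len(v) for k, v in hosts.items()}

def rare(records, key, max_hosts=1):
    """Least-frequency-of-occurrence: values present on at most max_hosts hosts."""
    return sorted(k for k, n in stack(records, key).items() if n <= max_hosts)

def names_in_multiple_dirs(records):
    """TTP-style hypothesis: the same binary name running from more than one directory."""
    dirs = defaultdict(set)
    for _, path, _ in records:
        directory, _, name = path.rpartition("\\")
        dirs[name.lower()].add(directory)
    return {name: sorted(d) for name, d in dirs.items() if len(d) > 1}

if __name__ == "__main__":
    print("IOC hits:", ioc_matches(RECORDS, IOC_HASHES))
    print("rare path+hash pairs:", rare(RECORDS, lambda r: (r[1], r[2])))
    print("names seen in several directories:", names_in_multiple_dirs(RECORDS))
```

The indicator search returns nothing because the odd binary's hash is not on the list, while both stacking views surface the single-host svchost.exe under a user profile for an analyst to triage.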

  • Rick Holland says:

    Glad to see the prereqs for threat hunting in that outline, Anton. On the resources side, how much can you really automate? What is the realistic balance between automation and carbon-based analysis? What about threat hunting capability/maturity levels and guidance around what is appropriate for different sizes of organizations? E.g., when should certain orgs outsource to a service provider?

    • Thanks a lot for the comment, Rick. Indeed, will explore tooling (what you’d call “automation” presumably) and the balance, this is A BIG part, for sure.

  • Nichols says:

    Hi, Anton!

    I think the Sqrrl’s paper is a great resource, mainly by introducing the concept of Hunting Maturity Model –

  • Matthew Gardiner says:

    A little off from what you are asking…but one angle I think is interesting is how much “threat hunting” you can/should do on your own behalf and how much threat hunting can be done on your behalf by a service provider. This becomes more relevant as an organization’s security and other services are provided from the cloud…thus making it more available to the cloud provider to conduct threat hunting.

    • Hey Matt, this is a good question re: providers. We started with an idea to cover mostly DIY but now I have been influenced to look more into “managed hunting”

  • Matthew Gardiner says:

    Of course after posting the above I saw your tweet….No offense to any vendor, but I wonder whether #ThreatHunting literati here believe one can do “threat hunting as a service”, in principle?

    In principle I think “yes”….

  • Alan Ross says:

    I think spending some time on deterministic vs nondeterministic approaches and where each make sense would help a lot of folks.

  • @chrissanders88 has done some very interesting research regarding decisions that are made during a hunt or investigation that are a result of anchoring or bias – and the importance of context in those efforts.

  • Gary Parente says:

    We have also done our best to cut through the hype and get to brass tacks on a threat hunting definition. In the white paper linked below, we explain exactly what different types of “threat hunting” entail, from tactics to results, etc. Many EDR vendors claim they hunt simply because they log every piece of activity on the endpoint and then give you a search bar to find the threats yourself. Data is not valuable unless it is actionable.

    Check out this resource for a great description of Threat Hunting using Forensic State Analysis:

  • Neena says:

    Hi Anton,

    Haven’t read all of the comments and maybe this was included, but it will be greatly useful for customers if you include example case studies where someone used threat hunting and ‘significantly’ improved their threat visibility and were able to stop it early. The more details the better, but at this stage we really do need validation points to establish the usefulness of Threat Hunting as a practice. We could benefit from you talking to customers on this issue and gathering valuable insights.

  • Luke Radford says:

    To give it another dimension – how can you apply TH methodology and techniques to business disruption?

    All well and good having your systems protected and being aware of possible exploits, but if someone comes and disrupts your marketplace then what good will a secure system be? It would be interesting to see if there are examples where a TH approach has been used to influence innovation and business development.