Proactively searching for cyber security threats that might be lurking undetected in the organization's network
Allows the organization to improve its detection capabilities, reduce the attack surface, block attack vectors, and identify critical assets
Threat Hunting Steps
Establish a Hypothesis
Predicting high-impact, likely events through threat modeling
Profiling Threat Actors and Activities
Envisioning how potential attackers might intrude and what they aim to achieve
When threat hunting, we need to assume that all existing security controls have failed
This is what differentiates normal network monitoring from threat hunting
Gathering Threat Intelligence
Advisories and Bulletins
Published by vendors and security researchers when new TTPs and vulnerabilities are discovered
Intelligence Fusion and Threat Data
Use SIEM and analysis platforms to spot concerns in the logs and match them against real-world security threats