Threat hunting is the proactive, hypothesis-driven practice of searching for malicious activity that has evaded automated detection controls. It occupies the highest tier of the security operations maturity model — the capability that separates organizations that discover breaches in days from those that discover them in months or never. For organizations serious about building a defensible security posture, understanding threat hunting methodology is essential, regardless of whether you build the capability internally or leverage a managed provider.
Reactive vs. Proactive Security: The Maturity Gap
Most security programs are fundamentally reactive: alerts fire, analysts investigate, incidents are closed. This model has a critical flaw — it only detects what the detection rules are written to find. Advanced persistent threat actors, insider threats, and novel malware specifically designed to evade detection all operate below the threshold of reactive alerting. By the time a reactive program generates an alert, the adversary may have been present for weeks or months.
Proactive security inverts this model. Threat hunters assume that adversaries are already present in the environment and search for evidence of their activity regardless of whether any alert has fired. This assumption — sometimes called the "assumed breach" posture — is not pessimism; it is empirically justified. The median dwell time for financially motivated threat actors is 16 days (Mandiant M-Trends 2024), and for espionage-motivated actors it is significantly longer. Assuming a clean environment because no alerts have fired is one of the most dangerous assumptions in security operations.
Threat Hunting Maturity Model
The hunting maturity model (HMM) provides a structured framework for assessing and improving hunting capability across five levels:
- Level 0 — Initial: Hunting is entirely automated and reactive. No human-led searches. Organizations rely entirely on SIEM rules and EDR signature detections. The majority of organizations without dedicated security teams operate at this level.
- Level 1 — Minimal: Some use of indicator-based searching — hunting for known IOCs (IP addresses, hashes, domain names) from threat intelligence feeds. Better than Level 0, but still fundamentally reactive because it depends on prior knowledge of attacker infrastructure.
- Level 2 — Procedural: Hunters follow documented procedures and query playbooks. Searches are TTP-based rather than purely indicator-based — looking for techniques rather than specific tools. Most organizations with a dedicated SOC function operate at Level 2.
- Level 3 — Innovative: Hunters create novel hypotheses based on threat intelligence, environmental knowledge, and adversary TTPs. They develop new detection logic from hunt findings and contribute back to the detection engineering pipeline. This level requires experienced practitioners with offensive security intuition.
- Level 4 — Leading: Automated hunt procedures combined with continuous hypothesis generation. Hunt operations feed a data science and machine learning pipeline that generates statistical baselines and surfaces anomalies for hunter review. Large security teams only.
The Hypothesis-Based Hunting Process
Structured threat hunting follows a disciplined process rather than ad hoc exploration:
- Threat Intelligence Input: Start with current, relevant threat intelligence. What APT groups are targeting your industry? What TTPs are currently prevalent? FS-ISAC bulletins, CISA advisories, vendor threat reports, and MITRE ATT&CK updates all inform hunt priorities. A hunt without intelligence grounding risks spending time on low-probability scenarios.
- Hypothesis Formation: Translate intelligence into a testable hypothesis. Example: "Based on FS-ISAC reporting of Lazarus Group activity targeting financial sector VPN appliances, an adversary may have established persistence on our Fortinet VPN infrastructure using web shells or scheduled tasks." A good hypothesis is specific, falsifiable, and tied to observable data.
- Hunt Execution: Search available data sources for evidence supporting or refuting the hypothesis. Identify what data sources are required, what tools will execute the queries, and what constitutes a positive finding. Document the methodology as you execute so the hunt is repeatable.
- Findings Documentation: Document all findings — both positive (threat confirmed) and negative (no evidence found). Negative findings are valuable: they either confirm the control is working, identify a data gap, or establish a baseline for future comparison.
- Detection Improvement: Convert hunt findings into automated detections. Every successful hunt should produce a SIEM rule, EDR behavioral detection, or monitoring alert that automates future detection of the same technique. This is the feedback loop that raises the security program's floor over time.
MITRE ATT&CK-Driven Hunt Hypotheses
The MITRE ATT&CK framework provides the most widely used structured vocabulary for threat hunting hypotheses. Rather than hunting for specific malware families, ATT&CK-driven hunting focuses on techniques that adversaries use across tools:
- Kerberoasting Hunt (T1558.003): Query Active Directory event logs for Kerberos TGS-REQ requests for service accounts with SPNs, particularly requests using RC4 encryption (downgrade from AES) and requests for high-privilege service accounts. Alert on unusual volumes, off-hours requests, or requests from workstations where Kerberoasting tools have been observed.
- DCSync Hunt (T1003.006): Hunt for non-domain-controller accounts issuing replication requests (
DS-Replication-Get-Changes-AllLDAP operation). Event IDs 4662 with specific GUIDs in Windows Security logs. Any workstation making DCSync calls is a high-confidence indicator of credential theft tooling. - LSASS Memory Dump Hunt (T1003.001): Monitor for processes accessing the LSASS process with
PROCESS_VM_READpermissions (Sysmon Event ID 10). Legitimate processes that access LSASS are well-known (AV engines, EDR agents); any unexpected process accessing LSASS memory warrants immediate investigation. - Living-off-the-Land Hunt (T1218): Analyze process trees for LOLBin execution patterns —
mshta.exeloading remote HTA files,regsvr32.exeexecuting COM scriptlets,certutil.exewith decode or download parameters,wmic.exeexecuting process creation. Build an allowlist of known-legitimate LOLBin usage and alert on anything outside it.
Hunt Data Sources and Tools
Effective hunting requires rich telemetry. The most valuable data sources are:
- EDR telemetry: Process creation (with full command lines), network connections by process, file writes, registry modifications, and memory access events. EDR platforms like CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint all provide this telemetry at scale.
- Windows Event Logs: Security events (4624, 4625, 4648, 4662, 4663, 4688, 4698, 4720, 4768, 4769), PowerShell script block logging (4104), and Sysmon-enhanced telemetry.
- DNS logs: Anomalous DNS query patterns, high-entropy subdomain lookups (DGA activity), DNS over unusual ports, and queries to newly registered domains.
- Network flow data: Long-lived connections, beaconing patterns (periodic connections at regular intervals suggesting C2 communication), unusual data volumes by host, and connections to known-bad ASNs.
Hunt execution tools include Velociraptor (open-source IR and hunting platform with VQL query language), OSQuery (SQL-based OS instrumentation), Elastic Security (EQL-based hunting in the Elastic Stack), and Splunk with SPL. Purpose-built hunt platforms like Sqrrl (acquired by Amazon) and SpecterOps BloodHound are valuable for specific hunt categories like Active Directory attack path analysis.
Our penetration testing service generates the adversary TTPs and attack paths that form the most relevant hunt hypotheses for your specific environment. When your pen test reveals that LSASS dump techniques were successful in your environment, your hunt team knows exactly what to look for. If you are evaluating your threat hunting capability or seeking a managed security service with proactive hunting capability, contact us to discuss your requirements.