
Into the Unknown: Exploring the Depths of Threat Hunting - Part I

Cyber threats don’t always knock on the front door or announce themselves. Some stay hidden, quiet, patient, and dangerous. And while cybersecurity continues to improve at blocking threats, adversaries are evolving just as quickly.

Today’s attackers are smart, creative and fast, and their techniques are constantly changing. Simply reacting is therefore no longer enough. Organizations need a new layer of defense that proactively detects threat actors before they can actually cause any damage.

That’s what threat hunting is all about.

In this blog series, “Into the Unknown”, we’ll explore what threat hunting is, why it matters, and how it helps strengthen your security posture in a world where threats are always shifting.

Starting with this opening blog, we will dive into the foundations of threat hunting, laying the groundwork for what it means to go and look for threats rather than waiting for them to appear.

But we’re just getting started. In the next blogs, we’ll look to the future, exploring how LLMs are changing the game and beginning to reshape the hunt, helping threat hunters find risks faster, smarter, and more accurately than ever before.

The Known vs. Unknown Framework

When talking about cybersecurity, not all threats are the same. One way to make sense of this is by thinking about threats as things you know, things you kind of know, and things you don’t know yet. 

A helpful way to understand the challenges defenders face is through the Known vs. Unknown framework, often used to describe the different levels of visibility defenders have into these threats:

  1. Known Knowns: things you know you know

These are threats you clearly recognize, you know what they look like, you are aware of them, and you can plan for them ahead of time. In other words, you know what you know.

  2. Known Unknowns: things you know you don’t know

These are threats you know might exist, but you are uncertain about the extent of their impact. You know a threat is present in the network, but you are not sure if it’s actually affecting your organization.

  3. Unknown Unknowns: things you don’t know you don’t know

These threats are the hardest to deal with because you have no warning signs or clues they are there. You don’t even know they exist, so you are unprepared. These are the most dangerous because, simply put, you don’t know what you don’t know.

Detection and Hunting: What’s the Difference?

Before diving deeper, let’s briefly explain how threat detection differs from threat hunting:

  1. Threat Detection: the reactive approach

You assume that threats will try to get in, so you set up multiple security layers and monitoring systems. When an alert goes off, you investigate and respond to the threat.

  2. Threat Hunting: the proactive approach

You assume an attacker might already be inside the network, so you actively search for hidden signs of activity that hasn’t triggered any alerts yet, and respond if anything is found.

Simply put, detection is about understanding and reacting to known threats, while hunting is about finding the unknown threats before they cause damage.

What is Threat Hunting? 

Threat hunting is the practice of proactively searching for cyber threats that may be lurking undetected in your network: the unknown threats that traditional automated prevention and detection methods have missed.

In threat hunting, you operate under the assumption that an adversary is already present in the environment, and you actively seek out signs of their activity.

Why does Threat Hunting matter?

  1. When Prevention Isn’t Enough

No security solution can detect 100% of threats, 100% of the time. When dealing with creative and determined adversaries, you need a backup plan.

Yes, the ability to block advanced threats improves each year, but so do the attacker’s techniques. This leads to critical questions: When prevention fails, what do you have left to protect your organization? How can you uncover gaps as quickly as possible?

Threat hunting fills this gap by enabling organizations to detect and respond to threats that would otherwise go unnoticed.

  2. Reducing Dwell Time Before Damage Is Done

According to Mandiant’s reports, attackers remain undetected inside a network for 11 days on average, a period known as dwell time.

The longer the dwell time, the greater the potential damage an attacker can cause.

Threat hunting helps reduce dwell time by proactively identifying threats within an organization’s environment before they can cause harm. Unlike traditional detection methods, which rely on SIEM rules or on waiting for alerts, threat hunters rely on their skills and knowledge and actively look for threats in order to prevent or minimize the damage.

“It’s important to remember that not receiving security alerts doesn’t necessarily mean your environment is safe. It could simply mean that your current security mechanisms have not detected an ongoing intrusion.”

Understanding the Threat Hunting Maturity Model (HMM)

“To get anywhere, you must first understand where you are, and where you want to go”

This holds especially true in threat hunting. Organizations that recognize threat hunting as the next step in the cybersecurity evolution need a clear path forward. Whether you're just beginning or already hunting, the Threat Hunting Maturity Model (HMM) helps assess your current capabilities and chart a roadmap for growth.

The model defines five levels of maturity, from a basic, non-existent hunting capability (HMM0) to a fully mature, automated, and proactive threat hunting practice (HMM4). Let’s explore each level:

Fig. 1. Threat Hunting Maturity Model (from “Enterprise Detection & Response: A Simple Hunting Maturity Model”)

HMM0: Initial

At this level the organization covers only basic security operations, relying primarily on reactive measures such as SIEMs and antivirus software.

There's minimal data collection from the environment, making threat hunting nearly impossible. The focus is on detection, not hunting.

HMM1: Minimal

Organizations at this level begin to centralize data collection and monitor threat intelligence feeds. When a new threat report is published, they extract indicators of compromise (IOCs) and search historical data for matches.

While this is still a reactive approach, it’s considered a basic form of hunting.

HMM2: Procedural

At this stage, organizations collect large amounts of data and use publicly available hunting procedures. These might include known techniques to detect malware or suspicious behavior.

Most organizations with an active threat hunting program fall into this category. However, they’re still dependent on external playbooks and often lack tailored approaches.

HMM3: Innovative

As the name implies, this level represents a shift toward custom and proactive hunting. Instead of relying only on public procedures, the organization develops its own, based on its unique threat landscape. It thinks from its own perspective: what would motivate an attacker to target this organization, and how might such an attack unfold?

As hunting becomes more effective, the volume of procedures grows. However, without increasing the number of threat hunters or introducing automation, it becomes difficult to keep up. This is exactly where HMM4 comes in.

HMM4: Automated

The most mature organizations automate the majority of their hunting procedures. This reduces repetitive workloads for analysts, allowing them to focus on creating new techniques, enhancing detections, and responding faster.

Note: The Hunting Maturity Model is a guideline, not a strict rule. Organizations don’t have to fit perfectly into just one level; they may sit at different levels for different capabilities.

Threat Hunting Methodologies

Threat hunting is not a one-size-fits-all process. How you hunt depends on what you already know and what you are trying to find. Let’s break down three common approaches that hunters use to track down threats.

  1. IOC-based threat hunting

This method uses known indicators of compromise shared through threat intelligence feeds. Hunters investigate the alerts triggered by these IOCs to determine whether any malicious activity is present.

This approach depends on the community or intelligence providers identifying and sharing IOCs. If no IOC is available for a particular threat, this method becomes ineffective.

This methodology is more reactive because it relies on known indicators and threat intelligence.

  2. TTP-based threat hunting

This approach goes beyond known indicators and focuses on the Tactics, Techniques, and Procedures (TTPs) that attackers use.

Threat hunters form hypotheses based on how certain threat actors typically operate and monitor activity patterns in the environment to spot potential threats. In this way, the hunter can proactively detect attackers early, before any real damage is done.

  3. Anomaly-based threat hunting

This method starts by asking: What looks weird?

It looks for behavior that’s unusual or out of the ordinary, things that don’t match the baseline of how systems or users normally operate. Maybe it’s someone logging in at a strange time, or a computer suddenly sending lots of data out.

This approach starts with data, lots of it. By analyzing logs, user behavior, system activity and network traffic, threat hunters look for patterns that don’t fit the norm.

With the help of tools like machine learning and behavioral analytics, threat hunters can detect abnormal behavior and spot these odd patterns. Even if the threat is brand new and doesn’t have a known signature, this method can still catch it.

That’s why it’s great for finding the “unknown unknowns”: threats that have never been seen before.
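As an added illustration (not code from the original post), the following Python runs the IOC-based and anomaly-based methodologies described above over one constructed login log. The intelligence feed, user names and addresses are all made up: the IOC hunt catches only the event that carries a known indicator, while the per-user baseline hunt flags the unusual login hour the feed knows nothing about.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events (not from any real environment): login hour (0-23),
# source IP and a short stand-in for the hash of the authenticating binary.
HISTORY = [  # baseline window: alice logs in 08-11, bob 13-17
    {"user": "alice", "hour": h, "src_ip": "10.0.0.5", "sha256": "aa11"}
    for h in (8, 9, 9, 10, 10, 11)
] + [
    {"user": "bob", "hour": h, "src_ip": "10.0.0.9", "sha256": "aa11"}
    for h in (13, 14, 15, 16, 17, 17)
]
TODAY = [
    {"user": "alice", "hour": 9, "src_ip": "10.0.0.5", "sha256": "aa11"},
    {"user": "alice", "hour": 3, "src_ip": "10.0.0.5", "sha256": "aa11"},   # odd hour, no IOC
    {"user": "bob", "hour": 14, "src_ip": "203.0.113.7", "sha256": "aa11"},  # known-bad IP
]
# Hypothetical intelligence feed; 203.0.113.7 is a documentation-range placeholder.
KNOWN_IOCS = {"src_ip": {"203.0.113.7"}, "sha256": {"deadbeef"}}


def ioc_hunt(events, iocs):
    """IOC-based hunt: flag every event carrying a known indicator.
    Blind to anything the feed has no indicator for (alice's 03:00 login)."""
    return [(e["user"], field, e[field])
            for e in events for field, values in iocs.items()
            if e.get(field) in values]


def build_baseline(history):
    """Per-user mean and standard deviation of login hour over the history window."""
    hours = defaultdict(list)
    for e in history:
        hours[e["user"]].append(e["hour"])
    return {u: (mean(h), pstdev(h)) for u, h in hours.items()}


def anomaly_hunt(events, baseline, z=3.0, floor=1.0):
    """Anomaly-based hunt: flag logins more than z deviations from the user's usual
    hour. `floor` stops a very regular user from making tiny shifts look anomalous;
    users with no baseline are flagged for review. Hours are treated as linear
    (23:00 vs 01:00 is far apart here), a simplification a real hunt would fix."""
    hits = []
    for e in events:
        if e["user"] not in baseline:
            hits.append((e["user"], e["hour"], "no baseline"))
            continue
        mu, sigma = baseline[e["user"]]
        score = abs(e["hour"] - mu) / max(sigma, floor)
        if score > z:
            hits.append((e["user"], e["hour"], round(score, 1)))
    return hits
```

Running `ioc_hunt(TODAY, KNOWN_IOCS)` returns only bob’s login from the known-bad address, while `anomaly_hunt(TODAY, build_baseline(HISTORY))` returns only alice’s 03:00 login; together they show why the two methodologies complement rather than replace each other.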

Threat Hunting Frameworks

Threat hunting needs a framework to serve as a foundation for hunters when they begin their hunting process. Let’s cover some of the key frameworks that guide effective threat hunting.

  1. Cyber Kill Chain

The Cyber Kill Chain outlines the steps that an attacker needs to take in order to achieve their objective. By classifying attacker actions into phases, defenders can better identify suspicious behaviors that may fit into a particular phase.

Fig. 2. Cyber Kill Chain

Since threat hunting aims to uncover undetected breaches as early as possible, it prioritizes finding threats near the later stages of the kill chain, where the attacker is about to achieve their objective. In practice, this means searching for any symptoms hinting that the objectives of the attack are being achieved.

  2. Pyramid of Pain

The Pyramid of Pain illustrates the relationship between the types of indicators used to detect attackers and how much “pain” it causes adversaries when defenders block those indicators.

Fig. 3. Pyramid of Pain

  • The width of each layer represents the number of possible indicators of that type.
  • The higher you go on the pyramid, the more costly and difficult it is for attackers to change their tactics.

The Pyramid provides a priority list of indicators for defenders to target, from simple hashes and IP addresses to complex tactics and procedures.

  3. MITRE ATT&CK Framework

The MITRE ATT&CK framework is a detailed knowledge base of attacker tactics, techniques, and procedures (TTPs). It complements the Cyber Kill Chain with more granularity:

  • Tactics: The adversary’s goals during an attack, the "why."

  • Techniques: The methods used to achieve those goals, the "how."

  • Procedures: The specific steps adversaries take to execute techniques.

MITRE ATT&CK is a valuable tool for threat hunters because it provides a detailed understanding of attacker behaviors.

For more details, check out 

At this point, we have explored the key building blocks of threat hunting, including what it is, why it’s important, and the core frameworks that guide the hunt. Now that you’ve got a solid grasp of the fundamentals, you are in a great spot to start thinking like a threat hunter.

Coming up in Part II, we’ll dive into the threat hunting process and show you how to measure the impact and success of your hunts.