Tech topics

What is Cyber Threat Hunting?

Illustration of IT items with focus on a laptop

Overview

Cyber threat hunting is a forward-looking approach to internet security where threat hunters proactively search for security risks concealed within an organization’s network. Unlike more passive cybersecurity hunting strategies—like automated threat detection systems—cyber hunting actively seeks out previously undetected, unknown, or non-remediated threats that could have evaded your network’s automated defense systems.

Cyber threat hunting

What is hybrid IT?

Cybercriminals are becoming more sophisticated than ever, making cyber threat hunting an essential component of robust network, endpoint, and dataset security strategies. If an advanced external attacker or insider threat eludes initial network defense systems, they can remain undetected for months. During this time, they can gather sensitive data, compromise confidential information, or secure login credentials that enable them to sneak laterally across your networking environment.

Security personnel can no longer afford to sit back and wait for automated cyber threat detection systems to notify them of an impending attack. With cyber threat hunting, they can proactively identify potential vulnerabilities or threats before an attack can cause damage.

How does cyber threat hunting work?

Cyber threat hunting combines the human element with a software solution’s big data processing power. Human threat hunters—who use solutions and intelligence/data to find adversaries who may evade typical defenses—lean on data from complex security monitoring and analytics tools to help them proactively identify and neutralize threats.

Human intuition, strategic and ethical thinking, and creative problem solving play an integral role in the cyber hunting process. These human characteristics enable organizations to implement threat resolutions faster and more accurately than solely relying on automated threat detection tools.

What's required to start threat hunting?

For cyber threat hunting to work, threat hunters must first establish a baseline of anticipated or authorized events to better identify anomalies. Using this baseline and the latest threat intelligence, threat hunters can then comb through security data and information collected by threat detection technologies. These technologies can include security information and event management solutions (SIEM), managed detection and response (MDR), or other security analytics tools.

Once equipped with data from varied sources—such as endpoint, network, and cloud data—threat hunters can scour your systems for potential risks, suspicious activities, or triggers that deviate from the normal. If a known or potential threat is detected, threat hunters can develop hypotheses and in-depth network investigations. During these investigations, threat hunters attempt to discover whether a threat is malicious or benign, or whether the network is safeguarded adequately from new types of cyber threats.

Is cyber threat hunting a part of threat intelligence?

Cyber threat intelligence is a focus on the analysis, collection, and prioritization of data to improve our understanding of threats facing a business.

Threat hunting investigation types

There are three core threat hunting investigation types:

Structured: This type of cybersecurity hunting is based on an indicator of attack, as well as an attacker’s tactics, techniques, and procedures (TTPs). Using the MITRE Adversary Tactics Techniques and Common Knowledge (ATT&CK®) framework, structured hunting enables threat hunters to identify a malicious actor before they can harm the network.
Unstructured: Based on a trigger or indicator of compromise (IoC), threat hunters use unstructured hunting to search for any noticeable patterns throughout the network both before and after a trigger or IoC was found.
Situational or threat-intelligence-based: Hypotheses are derived from situational circumstances, such as vulnerabilities discovered during a network risk assessment. With the latest threat intelligence, threat hunters can reference internal or crowdsourced data on cyberattack trends or attacker TTPs when analyzing their network.

In all three of these investigation types, threat hunters search through events for anomalies, weaknesses, or suspicious activity outside of anticipated or authorized events. If any security gaps or unusual activity are found, hunters can then patch the network before a cyberattack occurs or reoccurs.

The four steps of cyber threat hunting

To effectively initiate a cyber threat hunting program, there are four steps your security personnel should follow:

Develop a hypothesis: Threat hunters should develop a hypothesis based on risks or vulnerabilities that might exist within the organization’s infrastructure, current threat intelligence or attacker TTPs, or from suspicious activity or a trigger that deviates from standard baseline activity. They can also use their knowledge, experience, and creative problem-solving skills to establish a threat hypothesis and decide on a path forward to test it.
Begin the investigation: During an investigation, a threat hunter can lean on complex and historical datasets derived from threat hunting solutions such as SIEM, MDR, and User Entity Behavior Analytics. The investigation will push forward until the hypothesis is confirmed and anomalies are detected, or the hypothesis is found to be benign.
Discover new patterns: When anomalies or malicious activity are found, the next step is to deploy a quick and efficient response. This could include disabling users, blocking IP addresses, implementing security patches, altering network configurations, updating authorization privileges, or introducing new identification requirements. As your security teams work to resolve network threats proactively, they will inherently learn threat actors’ TTPs and how they can mitigate these threats in the future.
Respond, enrich, and automate: The job of threat hunting is never ending, as cybercriminals are always advancing and creating new network threats. Cyber threat hunting should become an everyday practice within your organization, operating alongside automated threat detection technologies and your security team's current threat identification and remediation processes.

What are the top challenges of cyber threat hunting?

Because cyber threat hunting takes a proactive, hands-on approach to threat detection and remediation, some organizations face significant challenges when implementing this security practice. For a cyber threat hunting program to be successful, an organization must have three key components working in harmony:

Expert threat hunters: The human capital involved with cyber threat hunting is arguably the most critical component. Threat hunters must be experts in the threat landscape and be able to identify the warning signs of sophisticated attacks quickly.
Comprehensive data: To properly seek out threats, hunters must have access to a wealth of data (both current and historical data) that provides visibility across an entire infrastructure. Without this aggregated data, threat hunters won’t be able to create informed threat hypotheses based on your endpoints, network, or cloud infrastructure.
Up-to-date threat intelligence: Threat hunters must be equipped with the most up-to-date threat intelligence, enabling them to compare current cyberattack trends with internal data. Without knowing what new or trending threats exist, threat hunters won’t have the necessary information to analyze potential network threats correctly.

Deploying all three of these components and ensuring they seamlessly work together requires many organizational resources. Unfortunately, some security teams don’t have access to the right tools, personnel, or information to establish a full-scale cyber threat hunting program.

Discover managed cyber threat hunting with OpenText Cybersecurity

Successfully protecting your organization’s infrastructure requires a proactive approach rather than a reactive one. Gone are the days in which automated threat detection technologies are enough on their own to safeguard confidential data or information. Instead, your security teams must implement an ongoing cyber threat hunting program that enables them to create informed hypotheses and pinpoint network anomalies, risks, or suspicious activity before an external attacker or insider threat can cause damage.

Searching for a managed service to deliver cyber threat hunting without need to invest in software and resources? OpenText™ Security Services provides point-in-time threat hunts and subscription-based services to perform situational-, unstructured-, and structured-based threats and identify anomalies, weaknesses, and suspicious activities. Combined with our expertise in risk and compliance, digital forensics, and incident response, our customers trust OpenText to improve their cyber resilience.

FeaturedFeatured

Analytics CloudAnalytics Cloud

Analytics DatabaseAnalytics Database

Business Intelligence and ReportingBusiness Intelligence and Reporting

Data DiscoveryData Discovery

eDiscovery and InvestigationseDiscovery and Investigations

Legal Content and Knowledge ManagementLegal Content and Knowledge Management

Aviator Search

Business Network CloudBusiness Network Cloud

Supply Chain IntegrationSupply Chain Integration

B2B Integration ServicesB2B Integration Services

Ecosystem CollaborationEcosystem Collaboration

Business Network Aviator

Content CloudContent Cloud

Document ManagementDocument Management

AI Content ManagementAI Content Management

Business IntegrationsBusiness Integrations

Capture and Intelligent Document ProcessingCapture and Intelligent Document Processing

Information ArchivingInformation Archiving

Process AutomationProcess Automation

Information GovernanceInformation Governance

Content Aviator

Cybersecurity CloudCybersecurity Cloud

Application SecurityApplication Security

Identity and Access ManagementIdentity and Access Management

Data Privacy and ProtectionData Privacy and Protection

Digital Investigations and ForensicsDigital Investigations and Forensics

Threat IntelligenceThreat Intelligence

Threat Detection and ResponseThreat Detection and Response

Cybersecurity Aviator

DevOps CloudDevOps Cloud

DevOps PlatformDevOps Platform

PPM and Strategic Portfolio ManagementPPM and Strategic Portfolio Management

Quality ManagementQuality Management

Functional TestingFunctional Testing

Performance EngineeringPerformance Engineering

DevOps Aviator

Experience CloudExperience Cloud

Web and Brand ExperiencesWeb and Brand Experiences

MessagingMessaging

Customer Journey and DataCustomer Journey and Data

Media ManagementMedia Management

Contact Center AnalyticsContact Center Analytics

Experience Aviator

IT Operations CloudIT Operations Cloud

Service ManagementService Management

FinOpsFinOps

AIOps and ObservabilityAIOps and Observability

AutomationAutomation

Network ManagementNetwork Management

IT Operations Aviator

OpenText ThrustOpenText Thrust

Developer Cloud technical documentationDeveloper Cloud technical documentation

Aviator Thrust

PortfolioPortfolio

Data protection and endpoint backupData protection and endpoint backup

Endpoint management and mobile securityEndpoint management and mobile security

Hybrid work, email, and team collaborationHybrid work, email, and team collaboration

Archiving, eDiscovery, and data securityArchiving, eDiscovery, and data security

Information reimaginedInformation reimagined

Artificial IntelligenceArtificial Intelligence

IndustryIndustry

Enterprise ApplicationsEnterprise Applications

Your journey to successYour journey to success

Customer SupportCustomer Support

Customer Success ServicesCustomer Success Services

Strategy & Advisory ServicesStrategy & Advisory Services

Consulting ServicesConsulting Services

Learning ServicesLearning Services

Managed ServicesManaged Services

Find an OpenText PartnerFind an OpenText Partner

Find a Partner SolutionFind a Partner Solution

Grow as a PartnerGrow as a Partner

Become a Partner

Asset LibraryAsset Library

BlogsBlogs

EventsEvents

CommunitiesCommunities

Customer StoriesCustomer Stories

OpenText NavigatorOpenText Navigator

Featured

Analytics Cloud

Analytics Database

Business Intelligence and Reporting

Data Discovery

eDiscovery and Investigations

Legal Content and Knowledge Management

Business Network Cloud

Supply Chain Integration

B2B Integration Services

Ecosystem Collaboration

Content Cloud

Document Management

AI Content Management

Business Integrations

Capture and Intelligent Document Processing

Information Archiving

Process Automation

Information Governance

Cybersecurity Cloud

Application Security

Identity and Access Management

Data Privacy and Protection

Digital Investigations and Forensics

Threat Intelligence

Threat Detection and Response

DevOps Cloud

DevOps Platform

PPM and Strategic Portfolio Management

Quality Management

Functional Testing

Performance Engineering

Experience Cloud

Web and Brand Experiences

Messaging

Customer Journey and Data

Media Management

Contact Center Analytics

IT Operations Cloud

Service Management

FinOps

AIOps and Observability

Automation

Network Management

OpenText Thrust

Developer Cloud technical documentation

Portfolio

Data protection and endpoint backup

Endpoint management and mobile security

Hybrid work, email, and team collaboration

Archiving, eDiscovery, and data security

Information reimagined

Artificial Intelligence

Industry

Enterprise Applications

Your journey to success

Customer Support

Customer Success Services

Strategy & Advisory Services

Consulting Services

Learning Services

Managed Services

Find an OpenText Partner

Find a Partner Solution

Grow as a Partner

Asset Library

Blogs

Events

Communities

Customer Stories

OpenText Navigator