Sqrrl Blog

Apr 8, 2016 10:49:00 AM

Cyber Threat Hunting (1): Intro

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter at http://cyber-ir.com/2016/01/21/cyber-threat-hunting-1-intro/ 

After some long months debating whether to write a white paper, and what potential topics I could write about, I have ultimately decided that I do not have enough time to go through the process of writing a research paper for the next 6 to 12 months. Instead, I am taking some of my research and current experience  and I am sharing it with you. I will be brief and to the point – it is not my intention to spend much time in the bushes. I want to provide you with a solid foundation to start hunting and understanding the “creativity” behind the process.


I am actively involved in memory forensics that was my original idea for my white paper; however, I decided that this area overlaps with this subject and it is part of threat hunting in the endpoint. These new series of articles are about threat hunting, which is currently the buzz in the industry.

The funny thing about threat hunting is that everybody speaks and writes about it, telling you what you need to do but not telling you how to do it.

Incident response has evolved from a reactive approach to a complete new proactive approach, in which you are acting as a first responder; you are actively looking for adversaries in your network in order to prevent a breach from happening.

To formally define it, we can explain threat hunting as the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain. The earlier you locate and track your adversary in the chain, the lower impact his activities will have on your organization’s network.

Threat hunting provides many benefits for your organization's cyber analysts and incident responders:

  • Gaining visibility and uncovering your organization’s weaknesses
  • Early detections of threats
  • Damage control
  • Improvement of automatic countermeasures

For the personnel in charge of the defense of your networks, it provides:

  • A better understanding of the threat profile of your organization
  • Understanding your organization’s network layout and behavior
  • Deep familiarization with your organization's network technology
  • Potential to improve their careers

What does the hunting cycle look like? What are the existing approaches to threat hunting?

The threat hunting cycle is extremely similar to the incident response cycle.


I will not get into detail about the different stages as they are very easy to understand.

In regards to the approaches to threat hunting, we can discuss two different approaches – Automated or continuous hunting, and On-demand hunts. Automated or continuous hunts focus on anomalies, unusual connections, strange registry keys and anything else straying from the baseline.

On-demand hunts, on the other hand, look for particular attacks within an organization. To do this you need to know exactly what to look for.

We will not be dealing with On-demand hunts, as these are the grounds for Threat Intelligence teams with their IoC’s. This approach, although useful, is very limited and provides very little results as the threat infrastructure life cycle lasts a few days or even hours. This ultimately means that it is very difficult to hunt using “known” IoC’s unless the threat information has been shared within hours of the initial detection. This is a very well-known challenge in the industry, and the sharing of threat intelligence information remains an obstacle.

I will dedicate a quick post to this hunting approach, as well as some other supporting posts, to help you understand the threat infrastructure life cycle. For now, the focus of the future articles in this series will be continuous hunting.

As part of my past experience in business development and my interest in using technology to solve problems, I am always looking for new people, startups or companies that are working in interesting technological solutions. One of the few vendors that is exploiting hunting as the next leap in the world of cyber security right now is Sqrrl.

Sqrrl has defined a Threat Hunting Maturity Model. This model is very similar to the Capabilities Maturity Model Integration (CMMI) which is a generic process model improvement. It is worth keeping an eye on vendors like this.

In my next post, I will continue the journey we started here and I will get you ready to start hunting.

Topics: Cyber Hunting, Incident Response, Threat Hunting, Cyber Threat Hunting