Splunk Lantern

Prescriptive Adoption Motion - Threat hunting


Cyber threat hunting is a practice used to proactively search for potential threats that may have infiltrated an organization's network or systems. This involves a combination of automated and manual techniques to identify and analyze suspicious activities or anomalies in network traffic, system, or endpoint logs.

The main objective of cyber threat hunting is to locate and identify potential risks and threats before they can cause harm to the organization. This approach is different from reactive cybersecurity methods, which focus on detecting and responding to known threats or vulnerabilities.

Cyber threat hunting involves several steps, including:

  • Preparation. Defining the scope of the hunting exercise, selecting the appropriate tools and techniques, and establishing procedures for reporting and responding to any identified threats.
  • Collection. Collecting and analyzing data from various sources, such as system logs, network traffic streams, and endpoint devices.
  • Analysis. Analyzing the collected data to identify patterns and anomalies that may indicate a potential threat.
  • Investigation. Investigating identified threats to determine their scope, severity, and potential impact on the organization.
  • Remediation. Taking appropriate actions to mitigate the identified threats and prevent future attacks from occurring through the same methods.

Cyber threat hunting involves a combination of technical expertise, analytical skills, and knowledge of the latest threats and attack techniques. As these threats and techniques are constantly evolving, threat hunting becomes an ongoing process that requires continuous monitoring and analysis of systems and network activity. This ensures that potential threats are detected and addressed promptly.

Benefits of establishing and using a threat hunting program can include:

  • Early stage detection of threats. By proactively seeking out threats, cyber threat hunting can identify threats earlier than traditional detection-based security methods.
  • Improved response times. Because cyber threat hunting identifies threats earlier in the attack lifecycle, organizations can respond much more quickly and effectively to prevent or mitigate the impact of the potential cyber attack.
  • Reduced risk of data breaches. Cyber threat hunting can help organizations identify and address vulnerabilities in their network or systems, reducing the risk of data breaches and other detrimental cyber attacks.
  • Improved visibility into network activity. Cyber threat hunting provides a more comprehensive view of network activity, which can help organizations identify potential security gaps or areas for improvement in their defensive measures.
  • Enhanced security posture. By establishing a proactive approach to security, organizations can improve their overall security posture and reduce the risk of cyber attacks.
  • Compliance with regulations. Many industry regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), require organizations to have robust security measures in place. Cyber threat hunting can help organizations meet these requirements and maintain their compliance posture.

Overall, threat hunting is a valuable tool for organizations that want to improve their cybersecurity defenses and stay ahead of potential risks and threats. Through the practice of proactively seeking out threats, organizations can reduce the risk of data breaches occurring, improve response times, and enhance their overall risk and security posture.

Aim and strategy

The aim of implementing a cyber threat hunting program is to proactively detect and respond to potential cyber threats before they can cause harm to an organization. The strategy involves using a combination of automated tools and manual techniques to identify and analyze suspicious activities or anomalies in network traffic or system logs. In general, the objective of a cyber threat hunting program is to stay ahead of potential threats by proactively searching for them and taking necessary actions to mitigate them.

Common use cases

Some of the most common use cases for cyber threat hunting include:

  • Detection of advanced persistent threats (APTs). APTs are stealthy, targeted attacks that can be difficult to detect using traditional security measures. Cyber threat hunting can help seek out and identify APTs by looking for unusual patterns or behaviors and indicators.
  • Identification of insider threats. Insider threats are attacks that are launched by employees or contractors who have access to an organization's systems or data. Cyber threat hunting helps identify insider threats by monitoring user activity and identifying unusual behaviors or patterns that would otherwise be difficult to detect.
  • Detection of malware and ransomware. Malware and ransomware are common types of cyber threats that can cause significant damage to an organization's systems and data. Cyber threat hunting can help identify and detect these types of attacks through indications of unusual network traffic or system behavior.
  • Identification of vulnerabilities. Cyber threat hunting can help identify vulnerabilities in an organization's systems and applications that could be exploited by attackers. By proactively searching for vulnerabilities, organizations can take steps to remediate them before they are exploited and pose a risk to the organization.
  • Incident response. Cyber threat hunting can be used as part of an incident response plan to quickly identify and respond to potential cyber attacks. By proactively seeking out threats, organizations can respond more quickly and effectively to identify and minimize the impact of an active attack.

User roles

Role | Responsibilities
Threat Hunter | Conducts proactive searches for potential threats within an organization's network and systems. The threat hunter is typically a skilled security analyst with expertise in threat intelligence, data analysis, and incident response.
Threat Intelligence Analyst | Collects, analyzes, and interprets threat intelligence data to identify potential threats and risks to an organization. The threat intelligence analyst typically has expertise in the latest cyber threats and attack techniques, as well as knowledge of the organization's industry and the types of threats that are most likely to target it.
SOC Analyst | Monitors an organization's network and systems for potential security incidents. The SOC analyst typically has expertise in Splunk Enterprise Security and detection and prevention systems.
Incident Responder | Responds to and mitigates cyber attacks when they occur. The incident responder typically has expertise in incident response procedures, data forensics, and system recovery.
Splunk Admin | Applies configuration changes and user or permissions changes, as well as installs and maintains apps.
Information Security Management | Approves changes and sponsors projects.


Prerequisites

There are several prerequisites to consider before establishing efforts for cyber threat hunting. These might include:

  1. Data sources. A variety of data sources is required to effectively conduct cyber threat hunting. This includes user authentication logs, network traffic logs and streaming data, system logs, endpoint logs, and other various security-related data. It's important to have a centralized location such as Splunk Enterprise Security for collecting, searching, and analyzing this data.
  2. Analytical tools. In addition to data sources, it's important to have the right analytical tools to effectively identify and respond to potential threats. This can include automated tools such as firewalls, intrusion detection systems, and security information and event management (SIEM) systems, as well as a variety of manual analysis techniques.
  3. Skilled personnel. Cyber threat hunting requires trained and skilled personnel who are knowledgeable about current cyber threats, conducting data analysis, and performing or coordinating incident response activities. This can include security analysts, threat intelligence specialists, and incident response teams.
  4. Knowledge of the organization's assets and identities. It's important to have a comprehensive understanding of the organization's assets and identity data, as well as the types of threats that are most likely to target the organization. This can help ensure that the cyber threat hunting program is focused on the areas that are most critical to the organization's security.
  5. Executive support. Cyber threat hunting requires support from the organization's executive leadership to ensure that the necessary resources are allocated and that the program is integrated into the organization's overall security strategy.

Considerations

When it comes to hunting for potential threats, having clearly defined goals is crucial. Your goals should be in line with your organization's security strategy and business objectives. A good place to start is to set goals for reducing the time it takes to detect threats and increasing the number of threats detected.

To effectively hunt for threats, you need access to a comprehensive set of data sources. This includes asset and identity data, real-time or near-real-time network traffic logs, system and application logs, and endpoint event logs. It's important to make sure these data sources are detailed and can be accessed through a centralized repository for ease of analysis, such as Splunk Enterprise Security. Additionally, the tools you use for hunting should be robust, allowing for deep analysis and the ability to investigate data from various perspectives. Keeping these tools updated and well-maintained is essential for identifying potential threats.

Having skilled personnel who are knowledgeable about current cyber threats and trends is also crucial for a successful threat hunting program. Staying up-to-date on the latest threat actors and methods is necessary for staying ahead of the curve. Clear knowledge of the types of threats that specifically target your organization is also important, as is regular training to keep skills up-to-date.

Communication and collaboration among all stakeholders are key for an effective cyber threat hunting program. This includes the cyber threat hunting team, incident responders, and executive leadership. Ensuring everyone understands their roles and responsibilities and that conflicts are avoided is vital.

Finally, it's important to understand that cyber threats are constantly evolving, so an effective program continuously evaluates its processes and tools and looks for improvements. Regularly reviewing and updating the program's goals, data sources, analytical tools, and personnel skill sets is essential for keeping your threat hunting program effective.

Implementation guide

1.0 Determining search hypothesis

Threat hunting is a targeted investigation that focuses on a specific set of objectives. The hunter collects information about the environment and generates a hypothesis or theory about potential threats. Based on this hypothesis, the hunter selects a target for further investigation. This target can be a particular system or set of systems, a network area, or a wide-ranging set of artifacts that span a general set of collected information. Regardless of the specific scope of focus, the process always starts with a hypothesis.

The hypothesis often focuses on TTP (Tactics, Techniques, and Procedures), threat intelligence, or IOC (Indicators of Compromise). This information can come from various sources, such as new zero-day vulnerabilities, threat actor research, threat intelligence, security control gaps, incident reports, and more. These sources of security information are often specific to an industry or business vertical. However, regardless of the source, a good hypothesis is based on relevance and testability.

2.0 Creating and implementing threat search and investigation

After a target is identified and scoped, threat hunters concentrate on proactively searching for indications of the threat or anomalies that either prove or disprove the hypothesis. At this stage, a wide range of tools and technologies is used to assist in investigating anomalies, which may or may not be malicious. In Splunk Enterprise Security, this process uses searches written in Search Processing Language (SPL). Writing them requires knowing where the data is located (index, source type, and so on), what is being hunted, and enough of the language and its syntax to return results that guide the hunter to a data set that can be further analyzed. Knowledge of the Splunk commands that perform data manipulation, pivoting, and visualization is vital. The depth of knowledge needed, however, varies based on the hunt method and scope.

Documentation on SPL is widely available through Splunk Docs, and there are many Splunk EDU courses available to help you become familiar with SPL and crafting searches at various knowledge levels.

When hunting for cyber threat indicators or TTPs, the search process could simply involve identifying significant indicators in a set of fields or event types. On the other hand, more complex intelligence-based cyber threat hunting requires quick data retrieval and might depend on commands such as tstats to analyze indexed fields and accelerated data models in Splunk Enterprise Security. Splunk Enterprise Security relies heavily on tstats because it searches against accelerated data models and indexed fields rather than raw events.

Threat hunting can be a complex and advanced use case to implement in many environments. Analytics-based threat hunts often require the user to have advanced Splunk query knowledge, and to be comfortable with using the stats, eventstats, or streamstats commands to examine how events are connected together. The SPL creation process can involve some trial and error, especially as the complexity of the hunt increases, and searches often need modification before they return a valuable set of data to explore. SPL adjustments may include adding exclusion lists for false positives found in the returned data, or modifying time and source thresholds based on the output. After a reliable set of data is available, the results can be analyzed and any findings deemed suspicious or malicious can be further investigated through your established processes.
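The following search is an added example, not part of the original page or of Splunk's own content, of the pattern just described: a hypothesis ("one source is failing logons against many accounts and then succeeding") tested with tstats over the accelerated CIM Authentication data model, an exclusion lookup for known false positives, and stats plus streamstats to connect events across hourly buckets. It assumes the Authentication data model is accelerated, and the lookup name hunt_auth_exclusions.csv (a CSV with a src column) and the thresholds 50, 10 and the 3-hour window are constructed placeholders to be tuned against your own data.

```spl
| tstats summariesonly=true count as events, dc(Authentication.user) as distinct_users
    from datamodel=Authentication
    where earliest=-24h latest=now
      (Authentication.action="failure" OR Authentication.action="success")
    by Authentication.src, Authentication.dest, Authentication.action, _time span=1h
| rename Authentication.* as *
| lookup hunt_auth_exclusions.csv src OUTPUT src as excluded_src
| where isnull(excluded_src)
| eval failures=if(action="failure", events, 0),
       successes=if(action="success", events, 0),
       failed_users=if(action="failure", distinct_users, 0)
| stats sum(failures) as failures, sum(successes) as successes,
        max(failed_users) as failed_users by src, dest, _time
| sort 0 src, dest, _time
| streamstats window=3 sum(failures) as failures_3h, max(failed_users) as failed_users_3h
    by src, dest
| where failures_3h >= 50 AND failed_users_3h >= 10 AND successes > 0
| convert ctime(_time) as hour
| table hour, src, dest, failures_3h, failed_users_3h, successes
| sort - failures_3h
```

Each returned row is a source and destination pair whose trailing three hours of failures crossed both thresholds in the same hour a success occurred; rows that turn out to be benign (vulnerability scanners, service accounts) are added to the exclusion lookup rather than raising the thresholds for everyone.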

3.0 Incident response

During the incident response phase, the information collected during the investigation is communicated to other teams and through other tools that can respond, prioritize, analyze, or store the information for future use. Regardless of whether the information describes benign or malicious activity, it can be useful in future analyses and investigations as a basis for building relational data. Data from the investigation can be leveraged to predict trends, prioritize and remediate vulnerabilities, and improve your security measures and risk posture.

The incident response should define both short-term and long-term response measures that can be used to stop and remediate the attack. The main goal of incident response is to immediately put an end to the ongoing threat and to protect the system from damage by a perceived attack. But it is also essential to collect information during this stage and to understand the root cause of the threat to improve security and prevent attacks of a similar nature in the future.

Finally, successful threat hunting forms the basis for informing and enriching automated analytics. The final component in the threat hunting practice is to utilize the knowledge generated during the threat hunting process to gather, validate, enrich, and improve endpoint and network detection systems. Through this process, the organization's risk posture and security are enhanced in large part due to the discoveries made during the investigation. As the program grows and advances in skill and use, advanced threat hunting techniques can be automated to perform as many tasks as possible. Automated tasks can monitor user behavior and compare that behavior against its own baseline to search for anomalies. While automating processes is effective in maturing threat hunting capabilities, the practice will still require both manual and automated techniques.

Success measurement

When implementing this guidance, you should see improvements in the following:

  • Time to detection. The amount of time it takes to detect a potential threat. A shorter time to detection indicates that the cyber threat hunting program is effective at identifying potential threats in a timely manner.
  • Number of threats detected. The number of potential threats that are identified and investigated. A higher number of threats detected indicates that the cyber threat hunting program is effective at proactively searching for potential threats.
  • False positive rate. The number of alerts that are generated by the cyber threat hunting program that turn out to be false alarms. A lower false positive rate indicates that the program is effectively filtering out noise and focusing on genuine threats.
  • Mitigation rate. The percentage of potential threats that are successfully mitigated. A higher mitigation rate indicates that the cyber threat hunting program is effective at responding to potential threats and minimizing their impact.
  • Overall impact on security posture. The overall impact that the cyber threat hunting program has on the organization's security posture. This can include factors such as reducing the number of successful attacks, minimizing the impact of breaches, and improving the organization's overall security awareness and readiness.