Overview
Direct Answer
Threat hunting is the proactive and iterative process of searching for adversaries and malicious activity that existing detection systems have failed to identify within an organisation's infrastructure. Unlike reactive incident response, it assumes breach and systematically investigates suspicious behaviour patterns using hypothesis-driven methodologies.
How It Works
Analysts develop threat hypotheses based on threat intelligence, attack frameworks, and known adversary tactics, then search through network logs, endpoint telemetry, and system artefacts to validate or refute those hypotheses. This cycle involves querying data sources, correlating events, and escalating findings to incident response teams. The process emphasises manual investigation combined with analytics tools to uncover subtle indicators of compromise.
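The hypothesis-driven cycle described above, as an added example that is not from the original page: a Python hunt that tests the hypothesis "one account opening successful remote logons to many distinct hosts within ten minutes suggests lateral movement" against constructed authentication telemetry, returning the accounts to escalate. The log format, field names and thresholds are assumptions for the illustration.

```python
"""Hypothesis-driven hunt over constructed authentication telemetry.
Hypothesis: an account with successful remote logons to many distinct hosts
in a short window is a lateral-movement candidate; each logon is valid on its
own, so signature-based alerting would not raise it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real environment).
# Fields: ISO timestamp, user, destination host, logon type, result
SAMPLE_LOGS = """\
2024-03-01T09:00:05 alice ws-101 remote success
2024-03-01T09:00:41 alice ws-102 remote success
2024-03-01T09:01:12 alice ws-103 remote success
2024-03-01T09:01:50 alice fs-01 remote success
2024-03-01T09:02:30 alice db-01 remote success
2024-03-01T09:15:00 bob ws-200 interactive success
2024-03-01T10:00:00 bob ws-200 interactive success
2024-03-01T10:05:00 carol ws-300 remote failure
2024-03-01T10:06:00 carol ws-301 remote failure
2024-03-01T10:07:00 carol ws-302 remote failure
"""

def parse(lines):
    """Turn raw log lines into (timestamp, user, host, logon_type, result)."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, host, logon_type, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, logon_type, result))
    return events

def hunt_lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {user: sorted hosts} for users whose successful remote logons
    reach min_hosts distinct destinations inside any window-long span.
    Failed logons (carol) belong to a different hypothesis and are ignored."""
    by_user = defaultdict(list)
    for ts, user, host, logon_type, result in events:
        if logon_type == "remote" and result == "success":
            by_user[user].append((ts, host))
    findings = {}
    for user, logons in by_user.items():
        logons.sort()  # sliding window needs time order
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)  # evidence to hand to IR
                break
    return findings
```

Refuting the hypothesis is as informative as confirming it: raising `min_hosts` or shrinking `window` until the result is empty tells the hunter where the normal baseline ends.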
Why It Matters
Organisations face a detection gap where sophisticated adversaries dwell undetected for extended periods; hunting closes this gap by reducing dwell time and minimising breach impact. Regulatory compliance frameworks increasingly expect active threat-seeking capabilities, and early detection significantly reduces remediation costs and data exposure risk.
Common Applications
Financial institutions hunt for unauthorised account access and lateral movement; healthcare organisations search for data exfiltration patterns; technology firms investigate supply chain infiltration. Threat hunting supports response to advanced persistent threats and zero-day exploitation where signature-based detection proves insufficient.
Key Considerations
Threat hunting demands significant skilled personnel and investment in data retention infrastructure, making it resource-intensive for smaller organisations. Success depends heavily on the quality of threat intelligence and hypotheses; poorly targeted searches yield false positives that erode team productivity.