
What is cyber threat hunting?

Cyber threat hunting is a proactive approach to identifying and mitigating cyber threats lurking undetected in an organization's IT environment. As a complement to threat monitoring that alerts security and operations teams to a known attack or incident, threat hunters actively seek and root out dangers such as malicious actors and ransomware code that successfully evade traditional security tools to infiltrate an organization’s digital business. In the process, these threat-hunting cybersecurity experts—who often work in a security operations center (SOC)—take measures to shore up their organizations' cyber resilience by preventing bad actors from compromising networks, systems, devices, and data while identifying new potential threats and vulnerabilities.

Why is threat hunting important?

Because many sophisticated cyber threats and attacks can effectively evade common security tools, threat hunting is necessary to ensure an organization's cyber resilience and ransomware readiness. Skilled cybercriminals are continuously looking for weaknesses to exploit so they can penetrate an organization. Once successful, they can access data and login credentials to move laterally—and covertly—across an organization’s IT operating environment. To protect against worst-case scenarios, threat hunting practices unearth and mitigate cyber threats and bad actors that can effectively evade products such as firewalls and antivirus software. 

In addition to proactively reducing the likelihood of a successful attack and associated damages including financial, productivity and brand reputation losses, threat hunting helps organizations: 

  • Validate the effectiveness of their security controls. 
  • Identify security gaps.
  • Determine ways to bolster their security postures, including data security posture management (DSPM).
  • Prioritize security investments and resource allocations.

What are the goals of cyber threat hunting?

Cyber threat hunting has two primary goals: to proactively identify hidden threats and attacks, and to stop them before they cause downtime that hurts revenue, employee productivity, and customer satisfaction. According to the SANS™ Institute, “threat hunting is predominantly a human-based activity in looking for incidents that our automated tools have not yet found or cannot yet detect.” The most successful threat hunters search for indicators of compromise (IoCs), which can include irregular network traffic, abnormal user or application behaviors, and malware-specific actions.

What are the types of threat hunting?

Threat hunting is typically characterized in the following ways:

  • Structured threat hunting – This threat-hunting type focuses on indicators of attack (IoAs) along with the attacker’s tactics, techniques, and procedures (TTPs) as supplied by threat intelligence sources. By discovering a TTP and launching a search for it, threat hunters can identify and stop cybercriminals early, before they cause damage.
  • Unstructured threat hunting – This type is designed to uncover unknown and dormant threats that have infiltrated an IT environment. Once alerted about an IoC or other security event, a threat hunter may manually or automatically, using artificial intelligence/machine learning (AI/ML) techniques, search the organization’s network—and historical data—for any malicious patterns or anomalous behavior that occurred before and after the IoC or trigger.
  • Situational threat hunting – This threat-hunting type involves a threat hunter applying insights about the latest attack TTPs and testing hypotheses about how those TTPs might be used to successfully attack the organization. Should a hunter find evidence of the threat on the organization’s network, it can be quickly addressed.

How do you perform threat hunting?

The most effective cyber threat-hunting practices include the following core steps:

  • Get relevant teams on the same page – Since threat hunting is powered by human activities, it’s key that those responsible for the organization’s IT, security, and network operations (i.e., ITOps, SecOps, NetOps) communicate and collaborate around threat-hunting strategies and actions.
  • Establish processes – Human threat hunters meticulously and exhaustively search for undetected threats, guided by threat intelligence sources and the alerts delivered by traditional security tools. Because that work is labor-intensive, organizations must set ground rules for it and consider automation to streamline the repetitive parts of the process.
  • Deploy advanced technical solutions – Organizations should be looking to replace traditional systems and manual tasks with modern solutions including backup and recovery that include unified security. A single platform can automatically deliver critical security information about ransomware threats and also empower all teams to collaborate around stronger enterprise data security as they more rapidly discover, investigate, and remediate cyber threats.
  • Remain agile – Recognizing that cybercriminals evolve their approaches and behaviors in line with new vulnerabilities, technologies, and approaches, organizations must continually evolve their cybersecurity strategies and regularly update threat-hunting practices to keep pace with evolving threats and tactics.

What are some threat hunting techniques and steps?

Considering that security teams see hundreds—even thousands—of alerts every day, they are stretched thin when it comes to investigating and mitigating cyber threats. Those time constraints are compounded by the manual work of hunting for and validating threats and attacks while pulling data from multiple tools. Integrated IT operations and security tools can reduce manual effort while providing greater visibility into the organization’s cybersecurity stance.

For example, a modern backup and recovery platform can work seamlessly with security solutions ranging from security orchestration, automation, and response (SOAR) to security information and event management (SIEM) systems to automate threat hunting. Tighter integration makes it possible for teams to:

  • Continuously monitor for anomalies in data, based on AI-powered insights.
  • Gain unified visibility into ransomware vulnerabilities.
  • Streamline collaboration in response to data compromises.
  • Easily initiate a workflow to restore compromised data or workloads to the last clean snapshot.

The right technology solutions will also enhance typical cyber threat hunting techniques and steps which include:

  • Reviewing threat intelligence – Each day, threat hunters review network activity, security alerts, and internal and third-party threat feeds to identify patterns and anomalies that may indicate hidden threats.
  • Analyzing threats and hunting for evidence – Threat hunters assess the scope and potential impact of a threat by correlating threat information with the organization’s risk profile. For example, they might compare log details and alerts from a SIEM system against potential network and system vulnerabilities revealed by vulnerability scanning.
  • Conducting a thorough investigation – When threat hunters unearth evidence of a threat or artifacts from an attack, they need the best tech tools to help determine whether the threat is benign or malicious.
  • Mitigating threats and stopping attacks – Once a threat or attack is confirmed, ITOps, SecOps, and NetOps personnel need processes and modern technology solutions that let them respond and remediate collaboratively and proactively, based on the information the threat-hunting experts provide. They also need a platform that stores the investigation and mitigation data so it can support future investigations.
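The hunting steps above, and the structured (IoC-driven) and hypothesis-driven hunts described under the types of threat hunting, can be reduced to a small worked example. The following script is an added illustration, not Cohesity's code and not part of the original page: it parses constructed JSON log events of the kind a SIEM would forward, runs a structured hunt that matches them against a constructed threat-intel feed, and runs a hypothesis-driven hunt for one account fanning out to an unusual number of hosts in a short window. The IoC values (the hash is simply SHA-256 of the empty string, used as a stand-in), log lines, field names, and the fan-out thresholds are all assumptions made up for the example.

```python
"""Added example: a minimal IoC-driven and hypothesis-driven hunt over constructed
log events. Everything here (feed, logs, thresholds, field names) is made up."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed threat-intel feed: the indicators a hunter pulls from internal or
# third-party sources. The IP is a documentation range; the hash is SHA-256("").
IOC_FEED = {
    "ip": {"198.51.100.23"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed JSON log lines (auth, network and process events, UTC timestamps).
# The last line is deliberately malformed to show that parsing must be tolerant.
SAMPLE_LOGS = [
    '{"ts":"2024-05-01T09:02:11","type":"auth","user":"alice","host":"ws-01","src":"10.0.1.5","result":"success"}',
    '{"ts":"2024-05-01T09:15:40","type":"net","user":"alice","host":"ws-01","dst":"198.51.100.23","port":443}',
    '{"ts":"2024-05-01T23:41:02","type":"auth","user":"svc-backup","host":"srv-01","src":"10.0.9.77","result":"success"}',
    '{"ts":"2024-05-01T23:42:15","type":"auth","user":"svc-backup","host":"srv-02","src":"10.0.9.77","result":"success"}',
    '{"ts":"2024-05-01T23:43:30","type":"auth","user":"svc-backup","host":"srv-03","src":"10.0.9.77","result":"success"}',
    '{"ts":"2024-05-01T23:44:01","type":"auth","user":"svc-backup","host":"srv-04","src":"10.0.9.77","result":"success"}',
    '{"ts":"2024-05-01T23:45:12","type":"proc","user":"svc-backup","host":"srv-04","image":"up.exe",'
    '"sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}',
    "this line is not json and is skipped rather than aborting the hunt",
]


def parse_events(lines):
    """Parse JSON log lines into dicts with a datetime 'ts'; bad lines are skipped."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):  # JSONDecodeError is a ValueError
            continue
        events.append(ev)
    return events


def hunt_iocs(events, feed):
    """Structured hunt: flag any event whose source/destination IP or file hash
    appears in the threat-intel feed."""
    hits = []
    for ev in events:
        for field, kind in (("src", "ip"), ("dst", "ip"), ("sha256", "sha256")):
            value = ev.get(field)
            if value in feed[kind]:
                hits.append({"hunt": "ioc", "indicator": value, "user": ev.get("user"),
                             "host": ev.get("host"), "ts": ev["ts"].isoformat()})
    return hits


def hunt_fan_out(events, max_hosts=3, window_minutes=10):
    """Hypothesis-driven hunt: an account that authenticates successfully to more
    than max_hosts distinct hosts within window_minutes is a lateral-movement
    candidate worth investigating (thresholds are assumptions for this example)."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("type") == "auth" and ev.get("result") == "success":
            by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = set()
            for ev in evs[i:]:
                if (ev["ts"] - start["ts"]).total_seconds() > window_minutes * 60:
                    break
                hosts.add(ev["host"])
            if len(hosts) > max_hosts:
                findings.append({"hunt": "fan_out", "user": user,
                                 "hosts": sorted(hosts), "start": start["ts"].isoformat()})
                break  # one finding per account is enough to open an investigation
    return findings


def run_hunt(lines=SAMPLE_LOGS, feed=IOC_FEED):
    """Run both hunts and return the combined findings for triage."""
    events = parse_events(lines)
    return hunt_iocs(events, feed) + hunt_fan_out(events)


if __name__ == "__main__":
    for finding in run_hunt():
        print(json.dumps(finding))
```

On the constructed input this yields three findings: a workstation contacting a listed IP, a process whose hash is on the feed, and the backup service account reaching four servers in under four minutes. The hash and IP matches are the structured hunt; the fan-out rule is the kind of hypothesis a situational hunt tests, and its thresholds would normally be tuned against the organization's own baseline so that legitimate automation accounts do not trip it.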

What is the difference between threat hunting and threat intelligence?

While threat hunters follow a prescribed method to surface, investigate, and mitigate threats, threat intelligence provides insight into threat trends and threat actors’ behaviors, techniques, motives, and capabilities. Simply put, threat intelligence empowers security teams—including threat hunters—to prepare for, respond to, and even prevent attacks.

Since cyber threat hunting is focused on analyzing all available data to spot vulnerabilities and correlations, threat intelligence is an invaluable resource. With it, threat hunters can gain insights about potential and current cyber threats that make it possible to stop cybercriminals before they successfully compromise systems or data.

Both threat hunting and threat intelligence can help organizations improve their cyber resilience. 

What is the difference between threat hunting and threat monitoring?

Threat monitoring relies on standard security tools to discover and alert on potential threats, while threat hunting relies on human experts to discover and mitigate them before they cause damage. Threat hunters search for threat and attack patterns that often elude traditional security tools. Both threat hunting and threat monitoring help organizations boost their cyber resilience.

Cohesity and threat hunting

To combat the growing sophistication and determination of today’s cybercriminals, organizations need to take every measure to keep their sensitive data secure. To that end, a proactive threat hunting approach supported by modern digital technology is a core component of a cyber resilience strategy. Organizations using our platform, Cohesity Data Cloud, together with Cohesity DataHawk and Cohesity Security Advisor, can empower their ITOps, SecOps, and NetOps teams with a range of capabilities including immutable snapshots, AI-driven data insights, data classification, and more, to support threat hunters in their missions to identify and thwart data-centric threats. 

With Cohesity solutions, cyber threat hunters have the tools they need to:

  • Find elusive threats using AI/ML-driven threat detection that identifies the latest variants of ransomware.
  • Detect malicious activity early in the attack sequence to accelerate the threat-hunting process.
  • Easily rank threats in the IT environment and understand how the organization is performing against best practices.
  • Determine the exposure of sensitive information in the event of an attack. 
  • Identify threats in backup snapshots that could thwart attack recovery.
  • Harness recommendations on how to limit their exposure to cyber extortion by addressing potential risks from internal and external bad actors. 
  • Prevent their data from being corrupted, deleted, or stolen.

The Cohesity platform also supports seamless integrations with Data Security Alliance partners and leading security vendor applications. Working in concert, these capabilities and integrations enable threat hunters to better protect their organizations’ data from theft and ransomware by detecting attacks in progress and preventing attacks from tampering with or destroying data. 
