How to Start Threat Hunting

Nate Johnson
Jun 20, 2023

This article is for you if you are a cybersecurity professional looking to get started in threat hunting at your organization: your business, your school, your nonprofit, wherever. There are lots of articles, classes, books, and free resources available on the Internet to help get you trained up and hunting, and you should certainly read and study them. But you can start here, and return here if you want. I’m going to break it down to the essentials and explain it in a way that should be easy to understand and easy to put into practice.

What is Threat Hunting?

Threat hunting, in this context, is a practice that uses every available tool to detect cyber threats, and it is meant to be done by people, not by automated software. While threat hunting, you proactively search your IT enterprise for advanced threats that have evaded your existing security controls.

What this means is that you will be using your creativity and resourcefulness to go beyond what your existing suite of security tools can do. We want to find the super smart hackers that have figured out how to hide in our environments.

Hopefully you already have good tools and workflows in place to provide security coverage and monitoring for your endpoints, networks, SaaS tools, cloud resources and everything else. Threat hunting shouldn’t be the first program you build out at your org. You should already be continuously monitoring for vulnerabilities, threats and exposures before you move on to more advanced activities like threat hunting and offensive security.

But what happens when attackers get around all of that? Then what? That’s why we adopt an “assume breach” mindset and take nothing for granted. Our working assumption is that attackers have already breached our defenses and that there is malware that has gone undetected. The goal of threat hunting is to find them.

Program Development

For a threat hunting program to be provided as a service to the org for years, it needs to be sustainable. That doesn’t happen by accident. The way you get there is by building it intentionally. Here are three goals to get you onto that path.

  • Strong Theoretical Foundation — Build a framework for threat hunting based on industry best practices that is practicable, effective, and sustainable.
  • Applied Maturity Model — Continually assess your program against the Sqrrl Threat Hunting Maturity Model (explained below). This will inform the directions you take in growing your capabilities.
  • Praxis — Commit to conducting 1–2 threat hunts per month for one quarter. Try to involve as many cybersecurity team members as possible. Reassess after the first quarter and renew your commitment for the next quarter if the hunting has been valuable or at least promising.

Hypothesis-driven Threat Hunting

To get a threat hunt started, it’s good to first develop a hypothesis to guide and focus your efforts. Then you can go about testing it. There is no one right way to do this, but I like constructing them in the form of if-then statements.

If <supposition>, then <proposition>.

So for example, “If an attacker has been able to compromise the identity of one of our users, then we should be able to detect the compromise by analyzing our identity provider’s (IdP) logs, searching for that user’s identity and looking for anomalies (sign-ins from locations that user has never used, successes without MFA, or a burst of failures followed by a success).”

With a hypothesis formed, you’ll probably already have some ideas of how you’ll test it. It’s always going to involve gathering and analyzing data. How you do that is different every time, and completely depends on what you’re looking for. Here are some common data sources relevant to threat hunting:

  • System and application logs, like syslog or Windows event logs.
  • Cloud logs in GCP Logs Explorer or Amazon CloudWatch.
  • Security alerts triggered by Amazon GuardDuty, GCP Security Command Center, antivirus/EDR, Shodan.io, vulnerability management findings, container scanning findings, and Cloud Security Posture Management (CSPM) findings.
  • Malware reverse-engineering analyses, like those published by Patrick Wardle at https://objective-see.org/
  • Google Workspace logs.
  • Network traffic logs, like NetFlow, VPN logs, DHCP logs, DNS query logging, or Wi-Fi logs.

And this is where we come to the difficult part. It takes everything we know and more to comb through mountains of data in search of the “needle in a haystack”. Sometimes we use advanced features in spreadsheets. Sometimes we write compound queries in search languages. Sometimes we have to write custom tools in Python or bash/zsh. Whatever tools we use for analytics, it always takes us outside our comfort zone. That’s kind of the point.
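To make the identity hypothesis above concrete, here is an added example (an illustration for this article, not code from the article itself) that tests it against a constructed sign-in log of the kind you would pull from an IdP. It assumes a generic one-JSON-object-per-line export with ts, user, result, country, ip and mfa fields; real IdP exports (Okta, Entra ID, Google Workspace) name these differently, so map them first. It builds each user’s baseline from their older successful sign-ins and then flags the signals a compromised identity tends to leave: a success from a country never seen for that user, a success without MFA where MFA was the norm, a burst of failures ending in a success, and two successes from different countries too close together to be travel. The thresholds are assumptions to tune for your environment.

```python
"""Test of the hypothesis "if an identity is compromised, the IdP sign-in log
for that user will show anomalies against the user's own baseline".

Added example, not the article's code. The log format is a constructed,
generic one-JSON-object-per-line export; map real IdP field names onto it.
"""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events. Not real data.
SAMPLE_LOG = """\
{"ts": "2023-06-01T09:02:11Z", "user": "alice", "result": "success", "country": "US", "ip": "203.0.113.10", "mfa": true}
{"ts": "2023-06-02T09:05:40Z", "user": "alice", "result": "success", "country": "US", "ip": "203.0.113.10", "mfa": true}
{"ts": "2023-06-03T08:58:03Z", "user": "alice", "result": "success", "country": "US", "ip": "203.0.113.11", "mfa": true}
{"ts": "2023-06-10T02:14:20Z", "user": "alice", "result": "failure", "country": "RO", "ip": "198.51.100.7", "mfa": false}
{"ts": "2023-06-10T02:14:35Z", "user": "alice", "result": "failure", "country": "RO", "ip": "198.51.100.7", "mfa": false}
{"ts": "2023-06-10T02:14:50Z", "user": "alice", "result": "failure", "country": "RO", "ip": "198.51.100.7", "mfa": false}
{"ts": "2023-06-10T02:15:04Z", "user": "alice", "result": "failure", "country": "RO", "ip": "198.51.100.7", "mfa": false}
{"ts": "2023-06-10T02:15:21Z", "user": "alice", "result": "failure", "country": "RO", "ip": "198.51.100.7", "mfa": false}
{"ts": "2023-06-10T02:15:40Z", "user": "alice", "result": "success", "country": "RO", "ip": "198.51.100.7", "mfa": false}
{"ts": "2023-06-10T03:01:00Z", "user": "alice", "result": "success", "country": "US", "ip": "203.0.113.10", "mfa": true}
{"ts": "2023-06-01T10:00:00Z", "user": "bob", "result": "success", "country": "DE", "ip": "192.0.2.20", "mfa": true}
{"ts": "2023-06-09T10:00:00Z", "user": "bob", "result": "success", "country": "DE", "ip": "192.0.2.21", "mfa": true}
"""

BASELINE_DAYS = 7                    # events older than this form the user's "normal"
FAILURE_BURST = 5                    # this many failures within BURST_WINDOW, then a success
BURST_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=2)   # two countries within this window is not travel


def parse_events(text):
    """Parse the JSON-lines export into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def hunt_identity_anomalies(events):
    """Return (user, finding) tuples; each is one way the hypothesis is confirmed."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        # Baseline = older successful sign-ins; recent = the window we hunt in.
        cutoff = evs[-1]["ts"] - timedelta(days=BASELINE_DAYS)
        baseline = [e for e in evs if e["ts"] < cutoff and e["result"] == "success"]
        recent = [e for e in evs if e["ts"] >= cutoff]
        known_countries = {e["country"] for e in baseline}
        mfa_is_norm = bool(baseline) and all(e["mfa"] for e in baseline)

        failures = []          # timestamps of failures since the last success
        last_success = None
        for e in recent:
            if e["result"] != "success":
                failures.append(e["ts"])
                continue
            when = f"{e['ts']:%Y-%m-%d %H:%M}"
            if known_countries and e["country"] not in known_countries:
                findings.append((user, f"success from new country {e['country']} at {when}"))
            if mfa_is_norm and not e["mfa"]:
                findings.append((user, f"success without MFA at {when}"))
            burst = [t for t in failures if e["ts"] - t <= BURST_WINDOW]
            if len(burst) >= FAILURE_BURST:
                findings.append((user, f"{len(burst)} failures then success at {when}"))
            if (last_success is not None
                    and last_success["country"] != e["country"]
                    and e["ts"] - last_success["ts"] <= TRAVEL_WINDOW):
                findings.append((user, f"{last_success['country']} -> {e['country']} "
                                       f"within {TRAVEL_WINDOW}"))
            failures = []
            last_success = e
    return findings


if __name__ == "__main__":
    for user, finding in hunt_identity_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{user}: {finding}")
```

Run as-is it reports four findings, all for alice: the new country, the MFA-less success, the five failures before it, and the Romania-to-US change 45 minutes later; bob, whose recent sign-ins match his baseline, produces nothing. Each finding is a lead to pull on in the rest of the user’s activity, not a verdict; the point of writing the check yourself is that the baseline and thresholds are ones you chose for your own users, which is exactly what a generic alert rule cannot do.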

Types of Threat Hunts

There are five categories of threat hunts.

  • Data-driven — Based on automated alerts that have been triggered, typically showing Indicators of Compromise (IOCs).
  • Intel-driven — Informed by threat intel, often containing Indicators of Attack (IOAs).
  • TTP-driven — Focuses on an adversary’s Tactics, Techniques and Procedures (TTPs).
  • Entity-driven — Focuses on high-value targets, like critical intellectual property or specific IT assets. Sometimes referred to as “Crown Jewels Analysis”.
  • Hybrid — Combines some or all of the above; usually the most effective.
Venn diagram of the five types of threat hunts.
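The difference between the intel-driven and TTP-driven categories is easiest to see when both run over the same data. What follows is an added example, not code from the article, using a constructed DNS query log and a constructed IOC list: the intel-driven hunt can only find names that are already on the list, while the TTP-driven hunt looks for the behaviour itself, one client resolving one name at regular intervals (command-and-control beaconing), and catches a name that appears on no list. The log format, the domain names and the thresholds MIN_QUERIES and MAX_JITTER are assumptions.

```python
"""Two hunts over one DNS query log: intel-driven (IOC match) and TTP-driven
(beaconing behaviour). Added example, not the article's code. The log format,
domain names, IOC list and thresholds are all constructed for illustration."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one query per line: "timestamp client qname".
SAMPLE_DNS_LOG = """\
2023-06-10T10:00:00Z 10.0.0.5 www.example.com
2023-06-10T10:00:00Z 10.0.0.7 q7x2k9zf4ma8p3.update-svc.example.net
2023-06-10T10:05:02Z 10.0.0.7 q7x2k9zf4ma8p3.update-svc.example.net
2023-06-10T10:09:58Z 10.0.0.7 q7x2k9zf4ma8p3.update-svc.example.net
2023-06-10T10:15:01Z 10.0.0.7 q7x2k9zf4ma8p3.update-svc.example.net
2023-06-10T10:20:00Z 10.0.0.7 q7x2k9zf4ma8p3.update-svc.example.net
2023-06-10T10:20:00Z 10.0.0.7 bad-domain.example.org
2023-06-10T10:03:12Z 10.0.0.5 mail.example.com
2023-06-10T10:27:45Z 10.0.0.5 www.example.com
2023-06-10T11:02:09Z 10.0.0.5 cdn.example.com
"""

# Constructed IOC list: the intel-driven hunt's only input besides the log.
IOC_DOMAINS = {"bad-domain.example.org"}

MIN_QUERIES = 4    # fewer than this and regularity cannot be judged (assumption)
MAX_JITTER = 0.2   # max coefficient of variation of the gaps to call it periodic
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Return (timestamp, client, qname) tuples; qname lower-cased, no trailing dot."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     client, qname.lower().rstrip(".")))
    return rows


def intel_driven_hunt(rows, iocs):
    """Intel-driven: the queried name, or any parent domain of it, is on the IOC list."""
    hits = set()
    for _, client, qname in rows:
        labels = qname.split(".")
        parents = {".".join(labels[i:]) for i in range(len(labels) - 1)}
        if parents & iocs:
            hits.add((client, qname))
    return sorted(hits)


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; high values
    suggest generated names, reported as supporting context only."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def ttp_driven_hunt(rows):
    """TTP-driven: one client resolving one name at near-constant intervals."""
    series = defaultdict(list)
    for ts, client, qname in rows:
        series[(client, qname)].append(ts)

    findings = []
    for (client, qname), stamps in series.items():
        if len(stamps) < MIN_QUERIES:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean == 0:
            continue
        stdev = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
        jitter = stdev / mean          # coefficient of variation of the gaps
        if jitter <= MAX_JITTER:
            findings.append({"client": client, "qname": qname, "queries": len(stamps),
                             "period_s": round(mean), "jitter": round(jitter, 3),
                             "first_label_entropy": round(label_entropy(qname.split(".")[0]), 2)})
    return findings


if __name__ == "__main__":
    rows = parse_dns_log(SAMPLE_DNS_LOG)
    print("intel-driven hits:", intel_driven_hunt(rows, IOC_DOMAINS))
    for beacon in ttp_driven_hunt(rows):
        print("ttp-driven beacon:", beacon)
```

On the sample, the intel-driven hunt returns the one client that resolved bad-domain.example.org and nothing else, while the TTP-driven hunt flags 10.0.0.7 resolving the update-svc name every 300 seconds with almost no jitter, a name the IOC list never mentions. A hybrid hunt would run both and then pivot: take the beaconing client from the TTP hunt and check its other activity against every IOC you have.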

Templatize for Consistency

Diving into a threat hunt, things can get confusing and chaotic pretty quickly. Each turn down a rabbit hole risks losing sight of the goal if you don’t structure the hunt and record your findings. I suggest using a report template to make sure you don’t miss anything important. As you proceed and get more hunts under your belt, you’ll be building up a corpus of work that can be presented in a consistent format. You should of course create your own template that reflects what is most valuable to you, but here’s something to get you started — Threat Hunt Report Template. Feel free to make a copy of it.

The Sqrrl Threat Hunting Maturity Model

The Sqrrl Threat Hunting Maturity Model (HMM) is a benchmark used to score the maturity of an organization’s threat hunting capabilities. It defines five levels, HMM0 (Initial) through HMM4 (Leading), graded on how much data you routinely collect, how far your hunts follow documented procedures, and how much of the analysis you have automated. It’s great for reporting your progress to your leadership team or governance group, and it’s also great for identifying gaps. Using it this way will help focus your training and program development efforts and make sure you are moving in the right direction. However, most businesses of any size these days no longer have a simple architecture or a single data flow diagram. They are often very decentralized, with mobile workforces and with some IT resources in cloud environments and some on-prem. And there are probably going to be different levels of maturity in different sectors of your tech estate. So it might be more helpful to evaluate yourself differently in different areas, rather than just estimating your overall maturity score. For example, you might be capable of much more when it comes to threat hunting in your cloud environment than you are in your productivity suite (Google Workspace, Trello, Mural, Slack, Microsoft Teams, etc.).

The Sqrrl Threat Hunting Maturity Model (HMM)

Go Slow and Steady

Each threat hunt should be a learning experience. Keep track of your findings and lessons learned so that each hunt builds on previous ones. When you conclude a threat hunt, showcase the results to the rest of your team so you upskill as a group.

Threat hunting as a function of any cybersecurity program is a sign of maturity. Whether you are just starting out, or you’re trying to figure out how to get started, you’ll be setting yourself up for success by creating some good structure around it.

Threat hunting doesn’t necessarily require any expensive software licenses, or any new resources that you don’t already have. It is an excellent initiative to invest in during lean times, in terms of both people and work cycles. And if you design your threat hunting program on a model of continuous improvement, you’ll be enriching yourself as a professional at the same time as you grow the capabilities of your cybersecurity team.


Nate Johnson

Information security analyst and consultant. Incident response specialist. Jazz musician. Fly angler. Dad. All around decent fellow.