Explore methodologies to help uncover stealthy attackers like advanced persistent threats (APTs) that bypass traditional security defenses and lurk undetected in even the most fortified networks.

Cyberattacks are evolving, and so are security solutions. In today's complex IT threat landscape, organizations install numerous security tools to protect their environments. Tools such as SIEM and SOAR aggregate information from security solutions such as IPS/IDS, EDR/XDR and firewalls, in addition to external threat intelligence sources, providing a unified view from which the SOC team can monitor digital interactions.

Despite all installed solutions, cyber attackers still find numerous methods to infiltrate even the most protected environments.

The growing prevalence of advanced persistent threats (APTs), attacks that are largely sponsored by nation-states, allows threat actors to remain hidden for months or even years in a target network, exfiltrating highly sensitive data or planting malware, such as ransomware, to cause the most severe damage to the impacted organization. APT attacks are the primary target of threat hunters, in addition to other emerging threats that traditional security solutions failed to stop at the gates.

Define threat hunting

Threat hunting (also known as cyberthreat hunting) is a proactive approach where threat hunters try to locate unknown attackers or reveal ongoing attacks in their computer networks. 

Threat hunting has become an integral component of any cybersecurity defense strategy, as it allows organizations to detect unknown threats and insider attacks, in addition to other types of cyberattacks that have gone unnoticed in the past.

While automated security solutions, such as SIEM and SOAR, together with a vigilant SOC team, can capture most cyberthreats, some attacks can bypass traditional security solutions and remain undetected for an extended period. According to the IBM "Cost of a Data Breach" report, it takes an average of 194 days to identify that a data breach has occurred. The longer the attacker remains undetected, the more damage they can cause to the organization's data and reputation.

Once an attacker has bypassed an organization's security solutions and established a foothold within the target IT environment, most organizations lack the capability to detect the threat actor and remove them from the network. This is what makes threat hunting so important for stopping ongoing advanced cyberattacks.

Finally, it is worth noting that threat hunting is not a replacement for automated detection solutions, but rather a complementary process that enhances organizations' detection capabilities.

Threat hunting methodologies

Threat hunting starts from the assumption that adversaries already exist in the IT environment. Based on this hypothesis, threat hunters can begin their investigations to find the threat actors:

Hypothesis-driven investigation

In hypothesis-driven investigations, threat hunters initiate their investigations based on newly identified threats that were found in crowdsourced attack data (such as threat intelligence feeds, industry reports, or malware analysis). Hunters then formulate hypotheses based on the attackers' tactics, techniques and procedures (also known as TTPs) and search for evidence within their systems.

The hypothesis-driven investigation is composed of the following steps:

  • Identify a new threat — Threat hunters analyze threat sources such as cyber threat intelligence (CTI) feeds, industry reports and malware analysis samples, to detect emerging attack patterns. For example, a new malware campaign uses LSASS memory dumping to steal credentials.
  • Formulate a hypothesis — Based on the identified threat, threat hunters formulate their hypothesis: “An adversary may be using LSASS dumping tools like Mimikatz in our network to steal users' account credentials.”
  • Investigate the environment — Hunters begin searching within their IT environment for relevant signs of the identified TTP in their logs, EDR or network traffic.
  • Validate or refute the hypothesis — If evidence is found, it confirms the existence of such malicious activity and the incident response (IR) process is triggered. If not, hunters may refine the hypothesis (e.g., pivot to related TTPs such as checking for lateral movement after credential theft) or move on to another threat.
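As an added example (not code from the article), here is how the LSASS-dumping hypothesis above could be tested against endpoint telemetry: the script walks constructed Sysmon Event ID 10 (ProcessAccess) records and reports any process outside an assumed allowlist that obtained read access to lsass.exe. The field names follow Sysmon's schema; the allowlist and the sample events are assumptions.

```python
import json

# Constructed Sysmon Event ID 10 (ProcessAccess) records for this example.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe",
                "GrantedAccess": "0x1000", "SourceUser": r"NT AUTHORITY\SYSTEM"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\m.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe",
                "GrantedAccess": "0x1010", "SourceUser": r"CORP\bob"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe",
                "GrantedAccess": "0x1410", "SourceUser": r"CORP\alice"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\WerFault.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe",
                "GrantedAccess": "0x1FFFFF", "SourceUser": r"NT AUTHORITY\SYSTEM"}),
]

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Assumption: processes that legitimately read lsass memory in this environment.
# This list is the main tuning point; every entry is a potential blind spot.
ALLOWLIST = {
    r"c:\windows\system32\taskmgr.exe",
    r"c:\windows\system32\werfault.exe",
}

def hunt_lsass_access(lines, allowlist=ALLOWLIST):
    """Return events where a non-allowlisted process obtained read access to lsass.exe."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 10:
            continue
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        granted = int(ev["GrantedAccess"], 16)
        if not granted & PROCESS_VM_READ:
            continue  # query-only handles cannot dump memory; skip to cut noise
        if ev["SourceImage"].lower() in allowlist:
            continue
        findings.append({"source": ev["SourceImage"], "user": ev.get("SourceUser"),
                         "access": hex(granted)})
    return findings

if __name__ == "__main__":
    for finding in hunt_lsass_access(SAMPLE_EVENTS):
        print(finding)
```

Re-running with an empty allowlist is a quick way to see what the exclusions are hiding before trusting them.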

Investigation based on known indicators of compromise or indicators of attack

This approach to threat hunting relies on tactical threat intelligence — such as malware hashes, malicious IPs, domains, or behavioral patterns — to detect ongoing or past attacks. Unlike hypothesis-driven hunting (which starts with a behavioral hypothesis), IOC/IOA-based hunting begins with concrete evidence of known malicious activity.

Indicators of compromise (IOCs)

These are digital artifacts that show a system has been compromised. They are static and help in detecting past intrusions.

Examples:

  • Malware file hashes (e.g., an MD5 or SHA-256 value such as f3f0c6e992b7562598d9865b6fe8b3a6)
  • Malicious IPs/Domains (e.g., 185.143.223.10, darknessgate[.]com)
  • Suspicious registry keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Malware)
  • Known malicious email attachments (invoice.PDF.exe)

Indicators of attack (IOAs)

Unlike IOCs, these are not static artifacts; they describe malicious behavior and help reveal ongoing attacks against the system.

Examples:

  • Process injection (explorer.exe spawning cmd.exe with suspicious command-line arguments, or winlogon.exe launching notepad.exe).
  • Lateral movement (SMB connections to multiple servers within a short timeframe or RDP connections from unusual internal hosts).
  • Data exfiltration (HTTPS uploads to cloud storage services during off-hours or large volumes of data sent to unknown external IPs).

How does IOC/IOA-based hunting work?

The process involves the following steps:

  1. Gather threat intelligence — Threat data can be gathered from different sources, such as OSINT, commercial threat feeds (e.g., VirusTotal, AlienVault OTX) and internal incident data (e.g., past breaches, malware samples).
  2. Extract IOCs/IOAs — Convert the threat data into a usable format (e.g., SIEM rules, YARA rules). For example, an IOC might be "C2 server IP: 213.192.105.77", and an IOA might be "suspicious PowerShell execution with Base64-encoded commands".
  3. Start hunting — Search for matches to the extracted IOCs and IOAs across the IT environment, for example in:
    1. Firewall/proxy logs, for connections to malicious IPs
    2. EDR/XDR telemetry, for unusual process executions
    3. Email gateways, for phishing emails with known malicious attachments
  4. Validate & escalate — If a match is found, determine whether it is a false positive or a true positive. For example, if a host is found to have connected to a malicious IP address known to be a ransomware C2 server, then:
    1. Isolate the host
    2. Check for additional malware
    3. Inspect the network for lateral movement
  5. Create automated rules — To stop future attacks automatically, turn the discovered IOCs and IOAs into SIEM alerts, EDR rules or firewall block lists.
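An added example (not the article's own code) of steps 2 and 3 of the IOC/IOA hunt: the indicator values are the ones quoted in this article, the proxy log lines and process command lines are constructed, and the PowerShell check decodes -EncodedCommand payloads so that a hit can be triaged rather than just counted.

```python
import base64

# Constructed tactical intelligence, using the indicator values quoted in the article.
IOC_IPS = {"213.192.105.77", "185.143.223.10"}
IOC_DOMAINS = {d.replace("[.]", ".") for d in ["darknessgate[.]com"]}  # re-fang feed values

# Constructed proxy log lines: timestamp, source host, destination IP, destination host, bytes.
PROXY_LOGS = """\
2024-05-01T09:12:03Z ws-017 142.250.74.46 www.google.com 1204
2024-05-01T09:12:40Z ws-017 213.192.105.77 - 48123
2024-05-01T09:13:02Z ws-042 104.16.3.10 darknessgate.com 812
2024-05-01T09:14:11Z srv-db1 10.0.0.5 - 300""".splitlines()

def match_iocs(lines, ips=IOC_IPS, domains=IOC_DOMAINS):
    """IOC hunt: return (source host, matched indicator) for every log line hitting the feed."""
    hits = []
    for line in lines:
        _ts, src, dst_ip, dst_host, _bytes = line.split()
        if dst_ip in ips:
            hits.append((src, dst_ip))
        elif dst_host.lower() in domains:
            hits.append((src, dst_host.lower()))
    return hits

# PowerShell accepts abbreviated spellings of -EncodedCommand; the value is base64 of UTF-16LE.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}

def decode_encoded_powershell(cmdline):
    """IOA hunt: return the decoded script when cmdline runs PowerShell with an encoded
    command, else None. Decoding lets the analyst triage instead of just alerting."""
    tokens = cmdline.split()
    if not tokens or "powershell" not in tokens[0].lower():
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable payload>"  # still a hit: malformed encodings deserve a look
    return None

# Constructed process command lines; the encoded one is built here so the sample is reproducible.
ENCODED = base64.b64encode("Get-ChildItem C:\\Users -Recurse".encode("utf-16-le")).decode()
PROCESS_CMDLINES = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    f"powershell.exe -NoProfile -enc {ENCODED}",
    "C:\\Windows\\System32\\cmd.exe /c whoami",
]
```

Calling `match_iocs(PROXY_LOGS)` and `decode_encoded_powershell` over `PROCESS_CMDLINES` yields the two feed hits and the decoded script; an unencoded PowerShell run returns None, as the page's IOA is the encoding, not PowerShell itself.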

Using advanced analytics and ML investigations

This approach uses big data analysis, statistical models and machine learning (ML) to spot stealthy threats that traditional tools, which rely on specific indicators or expected behaviors, might miss. Instead of only looking for known patterns, ML finds unusual activity that could be a sign of malicious activity, which analysts can then investigate.

How does ML-driven threat hunting work?

This approach involves the following steps:

  1. Data collection — Collect data from different sources, such as endpoint logs, network traffic and authentication logs (e.g., Okta, Active Directory).
  2. Preprocessing — In this step, we normalize the data (such as converting IP addresses to geolocations) and remove noise (e.g., filtering out known benign processes).
  3. Feature engineering — In this step, we extract meaningful attributes for the ML models. For example, for malware detection we extract API calls, file entropy and process tree relationships, and for network anomalies we extract packet size, protocol deviations and unusual ports.
  4. Model training & detection — In this step, we train the ML models on the extracted attack patterns, for example labeling “this log entry = malware”.
  5. Analyst investigation — ML models help the SOC team reduce millions of events to a small list of high-risk anomalies, which analysts then investigate.
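An added example (not from the article) of the feature-engineering and model steps, using a per-host statistical baseline rather than a trained ML model: constructed outbound flow records are aggregated per host and day, each hunt-day total is z-scored against that host's own history, and the off-hours share of bytes is kept as a triage feature for the analyst. Business hours and the sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound flow records: (ISO timestamp, host, bytes sent to external addresses).
BASELINE_DAYS = {"2024-05-01", "2024-05-02", "2024-05-03", "2024-05-06", "2024-05-07"}
FLOWS = []
for i, day in enumerate(sorted(BASELINE_DAYS)):
    FLOWS.append((f"{day}T10:00:00", "ws-017", 40_000_000 + i * 1_000_000))  # ~40-44 MB/day
    FLOWS.append((f"{day}T14:00:00", "ws-042", 5_000_000 + i * 500_000))     # ~5-7 MB/day
# Hunt day: ws-017 behaves normally; ws-042 pushes ~25x its baseline at 02:15.
FLOWS += [("2024-05-08T11:00:00", "ws-017", 43_000_000),
          ("2024-05-08T02:15:00", "ws-042", 150_000_000),
          ("2024-05-08T09:00:00", "ws-042", 6_000_000)]

def is_off_hours(ts):
    """Assumption: business hours are 08:00-18:00 on weekdays."""
    dt = datetime.fromisoformat(ts)
    return dt.weekday() >= 5 or not 8 <= dt.hour < 18

def build_features(flows):
    """Feature engineering: per (host, day) -> total bytes out and bytes sent off-hours."""
    feats = defaultdict(lambda: {"bytes": 0, "off_hours_bytes": 0})
    for ts, host, nbytes in flows:
        f = feats[(host, ts[:10])]
        f["bytes"] += nbytes
        if is_off_hours(ts):
            f["off_hours_bytes"] += nbytes
    return feats

def score_anomalies(feats, baseline_days=BASELINE_DAYS, z_threshold=3.0):
    """Statistical model: z-score each hunt-day total against the host's own baseline days,
    so a 150 MB upload is judged relative to that host, not to a global average."""
    history = defaultdict(list)
    for (host, day), f in feats.items():
        if day in baseline_days:
            history[host].append(f["bytes"])
    findings = []
    for (host, day), f in feats.items():
        if day in baseline_days or host not in history:
            continue  # no baseline: a new host needs a different check, not a z-score
        mu = mean(history[host])
        sigma = pstdev(history[host]) or 1.0  # flat baselines would otherwise divide by zero
        z = (f["bytes"] - mu) / sigma
        if z >= z_threshold:
            findings.append({"host": host, "day": day, "z": round(z, 1),
                             "off_hours_share": round(f["off_hours_bytes"] / f["bytes"], 2)})
    return sorted(findings, key=lambda r: -r["z"])
```

`score_anomalies(build_features(FLOWS))` returns only ws-042 on the hunt day; ws-017's 43 MB sits well inside its own spread, which is the point of per-host rather than fleet-wide thresholds.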

Effective threat hunting requires following a multi-layered approach that combines hypothesis-driven investigations, IOC/IOA-based searches, and advanced analytics. By implementing these methodologies, organizations can proactively identify hidden adversaries that bypass traditional security controls. The key to successful threat hunting lies in the continuous refinement of techniques, using quality threat intelligence, and integrating findings into automated detection systems to strengthen the overall cybersecurity posture of the organization.

Proactive protection with Silo

Threat hunting requires investigators to move fluidly through systems and stay undetected. Advanced cyberthreat hunters depend on Silo for airtight isolation, global masking, accelerated insights and easy-to-audit oversight. Learn more about how Silo can rapidly increase results of an investigation without tipping off the target.
