4 tips for better threat hunting against cyber attacks


Threat hunting has gotten a lot of publicity lately, but even with all the coverage in the security trade press it’s still largely misunderstood. Threat hunting is not about identifying random zero-day attacks.

At its best, threat hunting uses software tools, network data, a solid methodology and automated metrics to ferret out information on targeted attacks by threat actors. These are attacks in which the threat actors plan to spend not days but months or years infiltrating your network, systems and databases.

When threat hunters do their job, the organization learns both the nature of the attack and the motivations of the threat actors.

Was it a nation-state operation? Was it part of a complex corporate espionage program? Or was the attack strictly cyber criminals seeking financial gain? If money was the primary motivator, how will the threat actor monetize the information they are stealing?

Many organizations are challenged with building an effective threat hunting presence on staff. Here are four building blocks for developing an effective threat hunting program:

  1. Find, retain and train talent. Effective threat hunting requires skilled people. Start by hiring at least two experienced threat hunters to supplement existing incident response capabilities. Then, to build out the team, look for people with experience in digital forensics and incident response, as well as people who understand how intrusions occur and the kinds of artifacts that are left behind as subtle traces of an intrusion. You need people who understand how threat actors quietly move laterally through an organization and what mechanisms they use to mask their activities.
  2. Provide access to quality data. The data may start with threat intelligence, but threat hunters will need data from a broad cross-section of sources: endpoint logs and volatile network data, firewalls, NetFlow and DNS information, as well as the data sources being aggregated into a SIEM. With this data the threat hunters have visibility across the enterprise, so they can quantify what is going on and develop appropriate tactical and strategic plans to counter the actions of the threat actor.
  3. Deploy a consistent methodology. Threat hunters must all work in concert with one another; it doesn’t work if they are each working off a different script. There are four aspects to the methodology: consistency of purpose; detailed documentation; standard methods of communication for sharing information (for example, daily scrum calls to review what was learned in the last day); and relevancy, making sure the information being pursued relates back to the incident under review.
  4. Deliver high-value metrics. Organizations need to achieve ROI from their threat hunting activities. The most valuable metrics include whether the dwell time of threat actors inside the network has been reduced, and whether the organization has reduced the time it takes to remediate and repair a breach.

Through our Managed Endpoint Threat Detection and Response services, DXC has extensive experience managing threat hunting programs for a wide range of organizations. Our seasoned threat hunters apply tools and practices they’ve adopted from solving real-world breaches around the world. To succeed in this dynamic threat environment, it takes skill and commitment to build and maintain an effective program.

Kevin Whartenby is the Security Advisory Services Manager for Intelligent Security Operations for DXC Technology within the Americas Region. In his current role, Kevin drives an organization that’s responsible for the delivery of Digital Forensic Investigations, SIEM Advisory, Security Operations Advisory Services, e-Discovery and a variety of consultative information security services for trade clients. Kevin has been with DXC Technology for more than twenty years and has held a variety of technical, consulting and managerial positions in United States Public Sector, US Solution Centers and Global Information Security.
