What does a Threat Hunter do?
A Threat Hunter ‘hunts’ for potential cybersecurity threats that have bypassed existing security controls and solutions within a security environment. The goal of threat hunting is to gather actionable intelligence to improve threat detection using tools and techniques for efficient and effective monitoring, analysis, and incident response. A Threat Hunter works under the assumption compromise has already occurred and threats are already inside the security environment. A properly conducted threat hunt will include a hypothesis and preliminary research to define the scope of the hunt and potential findings prior to the actual act of hunting.
After the research phase is conducted, the Threat Hunter will initiate the hunt, using data from the network security environment, including log sources, endpoint telemetry, ingested data from the SIEM, and their security experience. With research and a hypothesis, the threat hunt initiates, with the goal of proving or disproving the hypothesis at the conclusion of the threat hunt. At the end of the hunt, the Threat Hunter will follow a standard operating procedure to report findings and recommendations to improve alert fidelity, threat detection, response playbooks, automated response, vulnerability management, and programmatic security gaps.