Gartner describes Threat Hunting as follows:
“To hunt for security threats means to look for traces of attackers, past and present, in the IT environment. Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative [sic] and detective controls.”
According to the SANS 2019 Threat Hunting Survey, “Threat hunters leverage tools—and a whole lot of experience—to actively sift through network and endpoint data, always looking for suspicious outliers or traces of an ongoing attack.”
The challenges of effective threat hunting include the lack of well-established methodologies that would let a team ramp up quickly and gain confidence that they are doing it "right." There is also a general shortage of experienced security analysts with the skills to flush out attacks. These are real obstacles, but perhaps the hardest part is that many hunters rely on legacy tools and data sources such as log files, SIEM analytics, and intrusion detection and prevention systems (IDPS), which simply do not provide the data and insights needed to detect malicious activity in your network.