What is Cyber Threat Hunting?



Cyber threat hunting is a forward looking approach to internet security in which threat hunters proactively search for security risks concealed within an organization’s network. Unlike more passive cyber security hunting strategies like automated threat detection systems, cyber hunting actively seeks out previously undetected, unknown, or non-remediated threats that could have evaded your network’s automated defense systems.

Drive SOC efficiency with ArcSight SIEM as a Service by OpenText™

Watch this LIVE DEMO to learn how ArcSight SIEM as a Service can help you increase operational efficiency while reducing exposure time to threats by utilizing our intelligent threat hunting, log management, and compliance capabilities.

Cyber Threat Hunting

What is Hybrid IT?

Today’s cybercriminals are becoming more sophisticated than ever, which means cyber threat hunting is an essential component of robust network, endpoint, and dataset security strategies. If an advanced external attacker or insider threat can elude initial network defense systems, they could remain undetected for months. During this time, they could gather sensitive data, compromise confidential information, or secure login credentials that enable them to sneak laterally across your networking environment.

Security personnel can no longer afford to sit back and wait for automated cyber threat detection systems to notify them of an impending attack. To remain steadfast, cyber threat hunting enables your IT security teams to proactively identify potential vulnerabilities or threats before an attack can cause damage.

How Does Cyber Threat Hunting Work?

Cyber threat hunting works by combining the human element with a software solution’s big data processing power. Human threat hunters–whose purpose is to use solutions and intelligence/data to find adversaries who may evade typical defenses by using techniques such as living off the land–lean on data from complex security monitoring and analytics tools to help them proactively identify and neutralize threats.

Human intuition, strategic and ethical thinking, and creative problem solving play an integral role in the cyber hunting process. These human characteristics enable organizations to implement threat resolutions faster and more accurately than solely relying on automated threat detection tools.

What's Required to Start Threat Hunting?

For cyber threat hunting to work, threat hunters must first establish a baseline of anticipated or authorized events to better identify anomalies. Using this baseline and the latest threat intelligence, threat hunters can then comb through security data and information collected by threat detection technologies. These technologies can include security information and event management solutions (SIEM)managed detection and response (MDR), or other security analytics tools.

Once equipped with data from varied sources such as endpoint, network and cloud data, threat hunters can scour your systems for potential risks, suspicious activities, or triggers that deviate from the normal. If a threat is identified or known threat intelligence indicates new potential threats, threat hunters can develop hypotheses and in-depth network investigations. During these investigations, threat hunters attempt to discover whether a threat is malicious or benign, or whether the network is safeguarded adequately from new types of cyber threats.

Is Threat Hunting a Part of Threat Intelligence?

Cyber Threat Intelligence is a focus on the analysis, collection and prioritization of data to improve our understanding of threats facing a business.

Threat Hunting Investigation Types

There are three core threat hunting investigation types, including:

  • Unstructured: Based on a trigger or indicator of compromise (IoC), threat hunters use unstructured hunting to search for any noticeable patterns throughout the network both before and after a trigger or IoC was found.
  • Situational or Threat Intelligence Based: Hypotheses are derived from situational circumstances, such as vulnerabilities discovered during a network risk assessment. The latest threat intelligence can also lead to cyber threat hunting, as threat hunters can reference internal or crowdsourced data on cyberattack trends or TTPs of attackers when analyzing their network.

In all three of these investigation types, threat hunters search through events for anomalies, weaknesses, or suspicious activity outside of anticipated or authorized events. If any security gaps or unusual activity are found, hunters can then patch the network before a cyberattack occurs or reoccurs.

The 4 Steps of Cyber Threat Hunting


To effectively initiate a cyber threat hunting program, there are four steps your security personnel should follow:

  • Develop a hypothesis: Cyber security hunting begins with developing a threat hypothesis. This hypothesis could be based on risks or vulnerabilities that might exist within the organization’s infrastructure, current threat intelligence or attacker TTPs, or from suspicious activity or a trigger that deviates from standard baseline activity. A threat hunter can also use their knowledge, experience, and creative problem solving skills to establish a threat hypothesis and decide on a path forward to test it.
  • Begin the investigation: During an investigation, a threat hunter can lean on complex and historical datasets derived from threat hunting solutions such as SIEM, MDR and User Entity Behavior Analytics (UEBA). The investigation will push forward until the hypothesis is confirmed and anomalies are detected, or the hypothesis is found to be benign.
  • Discover New Patterns: Deploying a quick and efficient response is the next step when anomalies or malicious activity are found. This could include disabling users, blocking IP addresses, implementing security patches, altering network configurations, updating authorization privileges, or introducing new identification requirements. As your security teams work to resolve network threats proactively, they will inherently learn the tactics, techniques and procedures of threat actors and how they can mitigate against these threats in the future.
  • Respond, Enrich & Automate: The job of threat hunting is never ending, as cybercriminals are always advancing and creating new network threats. Cyber threat hunting should become an everyday practice within your organization, operating alongside automated threat detection technologies and your security team's current threat identification and remediation processes.

What Are the Top Challenges of Cyber Security Hunting?

Because cyber security hunting takes a proactive, hands-on approach to threat detection and remediation, some organizations face significant challenges when implementing this security practice. For a cyber hunting program to be successful, an organization must have three key components working in harmony:

  • Collecting comprehensive data: To properly seek out threats, hunters must have access to a wealth of data (both current and historical data) that provides visibility across an entire infrastructure. Without this aggregated data, threat hunters won’t be able to create informed threat hypotheses based on your endpoints, network or Cloud infrastructure.
  • Staying up-to-date with threat intelligence: Threat hunters must be equipped with the most up-to-date threat intelligence, enabling them to compare current cyberattack trends with internal data. Without knowing what new or trending threats exist, threat hunters won’t have the necessary information to analyze potential network threats correctly.

Deploying all three of these components and ensuring they seamlessly work together requires many organizational resources. Unfortunately, some security teams don’t have access to the right tools, personnel, or information to establish a full-scale cyber threat hunting program.

Discover Managed Cyber Threat Hunting with CyberRes by OpenText

Successfully protecting your organization’s infrastructure requires a proactive approach rather than a reactive one. Gone are the days in which automated threat detection technologies are enough on their own to safeguard confidential data or information. Instead, your security teams must implement an ongoing cyber threat hunting program that enables them to create informed hypotheses and pinpoint network anomalies, risks, or suspicious activity before an external attacker or insider threat can cause damage.

Searching for security operations software to help you get a cyber threat hunting program up and running with minimal resources? CyberRes provides a holistic platform that supports a hypothesis-driven threat hunting process such as: actionable threat intelligence, User Entity Behavior Analytics, ArcSight Security Orchestration Automation and Response (SOAR) by OpenText™, and a big data analytics-based forensic search and visualization solution. Using this managed threat hunting platform, you can proactively detect anomalies and remediate threats quickly and efficiently—all without expending significant organizational resources.



ArcSight by OpenText™ Threat Hunting
Video: Threat Hunting with ArcSight SaaS
ArcSight for Preemptive Threat Detection
Recent Advances with Arcsight
Intelligently adapt your SecOps resources for greater operational efficiency and a more resilient security organization
ArcSight for Exposure Time Reduction
Accelerating Trusted, Secure Electronic Healthcare
CyberRes Galaxy Threat Acceleration Program Plus
Layered Analytics for Faster Detection and Increased Productivity
ArcSight Intelligence Behavioral Analytics
Infographic: Inside Data Breaches - How Long Does It Take to Discover a Breach?
Infographic: The Insider Threat Report
Infographic: A Guide to Insider Threats
White Paper: Application Security Framework for Zero Trust
White Paper: Enhancing ArcSight with Threat Intelligence
White Paper: We Uncover the Threats that Matter
White Paper: A Business Case for ArcSight Security Orchestration, Automation and Response (SOAR) platform
White Paper: Security Orchestration, Automation and Response (SOAR) for SOC Analysts and Security Engineers
White Paper: Artificial Intelligence and Machine Learning for Cyber Security Threats101
Video: Using Threat Intelligence with ArcSight SOAR
Video: Machine Learning + ESM for Oil/Gas Pipeline Threat Detection
Video: The ArcSight End-to-End Secops Demo
Video: Threat Hunting with CIRCL MISP
Video: Preemptive Threat Detection w/ Ramsés Gallego
Video: Stopping Insider Threats w/ ArcSight Behavioral Analytics
Video: A Day in the Life of an Analyst using ArcSight Recon + Intelligence
What is an Insider Threat?
What is Behaviorial Analytics?
What is DevSecOps?
What is a Security Operations Center (SOC)?
What is Threat Intelligence?
Why threat hunting is key to cyber resilience—and how to get started
4 tips to get your game on with threat hunting
How a modern SOC can make your threat hunting smarter
5 ways to build in cyber resilience with intelligent threat operation
Relief is coming for your security team: 6 ways AI is a game-changer
How To: ArcSight Recon Threat Hunting Searches
How To: Threat Hunting APTs and Threat Groups with ArcSight Recon
Video: Fireside Chat: Threat Hunting – Stories from the Trenches
Video: Threat Hunting - Driven By Human and Machine Partnership
Blog: ArcSight SIEM as a Service, Log Management and Compliance
Empower your security operations with ArcSight SIEM as a Service
Learn more Proactive Threat Hunting from Our Experts
Insider Threat Prevention Hub

Related Products

Cyber Threat Hunting

Get started today.