Threat Hunting is the proactive search for cyber threats that are lurking undetected in a network. Unlike Incident Response, which reacts to an alert, hunting starts with an assumption: "The network is already compromised."
To avoid aimlessly looking through logs, professional hunters use the Hypothesis-Driven approach.
The Hunting Loop
1. Hypothesis Generation
Create a statement about a specific threat based on Strategic Intelligence.
- Bad Hypothesis: "Let's look for anomalies." (Too vague).
- Good Hypothesis: "If APT29 is in our network, they might be using 'Pass-the-Hash' techniques for lateral movement."
2. Data Collection
Identify which logs are needed to prove or disprove the hypothesis.
- For 'Pass-the-Hash', you need the Windows Security Event Log (Event IDs 4624 and 4625, successful and failed logons).
3. Investigation & Analysis
Query the SIEM or EDR using the specific criteria.
- Look for Logon Type 3 (Network Logon) with NTLM authentication from non-standard workstations.
4. Resolution
- If a threat is found: Trigger the Incident Response plan.
- If no threat is found: The hunt is successful because it proved the network is clean of that specific technique.
5. Operationalization
This is the most important step. If the hunt revealed a gap in detection, create a new automated alert so you never have to hunt for this manually again.
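Steps 2 and 3 of the loop, worked through as an added example (not part of the original article): a few constructed Event ID 4624 records are filtered for Logon Type 3 with NTLM authentication from hosts outside a hypothetical allowlist of machines that are expected to make such logons. The host names, accounts and addresses are made up, and the allowlist is an assumption an analyst would replace with their own environment's data; the same function is what step 5 would turn into a scheduled alert.

```python
"""Hypothesis check: NTLM network logons (Logon Type 3) from unexpected hosts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    """Subset of the fields carried by a Windows Security Event ID 4624 record."""
    event_id: int
    logon_type: int
    auth_package: str
    account: str
    workstation: str
    source_ip: str


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Logon(4624, 3, "Kerberos", "svc_backup", "BACKUP01", "10.0.5.20"),
    Logon(4624, 3, "NTLM", "admin_jane", "ADMIN-JUMP01", "10.0.1.5"),
    Logon(4624, 3, "NTLM", "admin_jane", "WS-0471", "10.0.44.17"),
    Logon(4624, 2, "Negotiate", "bob", "WS-0471", "10.0.44.17"),
    Logon(4624, 3, "NTLM", "svc_sql", "WS-0188", "10.0.44.92"),
    Logon(4624, 3, "NTLM", "svc_sql", "SQL01", "10.0.5.31"),
]

# Hypothetical allowlist: hosts from which NTLM network logons are expected
# (jump hosts, backup and database servers). Replace with your own inventory.
EXPECTED_NTLM_SOURCES = {"ADMIN-JUMP01", "SQL01", "BACKUP01"}


def is_suspicious(event, expected_sources=EXPECTED_NTLM_SOURCES):
    """True for a successful network logon using NTLM from a non-allowlisted host."""
    return (
        event.event_id == 4624
        and event.logon_type == 3
        and event.auth_package.upper() == "NTLM"
        and event.workstation.upper() not in expected_sources
    )


def hunt(events, expected_sources=EXPECTED_NTLM_SOURCES):
    """Group suspicious events by account so an analyst can review each account's
    set of unexpected source hosts in one place."""
    hits = {}
    for ev in events:
        if is_suspicious(ev, expected_sources):
            hits.setdefault(ev.account, []).append(ev)
    return hits


if __name__ == "__main__":
    for account, evs in hunt(SAMPLE_EVENTS).items():
        hosts = sorted({e.workstation for e in evs})
        print(f"{account}: NTLM type-3 logons from unexpected hosts {hosts}")
```

A Kerberos logon and an interactive (Type 2) logon are dropped by the filter, so only the two accounts with NTLM network logons from ordinary workstations remain for review.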