# Threat Hunting: Finding Attackers Before They Strike
Alerts are tactical. A SIEM detects a suspicious login; a SOC analyst kills the session. Crisis averted—for now.
Threat hunting is strategic. A hunter digs into historical logs and network telemetry, asking: "What _would_ an attacker have done here? Can I find evidence they already did it?" Hunting finds compromises that alarms missed—the silent exfiltration, the dormant backdoor, the persistence mechanism waiting to activate.
The difference: Alerts catch attacks in motion. Hunting catches attacks in hiding.
## Alert-Driven Security vs. Hunting

**Alert-Driven (reactive):**

- SIEM rule fires on a suspicious pattern
- Analyst investigates the alert
- If confirmed: kill process, reset password, block IP
- If false positive: close ticket, move on

_Coverage:_ Only patterns we explicitly configured

**Threat Hunting (proactive):**

- Hunter asks: "What TTPs (tactics, techniques, procedures) should I look for?"
- Searches logs, network, and endpoints for evidence
- Constructs a timeline of the attacker's steps
- Finds _multiple_ indicators of compromise, not just one
- Prioritizes by business impact and evidence strength

_Coverage:_ Patterns we configured + patterns we hypothesized
Example: An attacker compromised your network 2 months ago. They:

1. Entered via phishing (an alert was created, but dismissed as merely a suspicious external IP)
2. Lived quietly for 4 weeks, exfiltrating data hourly
3. Installed a persistence backdoor (the SIEM rule missed it: the tool was a known malware family, but the attacker had modified it so the signature no longer matched)
4. Prepared lateral movement (reconnaissance commands, executed slowly to stay under threshold alerts)

Alerts caught step 1 and missed steps 2-4. Hunting would find:

- Hourly outbound connections to rare destination IPs (exfiltration)
- PowerShell execution patterns consistent with reconnaissance (process parent-child chain analysis)
- Unusual scheduled tasks or registry modifications (persistence indicators)
- Domain admins querying sensitive data they never touched before (lateral-movement preparation)
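The hourly-beaconing pattern from step 2 above, as an added hunt (example code, not from the original post) run over constructed flow records: it keeps only destinations that few internal hosts contact, then flags source/destination pairs whose connection intervals are nearly constant. The thresholds and the sample IPs are assumptions.

```python
# Added example: hunt for periodic outbound connections to rare destinations.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample flows: (timestamp, internal source, destination IP, bytes out).
# Host 10.0.5.17 contacts 203.0.113.44 exactly once an hour; the rest is ordinary traffic.
BASE = datetime(2026, 3, 16, 0, 0)
FLOWS = [(BASE + timedelta(hours=h), "10.0.5.17", "203.0.113.44", 4_000_000) for h in range(24)]
FLOWS += [(BASE + timedelta(minutes=m), src, "198.51.100.10", 2_000)
          for m in (3, 17, 41, 95, 230, 300, 610, 900)
          for src in ("10.0.5.17", "10.0.5.18", "10.0.5.19")]
FLOWS += [(BASE + timedelta(minutes=m), "10.0.5.18", "203.0.113.99", 5_000) for m in (7, 8, 520)]


def hunt_periodic_rare_destinations(flows, max_sources=2, min_flows=6, max_cv=0.2):
    """Return (src, dst, mean_interval_seconds, total_bytes) for pairs that beacon
    to a destination few internal hosts use, at near-constant intervals."""
    by_pair = defaultdict(list)
    sources_per_dst = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
        sources_per_dst[dst].add(src)

    findings = []
    for (src, dst), events in by_pair.items():
        # Rarity: a destination used by many internal hosts is probably business traffic.
        if len(sources_per_dst[dst]) > max_sources or len(events) < min_flows:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        # Periodicity: a low coefficient of variation means a timer, not a human.
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((src, dst, avg, sum(n for _, n in events)))
    return findings
```

Real traffic needs the "rare" threshold tuned against your own baseline, and a jittered beacon needs a looser `max_cv` than the constant interval shown here.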
## Threat Hunting Methodology

### 1. Define Hypotheses

Start with threat intelligence, the MITRE ATT&CK framework, or known incidents:

- "Attackers in our sector use credential stuffing. Did anyone compromise an account with an unusual password reset?"
- "Known APT-X uses living-off-the-land techniques. Did any user execute PowerShell for an unusual duration?"
- "Ransomware-as-a-service operations produce bulk file encryption patterns. Did any file share or endpoint see bulk encryption?"
- "Supply-chain attacks target dependencies. Did our build systems pull from unusual sources?"

### 2. Search Evidence

Query logs, network telemetry, and endpoint data:

```
SIEM query:  Find all outbound connections from the finance department to non-business IPs, weekends only
Endpoint:    Search for PowerShell execution with suspicious arguments (encoded strings, WMI invocations)
Network:     Analyze DNS queries for typosquatting domains or known C2 infrastructure
Historical:  Check user login history for geographic impossibilities (New York to Tokyo in 10 minutes)
```
### 3. Build Timeline

Correlate findings into an attack sequence:

- 2026-03-15 10:22 AM: Phishing email to user@company.com (email logs)
- 2026-03-15 10:45 AM: Malicious attachment executed (endpoint logs)
- 2026-03-15 11:00 AM: User credentials used to access file share (network logs)
- 2026-03-15 11:15 AM: Persistence registry key created (endpoint logs)
- 2026-04-12 03:22 AM: Daily exfiltration to 185.22.1.1 (network telemetry) _[first seen 28 days later]_

### 4. Assess Confidence & Impact

Not every finding is a confirmed compromise:

- **Confirmed**: Malware execution + persistence registry key + exfiltration = high confidence
- **Probable**: Unusual credential access + file encryption pattern + no business justification = medium-high
- **Suspicious**: One-off connection to a rare IP + no follow-up activity = low-medium
- **False positive**: Finance admin executing a PowerShell script they wrote last month = low

Prioritize by:

- Confidence (how certain is it that this is malicious?)
- Impact (what data/systems were accessed?)
- Timeline (how long undetected?)
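As an added example (not from the original post), the geographic-impossibility search from step 2 implemented over constructed login records, with each finding emitted as a timeline entry for step 3. The 1000 km/h speed threshold, the city coordinates and the sample users are assumptions.

```python
# Added example: impossible-travel hunt over constructed authentication records.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed login records: (timestamp UTC, user, source city, latitude, longitude).
LOGINS = [
    (datetime(2026, 3, 15, 10, 45), "alice", "New York", 40.71, -74.01),
    (datetime(2026, 3, 15, 10, 55), "alice", "Tokyo", 35.68, 139.69),    # 10 minutes later
    (datetime(2026, 3, 15, 9, 0), "bob", "London", 51.51, -0.13),
    (datetime(2026, 3, 15, 16, 30), "bob", "Frankfurt", 50.11, 8.68),    # 7.5 h gap, plausible
    (datetime(2026, 3, 15, 12, 0), "carol", "Boston", 42.36, -71.06),
    (datetime(2026, 3, 15, 12, 0), "carol", "Boston", 42.36, -71.06),    # same place, zero gap
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def hunt_impossible_travel(logins, max_speed_kmh=1000.0):
    """Flag consecutive logins per user whose implied speed exceeds max_speed_kmh.
    Returns timeline entries: (timestamp, user, description, evidence source)."""
    by_user = {}
    for rec in sorted(logins):
        by_user.setdefault(rec[1], []).append(rec)
    findings = []
    for user, recs in by_user.items():
        for (t1, _, c1, la1, lo1), (t2, _, c2, la2, lo2) in zip(recs, recs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Two logins from the same place are not travel, whatever the gap.
            if km < 1.0:
                continue
            # A zero gap across a real distance is infinite speed, not a division error.
            speed = float("inf") if hours == 0 else km / hours
            if speed > max_speed_kmh:
                desc = f"{c1} -> {c2}: {km:.0f} km in {hours * 60:.0f} min"
                findings.append((t2, user, desc, "auth logs"))
    return sorted(findings)
```

Each entry slots straight into the step 3 timeline alongside the endpoint and network evidence; on its own it is "suspicious", and it moves toward "confirmed" only when the other sources corroborate it.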
## Real-World Hunting Scenarios

### Scenario 1: The Silent Exfiltration

A SaaS company had seen no alerts, but threat intelligence flagged its IP range in breach databases. The hunter's investigation:

- Searched for bulk egress from engineering networks (where secrets live)
- Found 1.2 TB transferred to an AWS IP (rare, no business justification)
- Correlated the timing with an engineer's login from home
- Discovered the engineer's laptop had been compromised via a supply-chain attack
- Timeline: 18 days of undetected exfiltration
- Prevented: the attacker downloading the entire source code repository

**Alert-driven approach:** Missed entirely (no rule configured for this pattern).

**Hunting approach:** Found via the hypothesis "engineers accessing unusual resources at night."
### Scenario 2: Lateral Movement in Healthcare

A healthcare system was compromised via a medical device. The attacker moved laterally to clinical systems. Hunting discovered:

- Unusual PowerShell execution on patient-facing workstations
- Impossible geography (medical device in the clinic, while the same systems were accessed from a different continent)
- Domain admin credentials used from the medical device network
- Access to patient databases 2 weeks before the alert

**Impact:** 10K+ patient records accessed; HIPAA breach.

**Detection:** Hunting found the lateral movement chain before data loss escalated.
### Scenario 3: Persistence Hidden in Legitimate Tools

The attacker installed persistence via a Windows scheduled task, but disguised it as system maintenance. The alert-driven SOC ignored it (legitimate process, expected schedule). The hunter asked:

"Do we have a legitimate task that runs `powershell.exe` at 3 AM daily?"

- Investigation revealed: the task was added by the attacker, not by Windows
- The task contained a command to reconnect to the C2 server if the connection dropped
- Persistence was removed; the attacker was found to have maintained access for 200+ days
## Tools for Threat Hunting

**SIEM (Splunk, ELK, Datadog):**

- Query logs across all sources
- Build dashboards for unusual patterns
- Historical search (90–365 days back)

**Endpoint tools (EDR, osquery):**

- Process execution history
- File access patterns
- Network connections from endpoints

**Network telemetry (DNS, proxy, firewall):**

- Outbound connections (IPs, domains, ports)
- DNS resolution history
- Geolocation anomalies

**Threat intelligence (feeds, MITRE ATT&CK):**

- Known C2 infrastructure
- APT behavior patterns
- Vulnerability exploitation chains

**Forensic tools (timeline tools, memory analysis):**

- Deep dive into suspicious systems
- Recover deleted files and cleared logs
- Memory injection detection
## Hunting Program Roadmap

### Phase 1: Establish Baseline (Month 1)

- Choose a hunting platform (SIEM + EDR + TI feeds)
- Define your "normal" (baseline network/endpoint behavior)
- Review recent security incidents and determine root causes
- Identify 3-5 TTPs to hunt first (e.g., lateral movement, persistence, exfiltration)

### Phase 2: Build Hunts (Months 2-4)

- Formalize hypotheses (document why you're hunting this)
- Write detection queries (SIEM, EDR, network)
- Test on known-good and known-bad samples
- Document false-positive thresholds
- Schedule routine hunts (weekly, monthly, quarterly)

### Phase 3: Operationalize (Months 5-6 and ongoing)

- Assign hunt ownership (rotate team members)
- Publish findings (metrics, statistics, confirmed compromises)
- Feed results back into detection rules (automate successful hunts)
- Conduct post-hunt reviews (what did we learn? What's our next hypothesis?)
## Hunting Metrics

Track your hunting program:

- **Hunts executed**: How many hypotheses were tested?
- **Confirmed compromises**: How many actual breaches were detected?
- **Time to discovery**: How long were attackers present before detection?
- **False-positive rate**: Are we spending time on noise?
- **Automation percentage**: How many hunts were automated into SIEM rules?

Good programs:

- 20–50 hunts per quarter
- 1–3 confirmed compromises per quarter (industry-dependent)
- 50–80% of successful hunts automated
- <5% false-positive rate
## Integration with Managed Security

Threat hunting requires expertise and continuous execution. Managed threat hunting services:

- Execute hunts 24/7
- Build domain expertise on your threat landscape
- Integrate with incident response (confirmed threats → immediate containment)
- Feed results into continuous detection (successful hunts → new SIEM rules)
- Report on trends (what attacks are increasing? What TTPs are prevalent in your sector?)

Sentos' managed threat hunting integrates with your SIEM, EDR, and threat intelligence to hunt continuously, detect silent compromises, and prioritize remediation by business impact.
## The Bottom Line
Alerts tell you about attacks in progress. Hunting tells you about attacks that succeeded. The difference is measured in hours vs. months, and in recovered data vs. stolen data.
Start hunting if you haven't. And if you lack in-house expertise, a managed threat hunting partner can operationalize it—turning your logs and telemetry into intelligence about adversaries already inside your network.
Senthil Kumar
Founder & CEO
Founder & CEO of Sentos Technologies. Passionate about AI-powered IT solutions and helping mid-market enterprises advance beyond.