The Evolution of Threat Hunting

December 9, 2019 | 6 min read | Security Posture

Wikipedia defines cyber threat hunting as “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” In practice, this is a very manual process in which trained “hunters” combine expertise in attacker behavior and techniques with deep knowledge of the networks and assets they are protecting, iteratively searching for and uncovering threats that the deployed security tools have otherwise missed.

Depending on who you ask, threat hunting has been around for upwards of 20 years, while the job title “threat hunter” originated in the last 5-6 years. Today, nearly 1000 LinkedIn profiles carry the term in either a headline or a job title, reflecting both the explosion in popularity of threat hunting techniques in the enterprise and the “cool factor” of the name.

IOC Detection

Initially, hunters sought to identify Indicators of Compromise (IOCs). At its simplest, an IOC is evidence that an attack of some sort has already occurred. Examples of IOCs include a malware infection, unexpected outbound traffic from an internal asset, large outbound data transfers, etc. The goal behind IOC identification is to shrink the 170-day average dwell time before a company detects a threat. The problem with the IOC approach is that it’s completely reactive – the damage has already been done.

IOC Detection Timeline

IOA Detection

This IOC shortcoming has led infosec teams to move their detection capabilities earlier, focusing not on “What has happened,” but on “What is happening.” The hunt for Indicators of Attack (IOAs) focuses on the activities and behaviors that adversaries undertake leading up to an attack, often corresponding to the reconnaissance step of the Cyber Kill Chain. While IOA detection helps to identify threats sooner in the process, its Achilles’ heel is that detection is still only possible after an initial infiltration event has occurred.

IOA Detection Timeline

IOR Detection

In light of these challenges, threat hunting teams are increasingly turning their attention to indicators that are observable before the adversary has infiltrated the organization – Indicators of Risk (IORs). As with the IOC and IOA models, the threat hunter starts with hypotheses on how attacks might be conducted, and iterates through testing, but the difference with IORs is that the focus is on conducting this analysis before any attack begins.

IOR Detection Timeline

IORs tell the threat hunter whether the organization is vulnerable to a particular type of attack, not whether or not an attack is happening right then. Let’s look at how this works in practice.

Suppose your organization hosts several of its most mission-critical applications on Linux servers running SMB/CIFS. You might hypothesize that attackers would go after these assets, potentially exploiting the SambaCry vulnerability. With an IOA/IOC approach, you need to wait for this vulnerability to be exploited and then catch the adversary red-handed. Using the IOR approach, however, you can check proactively with a simple query – no need to search through old vulnerability scan reports or manually check hundreds of software versions.

Here’s an example using Balbix. With a single query using the built-in natural language search capability, you can see that there are 105 Linux servers still vulnerable, across a range of different corporate locations.

Consider a more general example, where you simply want to look for critical assets that are unpatched and subject to a broad range of exploits. Another simple search shows 157 critical assets, including Exchange Servers and Domain Controllers that have not been properly patched.

Unpatched Critical Servers
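The two IOR queries above, as an added Python example that is not part of the article or of Balbix’s product: each hypothesis is a predicate run over a constructed asset inventory, and hits are tallied by location the way the screenshots group them. The Samba fix version is a placeholder, not the real patched release, and the hostnames, sites and versions are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Asset:
    hostname: str
    location: str
    os: str                 # "linux" or "windows"
    critical: bool
    software: dict = field(default_factory=dict)   # package name -> version string
    missing_patches: int = 0

def version_key(version):
    """Turn '4.12.3' into (4, 12, 3) so versions compare numerically, not as text."""
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)          # ignore suffixes such as 'rc1'
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

# PLACEHOLDER: not taken from the article. Replace with the patched release
# named in the vendor's SambaCry advisory before using this hypothesis for real.
SAMBA_FIXED_VERSION = "4.9.0"

def ior_sambacry(asset):
    """Hypothesis 1: a Linux server runs a Samba build older than the fixed release."""
    samba = asset.software.get("samba")
    return (asset.os == "linux" and samba is not None
            and version_key(samba) < version_key(SAMBA_FIXED_VERSION))

def ior_unpatched_critical(asset):
    """Hypothesis 2: a critical asset (DC, Exchange, ...) has patches outstanding."""
    return asset.critical and asset.missing_patches > 0

def hunt(inventory, hypothesis):
    """Test one IOR hypothesis against every asset; return the hits and a per-site tally."""
    hits = [a for a in inventory if hypothesis(a)]
    return hits, Counter(a.location for a in hits)

# Constructed sample inventory (every value below is made up for the example).
INVENTORY = [
    Asset("srv-blr-01", "Bangalore", "linux", True, {"samba": "4.5.2"}),
    Asset("srv-blr-02", "Bangalore", "linux", True, {"samba": "4.12.0"}),
    Asset("srv-sjc-01", "San Jose", "linux", False, {"samba": "4.2.10"}),
    Asset("srv-sjc-02", "San Jose", "linux", True, {"nginx": "1.18.0"}),
    Asset("dc-sjc-01", "San Jose", "windows", True, missing_patches=3),
    Asset("exch-blr-01", "Bangalore", "windows", True, missing_patches=1),
    Asset("ws-sjc-42", "San Jose", "windows", False, missing_patches=5),
]

if __name__ == "__main__":
    for name, hyp in [("SambaCry", ior_sambacry), ("unpatched critical", ior_unpatched_critical)]:
        hits, by_site = hunt(INVENTORY, hyp)
        print(f"{name}: {len(hits)} assets at risk, by location {dict(by_site)}")
```

Note that srv-blr-02 is not flagged even though "4.12.0" sorts before "4.9.0" as a string; the tuple comparison is what keeps the query honest.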

One final example illustrates the human factor involved in the threat. Suppose you suspect that web browsing activities on smartphones connected to the corporate network are exposing individuals in one of your offices to increased risk of being phished. Here we see 59 individuals with iPhones in the Bangalore office with elevated risk of being phished, perhaps an indication that additional security training is in order.

iPhone phishing in Bangalore

Threat Hunting Evolved

Reacting to threats after they’ve happened, or even as they happen, will always be a losing proposition. As the enterprise attack surface continues to grow, proactive cybersecurity posture transformation is the only viable path forward. Balbix can help – take a look.