Naturally, we all want to detect every threat to our network as soon as it manifests itself. That’s why we spend a ton of money every year on tools that detect things automatically.
But what do we do when automatic detection isn’t enough? Perhaps there’s a new attack that doesn’t yet have a detection signature, or maybe the threat you’re after can’t really be found using traditional detection methods. Are the tools you use less effective than you assumed they were? Do they struggle to keep up with the evolution of attacker techniques?
These scenarios are great examples of where threat hunting comes into play. With hunting, you send your most experienced analysts into the unknown, searching for threats that the machines failed to find. You send your most experienced analysts because, to be successful, a hunter needs to know how to coax data out of your toolset. They also need an intimate knowledge of the different types of malware, exploits and network protocols to navigate the vast heap of data consisting of logs, metadata and PCAP.