Threat Hunting Concepts
Not sure you’re ready?
Take the ~3-minute readiness diagnostic and see where you stand.
In classical physics, we assume a closed system remains undisturbed until an external force acts upon it. In traditional cybersecurity, defenders have historically operated under a dangerously similar illusion: the belief that perimeter defenses are impermeable walls, and that silence on the dashboard indicates a secure network. The modern Security Operations Center (SOC) must abandon this fallacy. To track modern adversaries, we begin with a fundamentally different axiom: threat hunting operates on the assumption that a network has already been breached by an advanced persistent threat (APT).

When the adversary is already inside the house, waiting for alarms to trip is a failing strategy. Instead, we must actively search the shadows.
Threat hunting is a proactive process to detect advanced threats evading traditional security measures. It is not an automated alert that lands in your queue; it is a search you initiate. Furthermore, threat hunting is an iterative process; you hunt, you learn, you refine your methods, and you hunt again.
Every hunt begins with a theory. In our discipline, a threat hunting hypothesis is a proposed explanation used as a starting point for further investigation. You do not query terabytes of log data aimlessly; you ask a specific question. We categorize these hypotheses into three primary methodologies:
- Intelligence-Driven Threat Hunting: This method generates hypotheses based on specific threat intelligence reports. If a strategic partner reports that a new ransomware group exploits a specific vulnerability in VPN gateways, your hypothesis becomes: "Our network contains compromised VPN gateways exhibiting this exact post-exploitation behavior."
- Situational-Awareness Driven Threat Hunting: This approach generates hypotheses based on a deep understanding of the organization environment. You know your network's architecture, its critical assets, and its normal rhythms. If you know the financial databases are heavily accessed during the end of the month, a sudden spike in access mid-month prompts a hunt.
- Analytics-Driven Threat Hunting: At scale, human eyes cannot parse gigabytes of traffic efficiently. This method relies on statistical analysis to identify anomalies, and increasingly relies on machine learning to identify anomalies that deviate from mathematical norms.

The Human vs. The Machine
How we execute the hunt depends on the maturity of the threat and the tools at our disposal.
- Automated threat hunting utilizes scripts to continuously search logs for known Indicators of Compromise. This is high-speed, repetitive work.
- Manual threat hunting relies on human intuition to discover anomalous patterns in security event logs. This is the artistry of the SOC analyst. When the scripts fail to flag a subtle data exfiltration because it uses standard HTTP traffic, it is the analyst’s intuition—sensing that the destination or volume is wrong—that uncovers the breach.
Crucial Rule of the Hunt: As you search, you will generate noise. Threat hunters filter out false positives by comparing anomalous activity against baseline network behavior. If you do not know what "normal" looks like, everything looks like an attack.
When an adversary moves through a network, they leave footprints. We classify these footprints into two categories: Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).
Indicators of Compromise (IOCs)
Indicators of Compromise are forensic artifacts from an intrusion. They are the static remnants left behind, and Indicators of Compromise identify malicious activity on a system or network.
Consider the lifecycle of managing these artifacts:
- Collecting Indicators of Compromise requires gathering log data from endpoint detection and response (EDR) tools (to see what processes ran on a workstation) and gathering log data from network traffic analyzers (to see where that workstation communicated).
- Analyzing Indicators of Compromise involves correlating gathered data against threat intelligence feeds. You have a suspicious IP address; does the wider security community recognize it as malicious?
- Applying Indicators of Compromise involves updating security controls to block known malicious artifacts.
Once a new IOC is confirmed, the hunt looks backward as well as forward. Threat hunters query SIEM platforms to identify historical occurrences of newly discovered Indicators of Compromise. If you learn today that a specific IP is malicious, you must check your SIEM to see if any of your hosts communicated with it last month.

File hashes are common Indicators of Compromise, serving as digital fingerprints for malware payloads. Similarly, malicious IP addresses are common Indicators of Compromise, pointing to known adversarial infrastructure.
The Pyramid of Pain
To understand the utility of these indicators, we turn to a conceptual model. The Pyramid of Pain represents the difficulty an adversary faces when a defender relies on different types of threat indicators.
- Hash values are located at the bottom of the Pyramid of Pain. Why? Because attackers can easily change malicious file hash values to evade detection. By flipping a single bit of code, the file hash completely changes, rendering your blocklist useless. It costs the attacker practically nothing to do this.

- Tactics, Techniques, and Procedures (TTPs) are located at the apex of the Pyramid of Pain. TTPs represent the adversary's playbook. If you can detect and block how they execute an attack (their techniques) rather than the specific file they use, you force them to learn entirely new ways of hacking.
Because TTPs are so vital, threat hunters utilize the MITRE ATT&CK framework to map observed adversary behaviors to known tactics. This gives the global security community a shared language to describe how adversaries operate.
Indicators of Attack (IOAs)
While IOCs look at static forensic evidence (like a hash), Indicators of Attack focus on the behavior of an attacker rather than static artifacts left behind.
A perfect example of an IOA in practice is tracking command and control (C2) communication. Once an adversary compromises a machine, that machine must call home for instructions.
- Beaconing is a periodic network transmission from a compromised host to an external command and control server.
- Threat hunters identify beaconing activity by searching for regular outbound network connections with consistent timing intervals. (e.g., a host reaching out to an external server every exactly 60 seconds).
- However, adversaries know we look for mathematical consistency. Therefore, they introduce Jitter, which is an intentional variation in beaconing timing designed to evade automated detection systems. Instead of every 60 seconds, the malware might check in at 52 seconds, then 68 seconds, then 59 seconds. The human analyst must look at the statistical grouping of these connections to spot the hidden heartbeat.
Up to this point, our methods have been purely observational. But the modern SOC does not simply watch; it dictates the terms of engagement.
Active defense involves implementing security measures that actively engage attackers, and simultaneously involves implementing security measures that actively deceive attackers.
Make no mistake about the parameters of this engagement: active defense operations remain strictly within the boundaries of the defending organization network. We do not "hack back" or launch retaliatory strikes against external servers. That is illegal and reckless. Instead, we turn our own network into a hostile environment for the adversary.
The Goals of Active Defense
- The primary goal of active defense is to disrupt adversary operations.
- Active defense aims to increase the cost of an attack for the adversary. (Forcing them to waste time and resources).
- Active defense aims to increase the complexity of an attack for the adversary. (Forcing them to navigate mazes rather than straight lines).
The Arsenal of Deception
How do we implement this? Through cyber deception and carefully constructed traps. Cyber deception utilizes fake network topologies to disorient attackers during the reconnaissance phase. When an attacker scans your network, instead of seeing 50 real servers, they see 50 real servers hidden among 500 fake ones.

At the core of this deception is the honeypot. A honeypot is a decoy computer system designed to attract unauthorized access attempts.
- Honeypots isolate attackers in a controlled environment.
- Because no legitimate user has any business accessing a decoy, any interaction with a honeypot is instantly treated as highly suspicious. Honeypots allow defenders to study attacker tactics without risking production data.

We deploy honeypots in varying degrees of fidelity:
- Low-interaction honeypots simulate basic services to gather limited information about automated attacks. They might emulate an open SSH port to capture the usernames and passwords being used by automated brute-force bots.
- High-interaction honeypots provide fully functional operating systems to capture detailed information about manual attacker behaviors. When a skilled human attacker breaches the network, we want them to land here, so we can watch exactly what commands they type and what TTPs they attempt to deploy.
If one honeypot is good, an entire fake network is better. A honeynet is a network containing multiple honeypots configured to simulate a larger enterprise environment.
Deception extends down to the data level:
- A honeytoken is a piece of decoy data used to track unauthorized access. This could be a fake set of database credentials left in a developer's script. If those credentials are ever used to attempt a login, you know an adversary found them.
- A honeyfile is a fake document designed to generate an alert when accessed, and equally, a honeyfile is a fake document designed to generate an alert when exfiltrated. You might name a file
Q3_Financial_Projections_Unencrypted.pdf. It contains tracking pixels or triggers auditing alarms the moment an attacker tries to read or steal it.

Attrition and Control
Beyond deception, active defense includes mechanisms of pure frustration.
- Tarpits are active defense mechanisms designed to intentionally slow down network connections. When an attacker tries to scan a tarpitted segment of your network, the connection is held open artificially long, reducing their scanning speed from seconds to days.
- Finally, we attack their communication channels. A DNS sinkhole is an active defense mechanism providing false IP addresses for known malicious domain names. If an attacker's malware attempts to resolve
evil-c2-server.com, your DNS server intercepts the request and routes it to a dead, internal IP address (the sinkhole). DNS sinkholes prevent infected internal hosts from communicating with external command and control servers, effectively neutralizing the malware's ability to receive instructions or exfiltrate your data.
Through the rigorous application of threat hunting and active defense, the SOC analyst stops playing the role of the victim waiting for an alert. By understanding how to collect artifacts, analyze behaviors, and trap adversaries in deceptive labyrinths, you reclaim control of the network. The adversary may have breached the perimeter, but they have stepped directly into your arena.