Group Purchasing
Group Purchasing

The Who, What, Where, When, Why and How of Effective Threat Hunting

The Who, What, Where, When, Why and How of Effective Threat Hunting (PDF, 1.70MB)Published: 16 Feb, 2016
Created by:
Rob T. LeeRobert M. Lee
Rob T. Lee & Robert M. Lee

The Who, What, Where, When, Why and How of Effective Threat Hunting, published by SANS Institute in February 2016, defines cyber threat hunting as a focused, iterative approach to searching out, identifying and understanding adversaries already inside an organization's network. Written by Robert M. Lee and Rob T. Lee, the paper covers what threat hunting is, why it matters, when and where it fits into an organization's security maturity, and how to structure a hunting program.

Key findings:

  • Threat hunting is defined as a focused and iterative approach to searching out, identifying and understanding adversaries internal to the defender's own network
  • An adversary must have three characteristics to qualify as a threat: intent, capability and opportunity
  • Threat hunting sits within the "active defense" category of the Sliding Scale of Cyber Security, alongside architecture, passive defense, intelligence and offense
  • The Hunting Maturity Model (HMM) defines five levels of hunting capability: initial, minimal, procedural, innovative and leading
  • Organizations at HMM level 0 rely primarily on automated alerting and are not yet hunting; hunting begins at HMM level 1 with threat intelligence indicator searches
  • Threat hunting cannot be fully automated; repeatable tasks can be automated, but human analysts with instincts and inquisitive minds remain essential
  • Effective hunting requires two things: sufficient data to search (flow records, logs, alerts, system events, memory dumps) and the tools to sort through it (search, visualization, machine learning)
  • The Cyber Kill Chain and the Diamond Model of Intrusion Analysis both feed into the Active Cyber Defense Cycle, which consists of four phases: threat intelligence consumption, asset identification and network security monitoring, incident response, and threat and environment manipulation
  • Threat hunters are most effective when dedicated to actively pursuing adversaries rather than restricted to alert response or network maintenance duties
  • A strong hunter profile combines active defense experience (enterprise security, incident response) with intelligence analyst tradecraft, including hypothesis generation and awareness of cognitive biases like anchoring

The paper argues that threat hunting is not a single state but a progression tied to an organization's broader security maturity. Prevention tools alone cannot stop focused human adversaries, so the paper frames hunting as a necessary complement: a proactive, hypothesis-driven search for intrusions already underway, rather than a reactive wait for alerts. Its central point is that hunting effectiveness scales with investment in data collection, analytical tooling and skilled, empowered analysts. This is a conceptual whitepaper rather than a data survey; it draws on established industry frameworks (the Hunting Maturity Model, the Sliding Scale of Cyber Security, the Cyber Kill Chain, the Diamond Model of Intrusion Analysis) rather than primary survey data, and is written by two named SANS-affiliated authors.

FAQ

Meet the expert