What qualifies as a “successful” Cyber Threat Hunt?




To keep the hunt team's analysts focused on relevant and important hunts, analysts must evaluate every completed hunt and hand off each hunt that qualifies to the business case development process.


Should the hunt become a base hunt?

Does the analyst believe the logic used provides repeatable, low-fidelity results that can serve as a starting point for future hunts?

  • The logic used should be documented in the Master Threat Hunting Database (MTHDB).

Is the malicious actor from within the organization, or does the actor have unique access?

  • Either condition warrants initiating a follow-on Base Hunt action, since potential follow-on intrusions require continual monitoring.


Can the hunt become a rule?

If an analyst determines that a hunt may become a business rule, documentation of the hunt should be delivered to the business case development process. The information should be formulated into a rule that can be applied to monitoring and alert devices[1] on the network; this rule too should be recorded in the MTHDB. The hunt team is responsible for documenting the methodology used, for including it in the MTHDB, and for providing this information to the business case process personnel.


[1] “Smart” network devices may include firewalls, Intrusion Detection/Prevention Systems, or Security Information and Event Management (SIEM) hardware.

Is the hunt effective?

Hunts may lose their effectiveness over time, and continuing to focus resources on such an activity diverts them from other important hunting priorities. There are several reasons a hunt may lose its effectiveness or no longer need to be pursued:

  • Creation of a rule covering the same activity may address the threat
  • Completed patching against a known vulnerability may partially or totally mitigate the need for the hunt
  • Improved automated tools or policies may also mitigate the threat
  • Determination that there is no longer an active threat in the IT environment.

Hunting can also consume a significant amount of time, so analysts must keep their resources focused on real and active threats. When a Cybersecurity Threat Intelligence (CTI) analyst determines that a hunt can no longer provide effective results, the reasoning must be documented in the MTHDB as part of retiring the hunt.
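The three review questions above (base hunt, rule, effectiveness) form one decision procedure applied to every completed hunt. The following is an added illustration of that procedure and is not code from the original page: it models a completed hunt as a record, applies the page's criteria, and produces the MTHDB entries the text requires, including the documented reasoning a retirement must carry. The record fields, the MTHDB entry layout and the sample hunts are assumptions constructed for this example.

```python
"""Review of a completed threat hunt into follow-on MTHDB actions.

Added example; the hunt record fields, MthdbEntry layout and sample
hunts below are constructed assumptions, not the page's own schema.
"""
from dataclasses import dataclass, field


@dataclass
class CompletedHunt:
    """Analyst's findings for one finished hunt (constructed fields)."""
    name: str
    logic: str                       # the query/method used, recorded verbatim
    repeatable: bool                 # can the logic be re-run unchanged?
    low_fidelity: bool               # broad results meant as a starting point
    insider_or_unique_access: bool   # actor is internal or holds unique access
    rule_candidate: bool             # precise enough for an alerting device
    covered_by_rule: bool = False    # a rule now addresses the same activity
    vulnerability_patched: bool = False
    automated_control_added: bool = False
    threat_no_longer_active: bool = False


@dataclass
class MthdbEntry:
    """One line written to the Master Threat Hunting Database (assumed layout)."""
    hunt: str
    disposition: str          # "base_hunt", "rule_candidate" or "retired"
    logic: str
    reasoning: list = field(default_factory=list)


def review_hunt(hunt: CompletedHunt) -> list:
    """Apply the three review questions; a hunt may yield several entries."""
    entries = []

    # 1. Should the hunt become a base hunt?
    base_reasons = []
    if hunt.repeatable and hunt.low_fidelity:
        base_reasons.append("repeatable, low-fidelity logic usable as a starting point")
    if hunt.insider_or_unique_access:
        base_reasons.append("actor is internal or has unique access; "
                            "continual monitoring for follow-on intrusions")
    if base_reasons:
        entries.append(MthdbEntry(hunt.name, "base_hunt", hunt.logic, base_reasons))

    # 2. Can the hunt become a rule? Methodology goes to business case development.
    if hunt.rule_candidate:
        entries.append(MthdbEntry(hunt.name, "rule_candidate", hunt.logic,
                                  ["methodology handed to business case development"]))

    # 3. Is the hunt still effective? Retirement must carry documented reasoning.
    retire_reasons = []
    if hunt.covered_by_rule:
        retire_reasons.append("a rule covering the same activity addresses the threat")
    if hunt.vulnerability_patched:
        retire_reasons.append("patching of the known vulnerability mitigates the need")
    if hunt.automated_control_added:
        retire_reasons.append("improved automated tools or policies mitigate the threat")
    if hunt.threat_no_longer_active:
        retire_reasons.append("no longer an active threat in the IT environment")
    if retire_reasons:
        entries.append(MthdbEntry(hunt.name, "retired", hunt.logic, retire_reasons))

    return entries


# Constructed sample hunts, not real hunt records.
SAMPLE_HUNTS = [
    CompletedHunt("broad-logon-anomalies", "hypothetical query A",
                  repeatable=True, low_fidelity=True,
                  insider_or_unique_access=False, rule_candidate=False),
    CompletedHunt("privileged-account-misuse", "hypothetical query B",
                  repeatable=True, low_fidelity=False,
                  insider_or_unique_access=True, rule_candidate=True,
                  covered_by_rule=True),
    CompletedHunt("one-off-check", "hypothetical query C",
                  repeatable=False, low_fidelity=False,
                  insider_or_unique_access=False, rule_candidate=False),
]


def dispositions(hunt: CompletedHunt) -> list:
    """Convenience: just the disposition labels, in review order."""
    return [e.disposition for e in review_hunt(hunt)]


if __name__ == "__main__":
    for h in SAMPLE_HUNTS:
        for entry in review_hunt(h):
            print(f"{entry.hunt}: {entry.disposition} -> {'; '.join(entry.reasoning)}")
```

A hunt with no qualifying answer yields no MTHDB entry, which is itself a review result worth noticing: the analyst should either record why the hunt is being dropped or reconsider the findings. The second sample shows that one hunt can simultaneously seed a base hunt, be handed off as a rule candidate, and be retired once a rule covers it.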


Characteristics of a Successful Hunt Mission

A successful hunt occurs when the threat is identified, isolated, and prevented from conducting its mission. Furthermore, threat patterns are captured, business cases are generated, and the likelihood of any future exploitation by the threat is greatly minimized.


Coming July 2019

Second Edition