About this document
The cyber defense strategies adopted by organizations continually evolve to meet the challenges placed upon them by internal and external business drivers. Chief among those drivers are threat actors, who have consistently demonstrated an ability to lurk within organizational networks for excessive periods of time prior to their detection and eventual expulsion.
These repeated occurrences of excessive adversarial dwell time have fueled the view that, to effectively manage an information security program, leaders must acknowledge that fundamental cyber solutions such as firewalls, endpoint protection, and anti-malware products can be defeated by motivated threat actors.
This acknowledgment has contributed to the adoption of practices affectionately referred to as Cyber Threat Hunting (“Threat Hunting” or “Hunting”) within the cyber security community. We can define threat hunting as a focused and iterative approach to searching out, identifying, and understanding adversaries internal to the defender’s networks (Lee, SANS). This practice is usually driven by a hypothesis, rather than triggered by an event or observations within the defender’s network.
While models for threat hunting have been developed for both commercial and scholarly publication, a de facto standard has yet to emerge at the time of this document’s release.
The following is Polarity's perspective on the various phases of threat hunting.