Threat Hunting I: Let’s Go Hunt Some Threats

Adam Goss
5 min read · Jul 18, 2022

How do you think computers are secured nowadays?

You might think with firewalls or anti-virus solutions like Windows Defender. If you want to get fancy perhaps a VPN like [insert name of VPN which keeps coming up every time I want to watch a YouTube video] or something cool like a Yubikey / fingerprint scanner to unlock your computer. If you work for an enterprise you might answer with “DDoS (Distributed Denial of Service) protection”, “an email gateway to filter malicious emails”, or “a really expensive Microsoft product”.

Either way, all of these security solutions — and many others like IDS (Intrusion Detection Systems), EDR (Endpoint Detection and Response), and WAF (Web Application Firewall) — are passive defenses that a security team puts up to stop an attacker from gaining access to their systems. You can think of them as walls designed to block entry and protect your precious treasure. In cyber security, they are means of ensuring the confidentiality, integrity, and availability of data (the fabled CIA triad).

The walls are good. If I were a medieval king and my castle was being besieged, then I would want to be behind a few walls. However, I would also want to fight back and defend my castle! This is where threat hunting comes into play. Threat hunting is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions” (TechRepublic). It’s the blue team’s equivalent of actively defending their castle from an ongoing siege.

The “blue team” is the name given to the people trying to defend an organisation, while the “red team” is the name given to attackers.

A threat hunter will investigate a bad guy’s or girl’s (women can be criminals too) activity before any of the many systems organizations use to protect themselves has raised a warning of a potential threat.

They do this in numerous ways. They could think like an attacker and try to emulate what they would do to breach an organization, and then search for this activity. They could use analytics with machine learning or UEBA (User and Entity Behaviour Analytics) to calculate risky or uncommon behavior patterns among users and then investigate these users. They could use threat…
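To make the UEBA idea concrete, here is an added example (not from the original article): a minimal rarity score over constructed logon records. Each user's hosts and logon hours before the hunt window form a baseline, and activity in the window is scored by how far it departs from that baseline, so the hunter knows which user to investigate first. The event list, the hunt start date and the weights are all assumptions made up for this illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events (user, host, timestamp); not real data.
EVENTS = [
    ("alice", "WS-01", "2022-07-11T09:05:00"),
    ("alice", "WS-01", "2022-07-12T08:55:00"),
    ("alice", "WS-01", "2022-07-13T09:10:00"),
    ("bob", "WS-02", "2022-07-11T10:00:00"),
    ("bob", "WS-02", "2022-07-12T10:30:00"),
    ("bob", "WS-02", "2022-07-13T09:45:00"),
    # Events inside the hunt window (assumed to start 2022-07-18).
    ("alice", "WS-01", "2022-07-18T09:00:00"),
    ("bob", "FILESRV-01", "2022-07-18T02:30:00"),
    ("bob", "DC-01", "2022-07-18T02:45:00"),
]
HUNT_START = datetime(2022, 7, 18)  # assumed boundary between baseline and hunt window

def build_baseline(events, before):
    """Per-user sets of hosts and logon hours observed before the hunt window."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for user, host, ts in events:
        when = datetime.fromisoformat(ts)
        if when < before:
            hosts[user].add(host)
            hours[user].add(when.hour)
    return hosts, hours

def score_users(events, before):
    """Score hunt-window activity: +2 per never-before-seen host, +1 per unusual logon hour."""
    hosts, hours = build_baseline(events, before)
    scores, reasons = {}, defaultdict(list)
    for user, host, ts in events:
        when = datetime.fromisoformat(ts)
        if when < before:
            continue
        scores.setdefault(user, 0)
        if host not in hosts[user]:
            scores[user] += 2
            reasons[user].append(f"new host {host}")
        if when.hour not in hours[user]:
            scores[user] += 1
            reasons[user].append(f"unusual hour {when.hour:02d}:00")
    return scores, dict(reasons)

def ranked(events, before):
    """Users ordered from most to least anomalous; the top entry is the first hunt lead."""
    scores, _ = score_users(events, before)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for user, score in ranked(EVENTS, HUNT_START):
        print(user, score, score_users(EVENTS, HUNT_START)[1].get(user, []))
```

A real deployment would use weeks of baseline data and many more features, but the shape is the same: the score ranks leads, and the hunter then investigates the top user by hand.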

Adam Goss

Cyber Security Professional | Red Teamer | Adversary Emulator | Malware Analysis | Threat Hunter | Threat Intelligence