Threat Hunting - How proactive cyber security can prevent attacks

Cyber attacks are becoming ever more sophisticated and traditional security measures are increasingly reaching their limits. But instead of simply reacting to alerts, many companies are now turning to threat hunting - a proactive method of detecting threats before they can cause damage.

In this interview, we speak to David Macamo, Senior SOC Analyst at suresecure. He provides exciting insights into the world of threat hunting, explains why conventional security tools alone are not enough and which methods and tools companies can use to detect cyber attacks at an early stage.

suresecure: David, thank you for taking the time! IT security is a huge topic today and yet many companies still rely on reactive measures. In other words, they wait until something happens instead of actively looking for threats. Can you explain to us exactly what threat hunting is and why it is so important today?

David: Thank you for inviting us! Threat hunting is a proactive approach to IT security. This means that security experts specifically search for threats before they can cause any damage. Traditional security measures such as firewalls or anti-virus programmes only react once an attack is already underway. With threat hunting, on the other hand, analysts analyse suspicious patterns in the network in order to detect potential attackers at an early stage. They rely on hypotheses, threat intelligence and anomaly detection to detect threats that may be overlooked by automated security systems.

suresecure: Many companies rely on security tools such as SIEM or endpoint protection systems to automatically detect threats. What makes threat hunting different or better?

David: Traditional security solutions are often rule-based. They recognise threats based on signatures or known attack patterns. The problem is that if an attacker uses a new, as yet unknown technique or disguises themselves particularly skilfully, these systems may not notice them. Threat hunting exists precisely for such cases. Here, analysts specifically look for behavioural patterns, unusual activities or deviations from the norm - things that are difficult for a machine to assess, but can be very noticeable to a trained human.

suresecure: Let's run through this using a concrete example. How would a threat hunter go about detecting a hidden attacker?

David: Imagine an attacker has logged into a company network with stolen credentials. He behaves cautiously, uses legitimate tools and avoids anything that could immediately trigger an alarm. A classic firewall or SIEM system could interpret this as a normal login. However, a threat hunter would look closely at when and where the user logs in, which systems they use and whether their behaviour deviates from the norm. For example: Is an employee who normally works from Germany suddenly logging in from another continent in the middle of the night? Are they accessing data that is not part of their typical tasks? Such deviations are a clear warning signal that requires a closer look.

suresecure: Attacks are becoming increasingly sophisticated, hackers are constantly evolving. Why is threat hunting more important than ever today?

David: The threat landscape is changing rapidly. Attackers are using increasingly sophisticated techniques to remain undetected. Studies show that cybercriminals can often operate undetected in a network for weeks or even months. This gives them plenty of time to gather information, exploit security vulnerabilities or infiltrate malicious code. Conventional security tools are good, but not perfect. Threat hunting helps to detect hidden attackers before they can cause serious damage. It is a kind of "early warning system" for threats that remain under the radar.

suresecure: You already have many years of experience with event logs and SIEM systems. How has your work changed over time?

David: Honestly? A few years ago, I mainly used logs to investigate errors or technical problems after the fact. You only looked at event logs when it was already too late. Today, things are different: logs are a goldmine for security analyses. With the right tools and techniques, suspicious activities can be recognised in real time. The ability to recognise patterns in large amounts of data is one of the most important skills in IT security today - and it is becoming increasingly important.

suresecure: What specific methods are used in threat hunting? How do the analysts proceed?

David: There are three main approaches that we use:

  1. Hypothesis-based hunting: Here we work with assumptions based on threat intelligence. For example, we could investigate whether suspicious PowerShell activities can be differentiated from legitimate administrator activities.

  2. Indicator-based hunting: We specifically search for known Indicators of Compromise (IoCs), i.e. indications of compromise. These can be suspicious IP addresses, malware hash values or known C2 servers.

  3. Anomaly-based hunting: Here we focus on unusual activities. A user suddenly accessing sensitive data at unusual times would be an example of a potential threat.

suresecure: Which tools do you personally prefer to use for your work?

David: There are many great tools out there, but I definitely have a few favourites. Splunk is perfect for log analyses, queries and dashboards. Google-SecOps is extremely powerful when it comes to real-time threat detection and forensic analysis. For analysing network traffic, I often use Wireshark and Zeek - both provide extremely detailed insights into the traffic. Each of these tools has its own purpose, and the best strategy is to combine them wisely.

suresecure: When companies want to get started with threat hunting, what should they pay particular attention to?

David: The most important thing is a competent and trained team. Automated tools are great, but ultimately it comes down to the people who operate them. In addition, companies need to manage their log data sensibly and implement a powerful SIEM system. Threat intelligence is another important point - the better you know about current threats, the more targeted you can search for them. And very importantly, threat hunting is not a one-off project, but an ongoing process. You have to keep at it.

suresecure: Finally, a question about the future: will threat hunting eventually be replaced by even more intelligent technologies?

David: No, rather supplemented than replaced. Automated systems are getting better and better, but the attackers are developing just as quickly. It's a constant arms race. Threat hunting will always play an important role because it starts where machines reach their limits. The best strategy is a mix of technology and human expertise. Companies that combine both have the best chance of protecting themselves against modern cyber threats.

suresecure: David, thank you very much for your exciting insights!

David: You're very welcome! I hope that more and more companies realise how important proactive security measures are. Threat hunting is a real game changer when done right.
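The anomaly-based hunt David sketches above (a user who normally works from Germany suddenly logging in from another continent at night and touching data outside their usual tasks), as an added example that is not part of the interview: it builds a per-user baseline from past logins and flags deviations in country, login hour and accessed resource. The log fields, the baseline/hunt split and the sample events are constructed for illustration and do not follow any particular SIEM schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (user, ISO-8601 UTC timestamp, country, resource); field names are assumed.
BASELINE_EVENTS = [
    ("a.schmidt", "2025-04-01T07:55:00", "DE", "hr-share"),
    ("a.schmidt", "2025-04-02T08:10:00", "DE", "hr-share"),
    ("a.schmidt", "2025-04-03T09:02:00", "DE", "payroll-db"),
    ("a.schmidt", "2025-04-04T16:45:00", "DE", "hr-share"),
    ("b.meyer", "2025-04-01T10:00:00", "DE", "git"),
    ("b.meyer", "2025-04-02T22:30:00", "US", "git"),  # travelling developer
]
HUNT_EVENTS = [
    ("a.schmidt", "2025-04-10T08:05:00", "DE", "hr-share"),   # normal
    ("a.schmidt", "2025-04-11T02:40:00", "BR", "finance-db"), # deviates on all three axes
    ("b.meyer", "2025-04-11T23:10:00", "US", "git"),          # late, but within baseline
]

def build_baseline(events):
    """Per user: countries seen, login hours (UTC) seen, resources accessed."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "resources": set()})
    for user, ts, country, resource in events:
        base[user]["countries"].add(country)
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
        base[user]["resources"].add(resource)
    return base

def hour_distance(a, b):
    """Distance between two hours on a 24h clock (23 and 0 are 1 apart)."""
    return min((a - b) % 24, (b - a) % 24)

def hunt(events, baseline, hour_slack=1):
    """Return (user, timestamp, reasons) for every event deviating from the
    user's baseline; a login hour is normal if within hour_slack of one seen before."""
    findings = []
    for user, ts, country, resource in events:
        b = baseline.get(user)
        if b is None:
            findings.append((user, ts, ["no baseline for user"]))
            continue
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if country not in b["countries"]:
            reasons.append(f"new country {country}")
        if all(hour_distance(hour, h) > hour_slack for h in b["hours"]):
            reasons.append(f"unusual login hour {hour:02d}:00 UTC")
        if resource not in b["resources"]:
            reasons.append(f"first access to {resource}")
        if reasons:
            findings.append((user, ts, reasons))
    return findings
```

Each finding is a lead for an analyst to follow up, not a verdict: the travelling developer shows why a baseline built from the user's own history beats a fixed "no logins after 22:00" rule.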

Annika Gamerad

Event & Marketing Specialist

Published on 06.05.2025