Best Software for 2025 is now live!
View the Winners
Glosario de Tecnología

Threat Hunting

Holly Landis
HL
por Holly Landis
Threat hunting is a cybersecurity technique that continually monitors networks for malicious activity. Learn how organizations stay protected from threats.
DefiniciónSoftware de Threat Hunting

En esta publicación

En esta publicación

What is threat hunting?

Threat hunting is a proactive cybersecurity technique that regularly monitors networks and devices for potential cyber threats.

After bypassing a network’s first levels of security, criminals can easily go undetected, lurking for weeks, possibly months, before attacking or being discovered. Unlike threat detection, which is a more reactive approach, threat hunting anticipates where within the system these cyber criminals could be.

Through active monitoring using security information and event management (SIEM) software, IT and security teams identify suspicious activity and take action before a cyberattack takes place.

Software de Threat Hunting
Software que menciona a threat hunting como una característica o término.
Carbon Black EDR
Carbon Black EDR
CrowdStrike Falcon Endpoint Protection Platform
CrowdStrike Falcon Endpoint Protection Platform
Sophos MDR
Sophos MDR
Microsoft Sentinel
Microsoft Sentinel
Huntress Managed EDR
Huntress Managed EDR
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint

Types of threat hunting

Any threat hunting exercise assumes that cybercriminals are already within the network or device’s system. Investigations into these possible intruders fall into one of three categories. 

  • Hypothesis-driven is usually triggered by a new threat identified in a wider market. This could be industry-specific or based on the technologies a company is currently using. IT teams will gather information, usually through crowdsourcing, then investigate their own systems to see if anything suspicious has occurred.
  • Known indicators of compromise or attack go a step beyond hypothesis-driven investigations and use threat intelligence data to understand the motives or goals behind a possible attack. Indicators of compromise (IOCs) or indicators of attack (IOAs) are mapped and used as triggers for future malicious activity.
  • Machine learning uses data analysis techniques to review large amounts of information as a way of training artificial intelligence (AI) programs to detect inconsistencies and irregularities in data that could possibly suggest malicious activity.

Steps for a threat hunting investigation

Regardless of the threat hunting methodology used, companies have to complete five critical steps to ensure a successful investigation. 

Steps for a Threat Hunting Investigation

  • Building a hypothesis. Like any scientific experiment, threat hunting requires a hypothesis to predict an attacker’s behavior. Ideas should be discussed across the team as they gather information about potential threats or types of activity to watch for.
  • Collecting and processing data. Assembling and centralizing data in SIEM software gives teams with a history of threats valuable insights that can inform future responses.
  • Setting a trigger. This is one of the most important parts of a threat hunt. Once a trigger is established, tracking searches for anomalies in the device or network. Any unusual behavior that’s triggered prompts teams to take further action.
  • Investigating the threat. If any malicious activity is found, teams look further into the trouble and determine their next steps.
  • Responding to the threat. At this point, the business’s emergency response plan should be rolled out to shut down any malicious activity, recover lost data, and patch security breaches.

Benefits of threat hunting

Taking a proactive stance toward cybersecurity is an organization’s best defense against criminals and the possibility of data loss. Threat hunting is also useful when it comes to:

  • Improving threat response times. As teams actively monitor for threats around the clock, they can quickly catch and deal with any shady activity. 
  • Reducing risk to the business. All digitally-run companies take risks with their information, but threat hunting can curb many of these by continually looking for and acting on problems before they escalate. Instead of a business losing all its data, threat hunters can prevent attacks or shut them down before too much information is lost.
  • Staying updated on the latest cyber threats. Proactive IT teams are more aware of current threats when they engage in threat hunting. Information and research is widely shared in cybersecurity communities, meaning teams stay updated on the most menacing activities.

Best practices for threat hunting

Organizations' threats are ever-changing, but establishing routines and best practices around threat hunting makes combating any cybersecurity issues much easier. Businesses should consider implementing best practices such as:

  • Establishing what’s normal for the company. Determining a baseline is essential when setting up new investigative systems. This means teams see when activity outside the norm takes place, which triggers further action.
  • Following a standard procedure. Many cybersecurity teams follow an effective workflow: observe, orient, decide, act (OODA). This naturally allows discussion and action to move swiftly when malicious activity arises.
  • Providing sufficient staff and resources. Effective cybersecurity protections can only happen when IT teams feel adequately supported. Having the necessary staff on the team to manage threats and act when problems happen significantly improves response times. Resources are also important, so training and software must also be considered.

Protect your business from malicious activity and cyber criminals with risk-based vulnerability management software.

Holly Landis
HL

Holly Landis

Holly Landis is a freelance writer for G2. She also specializes in being a digital marketing consultant, focusing in on-page SEO, copy, and content writing. She works with SMEs and creative businesses that want to be more intentional with their digital strategies and grow organically on channels they own. As a Brit now living in the USA, you'll usually find her drinking copious amounts of tea in her cherished Anne Boleyn mug while watching endless reruns of Parks and Rec.

security information and event management (SIEM) software
Is that a threat?
Find the best security information and event management (SIEM) software to identify threats and vulnerabilities in systems and endpoints.
Browse software
security information and event management (SIEM) software
Is that a threat?
Find the best security information and event management (SIEM) software to identify threats and vulnerabilities in systems and endpoints.
Browse software

Software de Threat Hunting

Esta lista muestra el software principal que menciona threat hunting más en G2.

Carbon Black EDR

Carbon Black EDR es una solución de respuesta a incidentes y búsqueda de amenazas diseñada para equipos de seguridad con entornos fuera de línea o requisitos locales. Carbon Black EDR registra y almacena continuamente datos completos de actividad de los endpoints, para que los profesionales de seguridad puedan buscar amenazas en tiempo real y visualizar la cadena completa de ataque. Los principales equipos SOC, firmas de IR y MSSP han adoptado Carbon Black EDR como un componente central de su pila de capacidades de detección y respuesta. Carbon Black EDR está disponible a través de MSSP o directamente a través de implementación local, nube privada virtual o software como servicio.

CrowdStrike Falcon Endpoint Protection Platform

La protección de endpoints de CrowdStrike Falcon unifica las tecnologías necesarias para detener con éxito las brechas: antivirus de próxima generación, detección y respuesta de endpoints, higiene de TI, caza de amenazas 24/7 e inteligencia de amenazas. Se combinan para proporcionar prevención continua de brechas en un solo agente.

Sophos MDR

Sophos ofrece soluciones nativas de la nube y mejoradas con IA que aseguran los endpoints (portátiles, servidores y dispositivos móviles) y redes contra tácticas y técnicas cibercriminales en evolución, incluyendo brechas automatizadas y de adversarios activos, ransomware, malware, exploits, exfiltración de datos, phishing y más.

Microsoft Sentinel

Microsoft Azure Sentinel es un SIEM nativo de la nube que proporciona análisis de seguridad inteligente para toda su empresa, impulsado por IA.

Huntress Managed EDR

La plataforma de seguridad gestionada Huntress combina la detección automatizada con cazadores de amenazas humanos, proporcionando el software y la experiencia necesarios para detener ataques avanzados.

Microsoft Defender for Endpoint

Microsoft Defender para Endpoint es una plataforma unificada para la protección preventiva, la detección posterior a la violación, la investigación automatizada y la respuesta.

Cynet - All-in-One Cybersecurity Platform

AutoXDR™ converge múltiples tecnologías (EPP, EDR, UBA, Deception, Network Analytics y gestión de vulnerabilidades), con un equipo SWAT cibernético 24/7, para proporcionar una visibilidad sin igual y defender todos los dominios de su red interna: endpoints, red, archivos y usuarios, de todo tipo de ataques.

Intezer

Automatiza tu análisis de malware. Obtén respuestas rápidamente sobre cualquier archivo sospechoso, URL, punto final o volcado de memoria.

Trend Vision One

Trend Micro Vision One (XDR) recopila y correlaciona datos de actividad profunda a través de múltiples vectores: correo electrónico, endpoints, servidores, cargas de trabajo en la nube y redes, lo que permite un nivel de detección e investigación que es difícil o imposible de lograr con SIEM o soluciones puntuales individuales.

LogRhythm SIEM

LogRhythm empodera a las organizaciones en seis continentes para reducir con éxito el riesgo al detectar, responder y neutralizar rápidamente las ciberamenazas dañinas.

SentinelOne Singularity

SentinelOne predice comportamientos maliciosos en todos los vectores, elimina rápidamente las amenazas con un protocolo de respuesta a incidentes completamente automatizado y adapta las defensas contra los ataques cibernéticos más avanzados.

Kaspersky Managed Detection and Response
Microsoft Defender XDR

A medida que las amenazas se vuelven más complejas y persistentes, las alertas aumentan y los equipos de seguridad se ven abrumados. Microsoft 365 Defender, parte de la solución XDR de Microsoft, aprovecha el portafolio de seguridad de Microsoft 365 para analizar automáticamente los datos de amenazas a través de dominios, construyendo una imagen completa de cada ataque en un solo panel de control. Con esta amplitud y profundidad de claridad, los defensores ahora pueden centrarse en amenazas críticas y buscar brechas sofisticadas, confiando en que la poderosa automatización en Microsoft 365 Defender detecta y detiene ataques en cualquier parte de la cadena de eliminación y devuelve a la organización a un estado seguro.

eSentire

eSentire MDR está diseñado para mantener a las organizaciones seguras de los ciberataques en constante evolución que la tecnología por sí sola no puede prevenir.

Blackpoint Cyber

Deje que el equipo SOC gestionado de Blackpoint supervise su red para que pueda concentrarse en dirigir su negocio.

Microsoft Defender for Business

Incluso el negocio más pequeño puede ser un objetivo para un ataque de ciberseguridad. Obtenga seguridad de punto final de nivel empresarial que sea rentable y fácil de usar, diseñada especialmente para empresas con hasta 300 empleados.

Splunk Enterprise Security

Splunk Enterprise Security (ES) es un software SIEM que proporciona información sobre los datos de máquina generados a partir de tecnologías de seguridad como la red, el endpoint, el acceso, el malware, la vulnerabilidad y la información de identidad para que los equipos de seguridad puedan detectar y responder rápidamente a ataques internos y externos para simplificar la gestión de amenazas mientras minimizan el riesgo y protegen el negocio.