Cyber Hunting: Proactive Detection of Cyber Threats

Rackspace security analyst at work in the security operations center

In the day and age of expanding technologies designed and developed to enable rapidly growing business, the security methods of the past are long behind us. The era of defending our perimeters and “setting and forgetting” tools to protect our environments is over.

As technology has grown to enable new businesses opportunities, we’ve increased our attack surface — the technology footprint exploitable by cyber attackers to gain access to our data and our businesses. While we’ve found new ways of executing our business, we’ve also created new business opportunity for cyber threats.

The threats we face today are organized, motivated, well trained, well equipped and are often backed by nation states or organized crime syndicates. Threats of this sophistication require a new approach to security, with the assumption that it’s not if you will be compromised, but when.

The methods often used by advanced adversaries are undetectable by tools and require expertise and human intelligence to detect. These concepts have led to the birth of cyber hunting.

What is cyber hunting?

Cyber hunting is the proactive, human analysis of all activity occurring within your tech footprint and contextualizing that activity to your business to best identify anomalies that could be indicative of a malicious action.

This is achieved by gathering detailed sets of data from throughout your environment such as system, network infrastructure and application logs, as well as raw event data from security tooling. That data is then aggregated into single location to be reviewed and hunted by skilled security analysts.

There are two main types of cyber hunt missions Rackspace cyber analysts typically execute: generic and targeted hunts.

Generic hunts are generalized towards identifying known malicious activities and tactics, techniques, and procedures which cross all adversarial groups and industries. Essentially, the activities sought in generic hunt missions are those that are negative no matter who the attacker is or what their motivations may be.

Targeted hunts, however, are more focused and detail-oriented, and include a significant amount of prep work before the missions are executed. The process of a targeted hunt starts with understanding the business that the mission is focusing on:

  • What industry is this business in?
  • What are potential adversarial motivations?
  • What data is critical to their business?
  • What technologies are in their attack surface?
  • Are any of your organization’s existing technologies targeted by an adversary?

Once these questions have been answered, research is done to specifically identify which adversaries would be interested in targeting this business, what the tactics, techniques and procedures of that specific adversary are, how to formulate a hunt mission plan based on them,  behavioral indicators that have been identified through research, and then how to execute the mission itself specifically looking for known activities used by the adversary throughout their attack lifecycle.

Why is this important?

Cyber hunting is, in a sense, an investigative and forensic approach to cyber threat identification. Cyber hunting capabilities focus on adversary tactics, techniques and procedures early in the attacker lifecycle, thereby speeding detection in the attack and allowing for earlier response.

This reduces the risk of the attacker achieving their objectives and causing harm to your business. Most importantly, cyber hunting enables the identification of activities that often go undetected and are missed by tools. In this way, it fills a capability gap from detecting commodity threats to more sophisticated and advanced adversaries.

Expertise for a new normal

The visibility and detection capability enabled by cyber hunting, through cyber security analyst expertise, is something that cannot be replicated by a tool or machine. Security analysts’ experience and expertise allow them to use their own intellect and method of executing a cyber hunt, pivot through data and pick out anomalies, which in most cases would be passed off as legitimate administrative activity.

As we continue to develop new technologies to support and enable our businesses, we will continue to grow opportunities for adversaries to exploit and gain access to data that is critical to us. A new strategy is necessary to combat our cyber threats, and it starts with investing in security professionals and reducing reliance on tools and machines to protect what is most important to our businesses.

Visit Rackspace to find out more about how our cyber hunters can help keep your business safe, inside and out. And check out the Deep Dive interview I did on “Cyber Hunting: The Anatomy of an Attack”. You’ll hear first-hand why many traditional perimeter security approaches are no longer effective against evolved cyber-attacks.

Travis Mercier is the manager of the customer security operations center for Rackspace Managed Security, where he's responsible for day-to-day operations. Travis has more than 10 years of experience concentrated in information technology, cyber security operations and cyber defense centers, incident response, security monitoring, cyber hunting, digital forensics and cyber threat management. Prior to his current role, Travis performed large-scale security operations center build outs, incident response, malware and cyber hunting, as well as digital forensics for CrowdStrike, Inc. and Ernst and Young. Travis also led SOCs for two Fortune 100 organizations and has operated in five Fortune 100 SOCs.


  1. I found this article very useful in explaining cyber warfare to an individual has no real background or knowledge in this area. To me and simplified, cyber hunting is a tool to seek out and destroy before an opponent seeks you out and destroys you. The use of term “forensic” is very important. I may be mistaken but to me what your work has to be forensic defensible or to be able to stand up in a court of law if it ever reaches that level. I can further interpret that as being able to successfully identifying eliminate the attacker and know that you have accomplished that goal.
    Thank you for an interesting article.

    • Using more sophisticated and complex passwords can help thwart attackers ability to guess passwords and grab low hanging fruit to ultimately gain access to accounts to use for what ever means desired. However, it will not stop advanced adversaries from exploiting vulnerabilities and exhausting every means necessary to gain access to a targeted environment to live out their attack and achieve their objectives.

      All good security practices, like complex passwords, aid in complicating an adversary in their attack, but the threats we encounter today are well organized and well resourced with a sophisticated and persistent plan of attack that will in time be successful. Knowing that success is imminent it’s important how you prepare and position your entire security program and operation to effectively detect, respond, and remove the threat when it’s active.

      All good security practices


Please enter your comment!
Please enter your name here