Cyber Hunting: Through the Cyber Kill Chain

Rackspace security analyst at work in the company's Customer Security Operations Center.

Cyber hunting is a critical component of any security operations center’s attempts to provide a proactive approach to threat detection.

While hunting for threats is not itself a new concept, its execution is constantly evolving. The current incarnation of threat hunting has been driven by improved capabilities for processing big data and the advent of advanced statistical analysis and machine learning.

Many frameworks and methodologies have been created around modern cyber threat hunting. Some of these particular implementations are specialized for specific environments, circumstances or data sources, while others are more generic, applicable to any situation.

What the majority of these methodologies have in common, however, is that they leverage or reference an attacker lifecycle in some way.

The attacker lifecycle

The cyber kill chain is an industry-wide de facto standard for modeling threats within the cyber ecosystem. The kill chain was originally created by several researchers at the Lockheed Martin Corporation as part of a methodology to more appropriately model and defend against increasingly advanced adversaries.

The primary benefit of approaching defensive cyber operations from the perspective of the kill chain is a disciplined framework to focus and scope intelligence-driven defensive operations such as cyber threat hunting.

Scoping hunt missions

The cyber kill chain is broken down into the following categories:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and control (C2)
  • Actions on objectives

As alluded to in this blog post, Rackspace cyber analysts participate in both targeted and generic hunts. The kill chain is leveraged through both approaches.

The best way to understand the advantage of leveraging the kill chain for hunting is to walk through an example hunt in detail.

The hunt

First, we must determine the data sources relevant to the hunt. These may include system logs, security event data and host-level information (such as data from Sysmon). Next, the extent of the data sources must be established: whether it covers the entire enterprise, a certain subnet or just a subset of individual systems. This is easily accomplished if the data is rolled up into Splunk, ELK or another security information and event management (SIEM) platform.

One of the primary advantages of a managed security service provider with multiple customers is an expanded, diverse data set against which to make comparisons. While this adds some complication in baselining, it significantly increases the value of the data set for comparative analysis when identifying suspicious activity based on anomalies.

With targeted hunting, the pre-defined scope of potential adversaries and their historically attributable tactics, techniques and procedures are taken into account and broken out into their respective categories within the cyber kill chain. This allows analysts to focus on appropriate data sources necessary for locating indicators of compromise, indicators of activity, or anything else of relevance.

When conducting generic hunting, analysts can appropriately scope the focus of individual hunt missions based on the categories of the cyber kill chain. Furthermore, analysts can choose to look for specific identifiers within the respective category chosen, within the larger data set or a combination of the two. Anomaly-based generic hunting requires multiple successive pivots to systematically filter out more data and lower the noise floor.

Additionally, we must determine the window of time to focus on. For generic hunting, these missions are usually executed on cyclical rotations, ensuring activity from any given timeframe gets coverage. Analysts can also start hunting very broadly within the defined scope, making a series of pivots on the data returned until it reaches a manageable size for the analyst to review line by line.

Should any indicators or suspicious items be found, analysts can then shift the focus laterally across the cyber kill chain to establish more evidence of an attack or escalate to a senior analyst to carry out the investigation. If activity is caught early enough, it is even possible to hinder interactive attacker activity in progress.
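
An added example, not from the original article or from Rackspace tooling: a generic, anomaly-based hunt scoped to one kill chain category, narrowed by successive pivots, then shifted laterally to another category for the hosts that produced leads. The event records, host names, the category-to-Sysmon-event-ID mapping and the `max_hosts` threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed mapping of kill chain categories to Sysmon event IDs
# (3 = network connection, 11 = file create, 13 = registry value set).
STAGE_EVENT_IDS = {
    "Installation": {11, 13},
    "Command and control (C2)": {3},
}

def _ev(ts, host, event_id, image, detail):
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": event_id, "image": image, "detail": detail}

# Constructed sample data: six hosts with common traffic, plus a few outliers.
HOSTS = [f"ws{i:02d}" for i in range(1, 7)]
EVENTS = [_ev("2024-03-04T09:00:00", h, 3, img, "203.0.113.10:443")
          for h in HOSTS for img in ("chrome.exe", "svchost.exe")]
EVENTS += [
    _ev("2024-03-04T09:05:00", "ws03", 3, "unknown_tool.exe", "198.51.100.7:8443"),
    _ev("2024-03-04T09:06:00", "ws03", 13, "reg.exe", "autorun value set"),
    _ev("2024-02-01T09:00:00", "ws05", 3, "updater.exe", "192.0.2.9:443"),
]

def hunt(events, stage, start, end, max_hosts=1):
    """Return (remaining events, row count after each pivot)."""
    sizes = [len(events)]
    # Pivot 1: keep only the data sources relevant to the chosen category.
    rows = [e for e in events if e["event_id"] in STAGE_EVENT_IDS[stage]]
    sizes.append(len(rows))
    # Pivot 2: restrict to the hunt's time window.
    rows = [e for e in rows if start <= e["ts"] < end]
    sizes.append(len(rows))
    # Pivot 3: stack count; keep images seen on at most max_hosts hosts.
    hosts_by_image = defaultdict(set)
    for e in rows:
        hosts_by_image[e["image"]].add(e["host"])
    rows = [e for e in rows if len(hosts_by_image[e["image"]]) <= max_hosts]
    sizes.append(len(rows))
    return rows, sizes

def pivot_lateral(events, leads, stage):
    """Shift to another category, limited to hosts that produced leads."""
    hosts = {e["host"] for e in leads}
    return [e for e in events
            if e["host"] in hosts and e["event_id"] in STAGE_EVENT_IDS[stage]]

if __name__ == "__main__":
    leads, sizes = hunt(EVENTS, "Command and control (C2)",
                        datetime(2024, 3, 4), datetime(2024, 3, 5))
    print(sizes, leads, pivot_lateral(EVENTS, leads, "Installation"))
```

The row counts returned by `hunt` show how each pivot lowers the noise floor; on real data the rarity threshold would be tuned against the baseline of the environment or customer population being compared.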


Cyber threat hunting is critical to effectively identifying potential threats or compromises by taking a proactive approach. There are many different methodologies and techniques to guide cyber hunt missions, but the right one should be dictated by specific circumstances.

Regardless of how it is executed, examining the environment through the attacker lifecycle will help guide the mission’s scope and provide additional insight which might not have been considered.

Taking a proactive approach to securing and detecting malicious activity within your environment is paramount in today’s technologically dependent landscape. Hunting through an attacker lifecycle or the cyber kill chain will allow you to identify and stop threats which traditional signature-based methods might miss.

Leveraging an existing security organization already equipped with the tools, processes and expertise is the quickest, and oftentimes the least expensive, way to get started with cyber threat hunting in your environment.

This article has been a high-level review of cyber threat hunting through the cyber kill chain. For a more in-depth analysis and review, with specific examples, please refer to the author’s additional article here.

Justin Ibarra is a team lead and senior cyber security analyst for the customer security operations center for Rackspace Managed Security, and is responsible for all ongoing security operations and incidents within the CSOC during his shift. Justin has over ten years of experience across a broad range within the cyber security and information technology spectrum, including incident handling and response, network security, network operations and management and systems administration. Prior to joining Rackspace, Justin spent time in a diverse array of environments, ranging from worldwide enterprises to remote, tactical networks including cyber centers, SOCs, NOCs, NOSCs and TOCs within the military and DoD. Justin received a bachelor's and Master of Science in cyber security from the University of Texas at San Antonio.

