Behavioral vs Indicator-Based Threat Hunting (And Why You Should Be Doing Both To Be Successful)

Threat hunting. It’s a term thrown around a lot in cybersecurity, but what does it really mean to proactively search for hidden threats in your network? More importantly, how do you do it effectively?

Many security teams lean heavily on indicator-based hunting – searching for known “bad stuff” like malicious file hashes, IP addresses, or domain names found on threat intel feeds. It makes sense; if something is confirmed malicious elsewhere, you want to know if it’s knocking on your door.

But what about the threats that aren’t on a list yet? The custom malware, the novel techniques, the “living off the land” attacks using legitimate tools? That’s where behavioral threat hunting comes in.

Today, we’re diving into both approaches. We’ll explore why simply checking blacklists isn’t enough and how combining indicator sweeps with behavioral analysis builds a far more resilient and effective threat hunting program.

Setting the Stage: The Pyramid of Pain

Before we jump into examples, let’s talk about a foundational concept: David Bianco’s Pyramid of Pain. Imagine a pyramid. At the easy-to-climb base, you have things attackers can change trivially – like file hash values. Move up, and you hit IP addresses and domain names, slightly more annoying for them to swap out. Higher still are network and host artifacts (the digital footprints left behind). Near the top are the tools attackers use. Finally, at the peak, are their TTPs (Tactics, Techniques, and Procedures) – their methods and behaviors.

The core idea? As you climb the pyramid, detecting and blocking at higher levels causes attackers significantly more pain, forcing them to change their fundamental strategies, not just swap out a cheap indicator. Both indicator and behavioral hunting can operate at all levels, but behavioral hunting truly shines as you move up that pyramid.

Layer by Layer: Indicator vs. Behavioral Hunting in Action

Let’s walk through the pyramid layers and see how these two hunting styles compare.

1. Hash Values (The Base Camp)

  • Indicator Approach: “I have a list of known malicious hashes (like for the tool PSExec, which many threat groups use). Let’s sweep the network to see if any files match these hashes.”
  • Limitation: Attackers can easily change a file’s hash by recompiling or making tiny modifications. If they use a slightly altered version of PSExec, your hash-only hunt misses it completely.
  • Behavioral Approach: “We know what our standard, approved version of PSExec looks like (its hash, its file signature). Let’s hunt for versions of PSExec that don’t match our baseline.” Or, “Let’s use YARA rules that look for characteristics of PSExec functionality, not just a specific hash.”
  • Why Combine? Even with behavioral hunting, knowing your expected hashes is valuable. Finding a deviation from that expected hash is a strong behavioral signal. Hashes, when matched, offer high confidence (barring rare hash collisions). They’re also useful when network encryption or file extraction limits might prevent deeper inspection at the boundary.


2. IP Addresses (Gaining Altitude)

  • Indicator Approach: “CISA Alert AA22-296A mentioned a specific Turkish IP address used in attacks. Let’s search all our logs for connections to or from that IP.”
  • Limitation: Attackers rotate IPs constantly. They use VPNs, Tor, and compromised infrastructure. Hunting only for known bad IPs is like playing whack-a-mole.
  • Behavioral Approach: “That CISA alert IP was hosted by Turkcell. How often should our network (e.g., a DoD network) be communicating with Turkcell? Does this traffic pattern fit our expected baseline?” This involves enriching IP data:
    • What’s the Autonomous System Number (ASN)? Who owns the IP block?
    • Is it associated with unusual registrar data?
    • Does the IP belong to an industry or geography we don’t normally interact with (e.g., a compromised university IP attacking a financial institution)?
  • Why Combine? The specific indicator (the IP from the alert) provides a starting point. The behavioral analysis (checking if that IP belongs) provides context and helps uncover other suspicious IPs that aren’t on any list yet but exhibit similar unusual characteristics.


3. Domain Names (Navigating Tricky Terrain)

  • Indicator Approach: “That same CISA alert mentioned ColumbusAirports.MicrosoftOnline.host being used. Let’s sweep DNS logs, proxy logs, and endpoint data for any mention of this domain.”
  • Limitation: Like IPs, malicious domains can be short-lived. Attackers use domain generation algorithms (DGAs) and fast-flux DNS. Relying solely on known bad domains means you’re always a step behind.
  • Behavioral Approach: “Okay, an attacker registered this domain. Let’s look beyond the name.” Enrich the domain just as you would an IP:
    • What IP does it resolve to? Where is it hosted (e.g., LeaseWeb, as in the example)?
    • What protocols are used to communicate with it? Is someone unexpectedly using SMB straight out to this external domain?
    • Who registered it? When? Does the registration info look suspicious?
    • Who inside our network is communicating with it? Does it make sense for HR or finance systems to talk to this domain?
    • Is it using TLS? (Even if the traffic is encrypted, the DNS lookups and connection patterns are still valuable.)
  • Why Combine? The known bad domain is a concrete lead. The behavioral hunt examines the context and usage patterns surrounding that domain (and others like it), potentially revealing C2 infrastructure or data exfiltration channels even if the specific indicator changes.
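To make the enrichment steps in the IP and domain sections concrete, here is an added Python example (my illustration, not code from the original post or from Insane Cyber) that runs an indicator sweep and two behavioral checks over constructed connection records: an ASN-rarity check against a 30-day baseline, and an outbound-SMB check keyed on the internal asset’s role. The indicator IP, the IP-to-ASN map, the asset roles and the baseline are all made-up stand-ins for a threat feed, a WHOIS/ASN lookup and an asset inventory.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Everything below is constructed sample data: RFC 5737 documentation IPs,
# RFC 5398 private-use ASNs, and a made-up asset inventory and baseline.
INTERNAL_NET = ip_network("10.0.0.0/8")
INDICATOR_IPS = {"203.0.113.7"}                     # stands in for the IP from the alert
ASN_MAP = {                                         # stands in for a WHOIS/ASN lookup
    "198.51.100.": (64496, "Example SaaS Provider"),
    "203.0.113.": (64500, "Example Foreign Telco"),
}
ASSET_ROLE = {"10.0.1.5": "hr-fileserver", "10.0.2.9": "workstation", "10.0.3.3": "finance-db"}
# 30-day baseline: number of internal hosts that normally talk to each ASN.
BASELINE_HOSTS_PER_ASN = Counter({64496: 180})

def enrich(ip):
    """Return (asn, owner) for an external IP; (None, 'unknown') if not in the map."""
    for prefix, asn_owner in ASN_MAP.items():
        if ip.startswith(prefix):
            return asn_owner
    return (None, "unknown")

def hunt(flows):
    """flows: (src, dst, dst_port, proto). Returns a list of (reason, flow) findings."""
    findings = []
    for flow in flows:
        src, dst, port, _proto = flow
        if ip_address(dst) in INTERNAL_NET:
            continue  # internal-to-internal traffic is outside this sweep
        asn, owner = enrich(dst)
        role = ASSET_ROLE.get(src, "unknown-asset")
        # Indicator layer: exact match on the known-bad IP, high confidence but brittle.
        if dst in INDICATOR_IPS:
            findings.append(("indicator: known-bad IP", flow))
        # Behavioral layer: the destination ASN never appears in the baseline, so this
        # also catches sibling IPs in the same block that are on no list yet.
        if asn is not None and BASELINE_HOSTS_PER_ASN[asn] == 0:
            findings.append((f"behavior: first contact with AS{asn} ({owner})", flow))
        # Behavioral layer: SMB straight out to the internet is abnormal for any role.
        if port == 445:
            findings.append((f"behavior: outbound SMB from {role}", flow))
    return findings

FLOWS = [  # constructed sample flows
    ("10.0.2.9", "198.51.100.20", 443, "tcp"),  # routine SaaS traffic, baseline ASN
    ("10.0.1.5", "203.0.113.7", 443, "tcp"),    # HR file server to the alert IP
    ("10.0.3.3", "203.0.113.40", 445, "tcp"),   # finance DB, SMB out to the same ASN
    ("10.0.2.9", "10.0.1.5", 445, "tcp"),       # internal SMB, skipped
]
```

Running `hunt(FLOWS)` yields one indicator hit plus three behavioral findings; note that the third flow is caught purely by ASN rarity and protocol, with no indicator involved.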


4. Network & Host Artifacts (Finding Footprints)

  • Indicator Approach: “Let’s search network traffic (PCAPs, NetFlow, Zeek logs) and endpoint logs for known bad IPs, domains, hashes, or even specific User-Agent strings (like the default Nmap scanner string).”
  • Limitation: Static indicators are brittle. Attackers often customize user agents and avoid easily identifiable markers.
  • Behavioral Approach: “Instead of just the PSExec hash, let’s look for the typical network and host activity generated when PSExec runs (e.g., specific service creation events on the endpoint, certain types of SMB traffic patterns). Do we see these behaviors associated with unusual source/destination IPs or accounts, or happening at odd times?” This involves looking for patterns and anomalies:
    • Unusual process execution chains.
    • Connections to unexpected ports or geolocations.
    • Data transfers exceeding normal baselines.
    • Logon activity outside business hours or from unusual locations.
  • Why Combine? Indicators provide sharp, specific alerts within the noise. Behavioral analysis provides the wider context, helping you spot the technique (e.g., lateral movement using some tool) even if the specific indicator (the exact hash of that tool) is unknown or modified.
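As an added example of hunting the footprint rather than the hash (my illustration, not code from the original post or from Insane Cyber), the Python below scores Windows service-install events (System log event 7045) by the activity around them: a network logon (Security event 4624, logon type 3) on the same host within five minutes, a service binary outside standard install locations, and an off-hours timestamp. The pipe-delimited log format, the approved-service baseline, the business hours and the sample events are all constructed.

```python
from datetime import datetime, timedelta

# Constructed baseline: approved services, business hours, logon-to-install window, install paths.
APPROVED_SERVICES = {"EdrAgent", "BackupSvc"}
BUSINESS_HOURS = range(7, 19)
WINDOW = timedelta(minutes=5)
STANDARD_PATHS = ("c:\\program files", "c:\\windows\\system32")

def parse(line):
    """Constructed log format: 'ISO-time|host|event_id|key=value;key=value'."""
    ts, host, eid, fields = line.strip().split("|", 3)
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "eid": int(eid)}
    rec.update(kv.split("=", 1) for kv in fields.split(";") if kv)
    return rec

def hunt(lines):
    """Score unapproved 7045 installs by their footprint; returns [(host, service, account, score, reasons)]."""
    events = [parse(line) for line in lines]
    net_logons = [e for e in events if e["eid"] == 4624 and e.get("LogonType") == "3"]
    findings = []
    for svc in (e for e in events if e["eid"] == 7045):
        if svc["ServiceName"] in APPROVED_SERVICES:
            continue
        reasons, score = ["service not in approved baseline"], 1
        # A network logon on the same host just before the install is the lateral-movement signal.
        prior = [lg for lg in net_logons if lg["host"] == svc["host"]
                 and timedelta(0) <= svc["ts"] - lg["ts"] <= WINDOW]
        account = prior[-1]["Account"] if prior else "n/a"
        if prior:
            reasons.append(f"network logon by {account} from {prior[-1]['IpAddress']} within {WINDOW}")
            score += 2
        if not svc["ImagePath"].lower().startswith(STANDARD_PATHS):
            reasons.append("service binary outside standard install locations")
            score += 1
        if svc["ts"].hour not in BUSINESS_HOURS:
            reasons.append("installed outside business hours")
            score += 1
        findings.append((svc["host"], svc["ServiceName"], account, score, reasons))
    return findings

LOG = [  # constructed sample events; the last pair is a renamed copy with the same footprint
    "2024-05-01T10:02:11|WS-22|4624|LogonType=2;Account=alice;IpAddress=-",
    "2024-05-01T10:05:40|WS-22|7045|ServiceName=EdrAgent;ImagePath=C:\\Program Files\\EDR\\agent.exe",
    "2024-05-01T11:00:00|WS-22|7045|ServiceName=PrinterHelper;ImagePath=C:\\Program Files\\Printer\\helper.exe",
    "2024-05-01T02:13:50|FS-01|4624|LogonType=3;Account=svc_backup;IpAddress=10.0.2.9",
    "2024-05-01T02:14:03|FS-01|7045|ServiceName=PSEXESVC;ImagePath=C:\\Windows\\PSEXESVC.exe",
    "2024-05-01T02:31:20|FS-02|4624|LogonType=3;Account=svc_backup;IpAddress=10.0.2.9",
    "2024-05-01T02:31:29|FS-02|7045|ServiceName=updsvc;ImagePath=C:\\Windows\\updsvc.exe",
]
```

`hunt(LOG)` scores the daytime printer helper at 1 and both overnight installs at 5, the renamed service included, because nothing in the scoring depends on the binary’s hash or name.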


5. Tools (Examining the Attacker’s Kit)

  • Indicator Approach: “APT29 uses tools packed with PyInstaller. Let’s use a YARA rule designed to detect PyInstaller artifacts in files across our network.”
  • Limitation: Smart attackers know about common detection rules. They might pack their executables differently, strip out tell-tale strings, or use tools that don’t have good signatures. Also, legitimate software might use PyInstaller, creating noise.
  • Behavioral Approach: “Okay, PyInstaller is one artifact. But how does APT29 typically use tools like this? What techniques does their malware (like OnionDuke, an older example) employ?” Using frameworks like MITRE ATT&CK helps here:
    • Does the tool use HTTP/HTTPS for C2?
    • Does it perform string decryption in a specific way?
    • Does it try to contact unusual platforms (like Twitter for C2, as OnionDuke did)?
    • Look for the combination of these behaviors, not just a single tool signature.
  • Why Combine? A YARA hit gives you a potential lead (this might be the tool). The behavioral analysis confirms if the activity surrounding that potential tool matches known malicious TTPs, helping filter false positives and catch evasive variants.


6. TTPs (Reaching the Summit: Understanding the ‘How’)

  • Indicator Approach: Becomes less distinct here, often relying on sequences of lower-level indicators.
  • Behavioral Approach: This is the heartland of behavioral hunting. It’s about understanding the attacker’s playbook. “Regardless of the specific hash, IP, domain, or even tool, how does this attacker achieve persistence? How do they typically move laterally? How do they exfiltrate data?”
    • Attackers have constraints. There are only so many ways to dump credentials, escalate privileges, or communicate covertly.
    • Focus on detecting these fundamental techniques and sequences of actions.
    • Mapping observed activities to known MITRE ATT&CK techniques provides a structured way to understand the “what” and “how” of an attack chain.
  • Why Combine? TTP analysis connects the dots. Lower-level indicators and behavioral observations (unusual process, weird connection, specific tool artifact) become nodes in a graph representing the attacker’s likely TTPs. This holistic view is the most resilient to attacker changes.


The Bottom Line: Hunt Smarter, Not Just Harder

Indicator-based hunting is essential. It gives you quick wins, leverages community intelligence, and helps find known threats efficiently. Don’t discard your IOC feeds!

But relying only on indicators is like trying to guard a castle by only watching the front gate while ignoring suspicious movements along the walls.

Behavioral hunting complements this by:

  • Finding the Unknown: Catching novel malware, zero-days, and custom attacker tools.
  • Detecting Misuse: Identifying legitimate tools used for malicious purposes (“living off the land”).
  • Adding Context: Understanding the “why” behind an alert, reducing false positives.
  • Increasing Resilience: Making detection harder to evade, forcing attackers to change fundamental behaviors (climbing higher on the Pyramid of Pain).


By integrating both indicator sweeps and behavioral analysis into your threat hunting program, you move from simple pattern matching to truly understanding the adversary’s actions within your environment. You’ll hunt smarter, catch more, and build a significantly stronger defense.

Ready to level up your hunt? Start thinking beyond the blacklist.
