OT Threat Hunting Isn’t About Finding Bad Guys. It’s About Knowing What “Normal” Looks Like.
Threat hunting has a branding problem.
The term sounds active, aggressive, and adversary-focused. It suggests a team of defenders moving through an environment, looking for hidden attackers and smoking them out before damage is done.
That picture isn’t entirely wrong. But in operational technology environments, it misses the point.
In a recent OT Office Hours conversation, Joe Slowik joined Insane Cyber to talk through what threat hunting really looks like in industrial environments. The discussion covered AI, asset inventory, incident response, living-off-the-land techniques, encrypted traffic, NetFlow, and the messy reality of trying to defend systems where uptime matters and “normal” is rarely simple.
But one theme kept coming back: effective OT threat hunting starts with understanding your own environment.
Not the attacker’s environment. Not a theoretical kill chain. Not the latest report about a nation-state actor. Your environment.
Because if you don’t know what normal looks like, you can’t reliably spot what doesn’t belong.
Threat Hunting is not a Magic Adversary-Finding Machine
One of the biggest misconceptions around threat hunting is that it is purely proactive.
The story usually goes something like this: instead of waiting for alerts, defenders go out and hunt for attackers before they cause harm. That sounds good in a conference talk. It sounds good in a budget request. It sounds good in a maturity model.
But there is a practical problem: what exactly are you hunting for?
As Joe pointed out, a threat hunt can help interrupt adversary activity, but the adversary has to be present in the first place. If the only way to prove the value of a hunting program is to find active intrusions, then the program’s success depends on the organization already being compromised. That is not a healthy metric.
A better way to think about threat hunting is as a bridge between threat intelligence and durable detection.
Threat intelligence gives defenders ideas about what adversaries may do. Threat hunting tests whether available data can reveal those behaviors. The output should not just be a one-time finding. The output should help build persistent detection logic, refine the monitoring strategy, and improve the organization’s ability to see the next attempt.
That shift matters in OT.
Industrial environments often have limited visibility, long equipment lifecycles, vendor-specific protocols, fragile processes, and operational constraints that make security work harder than it looks from the outside. A hunt that simply says “we found something weird” and throws it over the fence to operations is not helpful.
A good OT hunt adds context. It asks better questions. It narrows uncertainty.
Visibility is Still the Foundation
It is almost impossible to talk about OT security without saying some version of “you can’t protect what you can’t see.”
It is also almost impossible to overstate how hard that problem remains.
Asset inventory sounds basic until you try to do it in a real plant, utility, manufacturing site, or remote industrial environment. The design documentation may not match the current state. Configuration drift happens. Shadow IT happens. Temporary changes become permanent. A system that looked one way on day one may look very different on day 365, day 900, or day 1,800.
That is why visibility cannot be treated as a one-time project.
For OT threat hunting, visibility means understanding what data exists, what it can tell you, and just as importantly, what it cannot tell you. A packet capture, a NetFlow record, firewall logs, engineering workstation activity, historian traffic, and controller communications all answer different questions.
The danger is assuming your tooling sees more than it does.
If a team launches a hunt without understanding those visibility gaps, the results can create false confidence. They may conclude there is no evidence of malicious activity when the truth is simpler: they did not have the right data to see it.
In OT, that distinction matters.
Behavioral Detection is Powerful, but it Comes with Tradeoffs
Security teams have been told for years to move beyond indicators of compromise and focus on behaviors.
That advice is directionally right. It is also often oversimplified.
Indicators are specific. A hash, IP address, domain, or file name can be useful when you are looking for a known thing. But indicators are narrow. They are easy for adversaries to change, and they tend to miss variations of the same activity.
Behaviors operate at a higher level. They ask what the adversary is trying to do, not just which specific artifact they used last time.
That is especially important as adversaries get better at blending in.
Joe noted that many higher-end actors have moved away from custom, exotic, easily flagged tooling until the very final stages of an operation. Instead, they increasingly operate in ways that resemble legitimate administrators, engineers, or system operators. This living-off-the-land approach makes detection much harder, especially in OT environments that do not have strong endpoint telemetry or high-fidelity collection.
But behavioral detection is not free.
The more flexible the detection, the more likely it is to catch edge cases, variations, and unknown activity. It is also more likely to generate benign findings. The more specific the detection, the more confidence you may have in a match, but the more likely you are to miss related activity.
Threat hunting lives in that tension.
The job is not simply to write a broad query and call every result suspicious. The job is to refine, enrich, and interpret findings in an operational context.
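The two points above, that a hunt should leave behind persistent detection logic and that indicator matching and behavioral matching trade precision for coverage, are easier to see side by side. The block below is an added illustration written for this page, not code from the article or from Insane Cyber. The hosts, users, hashes, file names, command lines and the maintenance record are all constructed; the "PLC subnet", the list of write-style arguments and the `ProcEvent` shape are assumptions chosen to keep the example self-contained.

```python
"""Indicator match versus behavioral match over constructed engineering-
workstation process events. Added example for this page; not code from the
article. Every event, hash and host name below is made up."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str               # workstation that logged the process (constructed)
    user: str
    image: str              # executable name as logged
    sha256: str             # constructed, truncated stand-in for a real hash
    cmdline: str
    dst_ip: Optional[str]   # outbound connection the process made, if any


# Indicator from a (constructed) intel report: one hash and one file name.
IOC_HASHES = {"aaaa1111"}
IOC_NAMES = {"evil_pusher.exe"}

# Assumed controller subnet and argument words that mean "change the logic".
PLC_SUBNET = "10.10.20."
WRITE_WORDS = ("download", "write", "push", "program")

# Constructed change record: this engineer is scheduled to work on line 3.
MAINTENANCE = {("EWS-02", "j.engineer")}


def ioc_match(ev: ProcEvent) -> bool:
    """Narrow: fires only on the exact artifact the report described."""
    return ev.sha256 in IOC_HASHES or ev.image.lower() in IOC_NAMES


def behavior_match(ev: ProcEvent) -> bool:
    """Broad: any process that reaches the controller subnet with a
    write-style argument. Catches renamed tools and vendor utilities alike,
    which is why it also fires on legitimate engineering work."""
    if ev.dst_ip is None or not ev.dst_ip.startswith(PLC_SUBNET):
        return False
    lowered = ev.cmdline.lower()
    return any(word in lowered for word in WRITE_WORDS)


# Constructed sample events, one per case the text describes.
EVENTS = [
    # 1. The exact tool from the report: both rules fire.
    ProcEvent("EWS-01", "svc_backup", "evil_pusher.exe", "aaaa1111",
              "evil_pusher.exe --target 10.10.20.5 --download logic.bin",
              "10.10.20.5"),
    # 2. Same tool, rebuilt and renamed: the indicator misses it.
    ProcEvent("EWS-01", "svc_backup", "svchost_update.exe", "bbbb2222",
              "svchost_update.exe --target 10.10.20.5 --download logic.bin",
              "10.10.20.5"),
    # 3. A plant engineer's scheduled program download with the vendor tool:
    #    the behavioral rule fires; this is the benign finding needing context.
    ProcEvent("EWS-02", "j.engineer", "VendorStudio.exe", "cccc3333",
              "VendorStudio.exe /project line3.prj /download", "10.10.20.7"),
    # 4. Same engineer, read-only monitoring: nothing fires.
    ProcEvent("EWS-02", "j.engineer", "VendorStudio.exe", "cccc3333",
              "VendorStudio.exe /project line3.prj /monitor", "10.10.20.7"),
    # 5. Browser on a business host: nothing fires.
    ProcEvent("CORP-PC-9", "a.user", "chrome.exe", "dddd4444",
              "chrome.exe", "203.0.113.10"),
]


def hunt(events: List[ProcEvent] = EVENTS,
         maintenance=MAINTENANCE) -> Tuple[List[ProcEvent],
                                           List[Tuple[ProcEvent, str]]]:
    """Run both rules. Behavioral hits are enriched with whether a documented
    change explains them, so the hunter escalates with context instead of
    forwarding every match as 'please investigate'."""
    ioc_hits = [ev for ev in events if ioc_match(ev)]
    behavior_hits = []
    for ev in events:
        if behavior_match(ev):
            context = ("documented maintenance"
                       if (ev.host, ev.user) in maintenance
                       else "no documented change")
            behavior_hits.append((ev, context))
    return ioc_hits, behavior_hits


if __name__ == "__main__":
    ioc, beh = hunt()
    print("indicator rule:", [e.image for e in ioc])
    for ev, ctx in beh:
        print("behavior rule:", ev.host, ev.user, ev.image, "->", ctx)
```

Running it shows the shape of the tradeoff: the indicator rule finds only event 1, the behavioral rule finds events 1, 2 and 3, and only the maintenance context separates event 3 from the other two. The durable output of the hunt is the behavioral rule plus the enrichment step, not the one hash.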
AI is Changing the Workflow on Both Sides
No modern security conversation can avoid AI, and OT is no exception.
For defenders, AI can be a useful assistant. It can speed up research, summarize information, help generate hypotheses, and support analysis workflows. For experienced practitioners, that can be valuable.
The risk comes when users treat AI output as authoritative.
Joe described using AI as a research assistant, but also being a hard customer. When a model misses a known incident, fails to cite a source, or produces an incomplete answer, an experienced analyst can challenge it. A junior analyst may not know what was missed.
That is the core issue.
AI can help people move faster, but it does not replace domain expertise. In OT, that expertise includes understanding protocols, process behavior, engineering workflows, safety implications, and the difference between something that is merely unusual and something that is operationally dangerous.
On the adversary side, AI is already lowering the barrier for less skilled actors. A low-skill attacker no longer needs deep knowledge of a water treatment device, industrial protocol, or default credential pattern if they can ask a model for guidance. That does not magically turn them into elite operators, but it can help them operate above their natural skill level.
That should concern defenders.
Not because AI creates a brand-new class of unstoppable adversary, but because it makes mediocre adversaries more capable.
When a Hunt Finds Something, Context is Everything
Finding suspicious activity is not the end of a hunt. In many ways, it is where the hard part begins.
In OT, a finding cannot simply be tossed to the SOC or plant team with a note that says “please investigate.” That approach burns trust quickly.
A useful threat hunt finding should explain what was observed, why it matters, how it relates to the environment, and whether it appears consistent with known operations. The hunter needs to refine the question before escalating it.
That requires both technical and operational understanding.
A suspicious protocol command may be alarming in one context and routine in another. A strange connection may be a sign of compromise, or it may be part of a maintenance workflow nobody documented properly. A behavior that looks like lateral movement in IT may have a different explanation in an engineering environment.
The goal is not to eliminate uncertainty. That is rarely possible.
The goal is to reduce uncertainty enough that responders and operators can make better decisions.
NetFlow Still Deserves Respect
When asked about a favorite dataset, Joe gave a simple answer: NetFlow.
That may surprise people who expect a more exotic answer. But traffic metadata can still tell defenders a lot.
Who is talking to whom? Over what ports? How often? In which direction? Is the communication east-west or north-south? Is the pattern consistent with what should happen in this part of the environment?
In many OT environments, defenders may not have full packet capture everywhere. They may not have endpoint telemetry on every asset. They may not have modern detection coverage across legacy systems.
But they may have flow data.
Used well, that data can reveal relationships, patterns, and anomalies that deserve investigation. It may not answer every question, but it can help defenders ask better ones.
For OT security, that is often where progress starts.
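The questions in the NetFlow section (who talks to whom, over what port, in which direction, and whether that fits this part of the environment) and the earlier point that a finding should carry context before it is escalated come together in a baseline-then-compare pass over flow records. The block below is an added example written for this page, not code from the article or from Insane Cyber. The subnets, zone names, asset inventory, ports, flow records and the change record are constructed; the severity ladder is one reasonable assumption, not a standard.

```python
"""Baseline-then-compare over NetFlow-style records, with each finding
enriched from an asset inventory and a change record. Added example for
this page; not code from the article. All addresses, assets and flows are
constructed."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Set, Tuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed zoning of the plant network.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "supervisory": ipaddress.ip_network("10.10.10.0/24"),  # HMI, historian, EWS
    "control": ipaddress.ip_network("10.10.20.0/24"),      # controllers
}

# Constructed asset inventory. Gaps in it surface as "unknown asset" below,
# which is itself a useful hunt result.
ASSETS = {
    "10.10.10.5": "HMI-01",
    "10.10.10.20": "historian",
    "10.10.10.30": "EWS-01 (engineering workstation)",
    "10.10.20.5": "PLC-line1",
    "10.10.20.7": "PLC-line3",
}

# Constructed change record: EWS-01 is scheduled to reprogram PLC-line3.
CHANGE_RECORDS = {("10.10.10.30", "10.10.20.7"): "logic update, line 3"}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def build_baseline(flows: List[Flow]) -> Set[Tuple[str, str, int, str]]:
    """Conversations seen during a period operators vouch for as normal."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}


def classify(flow: Flow, baseline: Set[Tuple[str, str, int, str]]) -> Optional[dict]:
    """None for a baselined conversation; otherwise a finding that carries
    the context a responder needs: who, which zones, which direction, and
    whether a change record already explains it."""
    if (flow.src, flow.dst, flow.dport, flow.proto) in baseline:
        return None
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    direction = "east-west" if src_zone == dst_zone else "north-south"
    change = CHANGE_RECORDS.get((flow.src, flow.dst))
    if change:
        severity = "low"      # new but explained; confirm with the engineer
    elif dst_zone == "control" and src_zone in ("enterprise", "external"):
        severity = "high"     # business or outside network reaching controllers
    elif "external" in (src_zone, dst_zone):
        severity = "high"     # plant asset talking off-network
    elif direction == "north-south":
        severity = "medium"   # crossed a zone boundary with no record
    else:
        severity = "low"      # new conversation inside one zone; still ask
    return {
        "src": f"{flow.src} ({ASSETS.get(flow.src, 'unknown asset')})",
        "dst": f"{flow.dst} ({ASSETS.get(flow.dst, 'unknown asset')})",
        "port": f"{flow.dport}/{flow.proto}",
        "zones": f"{src_zone} -> {dst_zone}",
        "direction": direction,
        "change_record": change,
        "severity": severity,
    }


# Constructed "week one" flows that operators confirmed as routine.
BASELINE = build_baseline([
    Flow("10.10.10.5", "10.10.20.5", 502, "tcp"),    # HMI polls PLC-line1
    Flow("10.10.10.5", "10.10.20.7", 502, "tcp"),    # HMI polls PLC-line3
    Flow("10.10.10.20", "10.10.10.5", 5000, "tcp"),  # historian collects from HMI
    Flow("10.1.5.44", "10.10.10.20", 443, "tcp"),    # enterprise user reads historian
])

# Constructed flows from a later week.
NEW_FLOWS = [
    Flow("10.10.10.5", "10.10.20.5", 502, "tcp"),     # routine, no finding
    Flow("10.10.10.30", "10.10.20.7", 502, "tcp"),    # EWS to PLC, change record exists
    Flow("10.1.5.44", "10.10.20.5", 44818, "tcp"),    # enterprise laptop straight to a PLC
    Flow("10.10.10.20", "198.51.100.7", 443, "tcp"),  # historian talking to an outside host
    Flow("10.10.20.5", "10.10.20.7", 502, "tcp"),     # PLC to PLC, never seen before
]


def run_hunt(flows: List[Flow] = NEW_FLOWS, baseline=BASELINE) -> List[dict]:
    return [f for f in (classify(fl, baseline) for fl in flows) if f]


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding["severity"].upper(), finding["src"], "->", finding["dst"],
              finding["port"], finding["zones"], finding["direction"],
              finding["change_record"] or "no change record")
```

The first flow produces nothing because it is normal for this plant. The engineering-workstation flow is new but lands as low severity because a change record explains it, which is the kind of context the plant team can confirm in one conversation. The two high findings are the ones worth escalating, and the outside address shows up as "unknown asset" because the inventory has never heard of it. Nothing here needs full packet capture or endpoint agents; it needs flow records, a zone map, an inventory and a change log.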
The Next Visibility Challenge: Encryption
Security teams are trained to think of encryption as good. In many cases, it is.
But in OT environments, the question is not always that simple.
If encryption prevents defenders from seeing whether a malicious command was sent, it can reduce detection capability. That does not mean industrial environments should avoid encryption categorically. It means teams need to think clearly about what problem they are solving.
If an attacker is already in a position to observe or manipulate traffic inside a sensitive OT environment, the organization already has a serious problem. Encrypting that traffic may protect confidentiality, but it may also make it harder for defenders to inspect activity and detect abuse.
The point is not that encryption is bad.
The point is that “more secure” cannot mean “less visible” without a serious discussion about tradeoffs.
The Hunter Mindset is Learned
Threat hunting is not an entry-level function in the way many people want it to be.
That does not mean newer practitioners cannot participate in hunts. They can, and they should. But effective hunting requires a mix of critical thinking, technical skill, operational awareness, and comfort with ambiguity.
A good hunter asks questions, understands systems, studies adversaries, and knows enough about the environment to recognize when something does not fit.
That skill set takes time.
For people trying to get into OT threat hunting, the advice is straightforward: be curious, but also get technical. Read protocol specifications. Learn how industrial systems communicate. Understand what normal operations look like. Spend time with operators and engineers. Study adversary behavior, but do not stop there.
In OT, knowing the attacker is only half the job.
You also have to know the plant.
Final Thoughts
Threat hunting in OT is not about heroics. It is not about chasing every scary headline or proving value by finding an intrusion.
It is about building the organization’s ability to ask better questions of its own environment.
Can we see what matters? Do we understand what we are looking at? Can we tell the difference between normal variation and suspicious behavior? Can we turn what we learn into better detection, better response, and better resilience?
Those are not glamorous questions.
But in industrial security, they are the questions that matter.