Threat Hunting 101

The document provides an introduction to threat hunting and outlines the key aspects of conducting a threat hunt. It discusses how threat hunting is a proactive approach to security that involves actively seeking out anomalies and suspicious activities. It also outlines the typical 7-step threat hunting process and emphasizes that threat hunting requires both technical skills as well as developing the right mindset.
YOUR GUIDE TO OUTSMARTING ADVERSARIES

Threat Hunting 101

Introduction

In a threat landscape overrun with increasingly sophisticated and successful threat actors, the need for proactive cybersecurity has never been more imperative.

Welcome to Threat Hunting 101: Your Guide to Outsmarting Adversaries. This ebook serves as your roadmap to the dynamic world of threat hunting, a practice that empowers organizations to anticipate and thwart security threats before they escalate into potentially catastrophic incidents.

Where We’re Headed:
1 Threat Hunting: Art, Science, and Mindset
2 Threat Hunting Is Critical to Modern Cybersecurity
3 Your 7-Step Threat Hunting Process
4 Threat Hunting in the Wild: A Citizen Lab Case Study
5 Conclusion: Threat Hunters Are Needed. Fight the Good Fight!
6 Threat Hunting with Censys
Threat Hunting: An Art, a Science, and a Mindset

Threat hunting is a proactive cybersecurity approach to identifying and mitigating hidden risks before they can evolve into full-blown threats. Threat hunting is not just about waiting for critical events to occur; it’s about actively seeking out anomalies, suspicious activities, and elusive adversaries within an organization’s digital landscape.

We can think of threat hunters as detectives, relying on a keen ability to recognize patterns, collect evidence, and make sense of incomplete information. And like detectives, a threat hunter’s job is just as much about having the right mindset as it is leveraging the right resources. For even with all of the necessary tools and data sources in hand, doing the job well still requires thinking like a threat hunter, with an unwavering commitment to curiosity and relentless pursuit of the unknown.

Yet, unlike detectives, who are hot on the trails of criminals in flight, threat hunters hope to track down bad actors before they get away with the crime. Which brings us to why threat hunters have such an important role to play in cybersecurity.
Threat Hunting Is Critical to Modern Cybersecurity

Ask any CISO about what would happen if their organization fell victim to a successful cyber attack, and you’ll get a list of consequences a mile long. Cyber attacks are incredibly expensive (the average cost of a breach in the U.S. is $9.48 million dollars) and they typically cause a slew of negative ripple effects, including loss of customer data and damage to brand reputation.

These are the makings of CISO nightmares – and unfortunately, most security leaders can probably speak to these nightmares from firsthand experience. In our 2023 State of Security Leadership Report, 93% of surveyed security leaders said their organization experienced a cyber attack with a material impact within the last year. Fifty-two percent had experienced two to five successful cyberattacks within the last year. It’s clear that adversaries are gaining ground.

THE NEED FOR A PROACTIVE SECURITY POSTURE

Organizations can no longer rely on traditional threat detection methods alone to prevent cyber attacks. That’s because adversaries are constantly thinking of new ways to launch attacks, and are increasingly sophisticated in their approaches.

For example, cyber criminals have recently shifted their focus to compromising entire software and hardware supply chains. By infiltrating trusted suppliers and vendors, attackers can inject malware, backdoors, or vulnerabilities into widely-used software or hardware products. Attacks against Managed File Transfer tools, which the Censys Research Team investigated, are further examples of this new focus on supply chain targets.

Threat detection is an important part of any cybersecurity strategy, but it primarily relies on recognizing known threat patterns and signatures. Threat detection approaches therefore can be more reactive in nature – dependent on alerts that trigger action – whereas threat hunting is proactive and can fill security gaps that threat detection alone may miss.
Organizations’ rapidly-expanding digital footprints also warrant the kind of proactive security posture that threat hunting can provide. A study from JupiterOne finds that organizations’ external attack surfaces are growing at a rate of approximately 133% per year. More assets can mean more opportunities for attackers to “shoot their shot” and attempt a breach. Teams who rely exclusively on traditional methods to detect threats across these expanding, sometimes unregulated, attack surfaces can have their work cut out for them.

THREAT HUNTING IS NEEDED. BUT THREAT HUNTERS NEED DIRECTION.

Censys research finds that 50% of surveyed companies say that the ability to proactively hunt for threats is one of their top priorities. Organizations may recognize threat hunting as imperative, but in many, the practice is far from formalized and lacks dedicated resources.

Rather, threat hunting can be just one SecOps responsibility to be prioritized against a host of others, leaving practitioners little opportunity to sharpen their skills. And as a largely self-taught endeavor, many practitioners are left to cobble together tips and tricks as they go along. This can make it challenging for threat hunters to feel confident that the threats they uncover are truly credible and worth taking action against.

If that kind of uncertainty sounds familiar, you’ve arrived at the right resource! In the following pages, you’ll find information about each step of a typical threat hunting investigation. This guidance is meant to give shape to your investigations, but is not designed to be overly prescriptive. After all, threat hunting is part art, science, and mindset. The science offers a framework, shared below, but the art and mindset guide the details – and those are up to you!
STEP 1:
How to Prepare for a Hunt

Any good investigative work requires proper preparation, so before you start your sleuthing, consider the following groundwork.

AT THE STARTING LINE: TERMS TO KNOW

Let’s begin with two threat hunting terms that are important to understand: Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs).

Tactics, Techniques, and Procedures:
TTPs represent the ways in which adversaries plan, execute, and manage their activities during the course of a cyberattack or other malicious operations.

Tactics
Tactics refer to the high-level goals or objectives that adversaries aim to achieve during an attack. For example, one of the most common attacker tactics is Data Exfiltration. Using this tactic, attackers seek to compromise data integrity and confidentiality by stealing sensitive data from a target network or system.

Techniques
Techniques are the specific methods and approaches that adversaries employ to accomplish their tactical objectives. If an attacker was pursuing a Data Exfiltration tactic, described above, the technique they might deploy to carry out the tactic could be data compression. Data compression involves compressing stolen files into smaller files before exfiltrating them.

Procedures
Procedures are the step-by-step, detailed processes that adversaries follow to implement their chosen techniques. In the context of data exfiltration through data compression, a procedure could involve using a specific tool or script to compress files, encrypt the compressed data, and then transfer it to an external server using a predefined protocol.
Indicators of Compromise:
IOCs are critical pieces of information or characteristics that threat hunters can use to identify and detect potential security incidents or breaches within a computer network or system. These indicators are typically anomalies or signs that suggest unauthorized or malicious activity.

• Common IOCs include malicious IP addresses, increased database activity, excessive requests on important files, unusual outbound network traffic, or unusual DNS requests, among many others.

Threat hunters therefore apply what they know about adversary TTPs to identify IOCs within their own organization.

With these definitions in mind, we can turn to four important ways to prepare for a threat hunt.
Four Ways to Prepare for a Threat Hunt

1 Understand Your Attack Surface
Threat hunting to defend an organization’s security perimeter requires that hunters first understand what the organization owns. What might adversaries look to compromise? This means threat hunters need full visibility into their attack surface. Attack surfaces are made up of all external-facing, internet-connected assets that could be subject to an attack.

Building a view of your attack surface can be accomplished through efforts like subdomain enumeration, which can require a fair amount of manual effort. Organizations with External Attack Surface Management (EASM) solutions, like Censys, however, can gain visibility into their attack surface while benefiting from additional efficiencies. EASM solutions provide automated, real-time attack surface monitoring, and include the discovery of assets that were previously unknown to the organization.

2 Establish Baseline Activity
After you’ve achieved an understanding of your attack surface, it’s important to determine what baseline activity looks like at your organization. Doing so will make it easier to spot those IOCs. To understand baseline activity, you might:

• Determine which activity is most relevant to understand. This could include network traffic, user behavior, system activity, or any other relevant aspect of your environment.

• Identify the data sources you need to collect and analyze for baselining. Common sources include logs from network devices, endpoints, servers, and security tools like firewalls and intrusion detection systems.

• Gather historical data for a sufficient period, typically at least several weeks. The longer the historical data, the more accurate your baseline will be.
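The baselining steps above in working form, as an added example that is not part of the ebook: several weeks of constructed outbound-connection log lines build a per-host baseline, and a new day's lines are checked against it for the two IOCs named earlier, unusual outbound traffic volume and previously unseen destinations. The log format, host names and addresses are constructed for the example.

```python
"""Added example (not from the Censys ebook): build a per-host baseline of
outbound activity from historical log lines, then flag a new day against it.

The log format below is constructed for this example; real firewall or proxy
logs need their own parser. Fields: date host dst_ip dst_port bytes_out.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample logs: three weeks of "normal" traffic for two hosts,
# then one day on which ws-02 talks to an unfamiliar destination on 443
# and sends far more data than it ever has before.
HISTORICAL_LOGS = []
for day in range(1, 22):  # days 1..21 form the baseline window
    HISTORICAL_LOGS += [
        f"2024-01-{day:02d} ws-01 203.0.113.10 443 {120_000 + 500 * (day % 5)}",
        f"2024-01-{day:02d} ws-01 203.0.113.11 53 {2_000 + 10 * (day % 3)}",
        f"2024-01-{day:02d} ws-02 203.0.113.10 443 {90_000 + 400 * (day % 4)}",
        f"2024-01-{day:02d} ws-02 203.0.113.11 53 {1_800 + 15 * (day % 2)}",
    ]

TODAY_LOGS = [
    "2024-01-22 ws-01 203.0.113.10 443 121000",
    "2024-01-22 ws-01 203.0.113.11 53 2010",
    "2024-01-22 ws-02 203.0.113.10 443 91000",
    "2024-01-22 ws-02 198.51.100.77 443 48000000",  # new destination, huge volume
]


def parse(line):
    date, host, dst_ip, dst_port, nbytes = line.split()
    return date, host, dst_ip, int(dst_port), int(nbytes)


def build_baseline(lines):
    """Per host: the set of known destinations and daily outbound byte statistics."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> date -> bytes
    dests = defaultdict(set)                         # host -> {(ip, port)}
    for line in lines:
        date, host, dst_ip, dst_port, nbytes = parse(line)
        daily[host][date] += nbytes
        dests[host].add((dst_ip, dst_port))
    baseline = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        baseline[host] = {"dests": dests[host], "mean": mean(totals), "stdev": pstdev(totals)}
    return baseline


def find_anomalies(baseline, lines, sigma=3.0):
    """Flag unknown hosts, unknown destinations, and daily volume > mean + sigma*stdev."""
    findings = []
    today_total = defaultdict(int)
    for line in lines:
        _, host, dst_ip, dst_port, nbytes = parse(line)
        today_total[host] += nbytes
        if host not in baseline:
            findings.append((host, "host not in baseline"))
        elif (dst_ip, dst_port) not in baseline[host]["dests"]:
            findings.append((host, f"new destination {dst_ip}:{dst_port}"))
    for host, total in today_total.items():
        if host in baseline:
            threshold = baseline[host]["mean"] + sigma * baseline[host]["stdev"]
            if total > threshold:
                findings.append((host, f"outbound volume {total} exceeds {threshold:.0f}"))
    return findings
```

A longer baseline window narrows the standard deviation and so tightens the volume threshold, which is the reason the text asks for several weeks of history.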
3 Become Familiar with Adversary Tactics
Though adversaries are continuously evolving their approaches, threat hunters can use what they know about current tactics to anticipate how attackers might adapt and evolve them going forward. You can dive deeper into the techniques hackers are using to deploy common attacks, including malware, phishing, and ransomware attacks, by referencing the MITRE ATT&CK framework.

MITRE ATT&CK is a “globally accessible knowledge base of adversary tactics and techniques based on real-world organizations.” The MITRE ATT&CK framework has detailed insight into the TTPs that hackers use.

4 Know Thy Enemy
Are there cyber attack techniques that have been frequently used on other companies in your industry, or against other companies who use similar technologies? As you conduct your research, think about how an adversary is most likely to take action against your specific organization.

For example, in recent years many educational institutions in the U.S. have been prime targets of ransomware attacks. If you were conducting threat hunting investigations for an educational institution in the U.S., looking for signs of ransomware would be a logical place to start.
STEP 2:
Use a Threat Modeling Mindset to Establish a Hypothesis

It’s now time to narrow focus and establish your threat hunting hypothesis. Without a strong hypothesis, a threat hunting investigation can become directionless. To avoid this, threat hunters need to develop an educated guess about what kind of threat they are setting out to find, and where evidence of that threat could be observed. That educated guess – your hypothesis – should be the guiding light that informs the start of your hunt.

Threat hunters can adopt a threat modeling mindset to establish their hypothesis. Threat modeling is the practice of analyzing a system’s architecture and potential attack vectors to identify and assess risk. Threat modeling can be a robust, formalized exercise that occurs independently of a threat hunt. However, adopting a threat modeling mindset can be relevant to developing a threat hunting hypothesis, as it raises questions like: Where are we most vulnerable? Where are attackers most likely to strike?
Consider the following questions, inspired by a threat modeling mindset:

• Past Action: How have attackers successfully breached your organization in the past? Is there a chance you’re still vulnerable to this tactic?

• Known Weak Spots: Does your attack surface have any vulnerabilities or exposures we know we haven’t remediated? Are there risky user behaviors across our workforce that an attacker could exploit?

• Industry Trends: As mentioned above, give thought to what’s happening to other organizations in your space. How are attackers targeting other companies in our industry?

• Technology Targets: How are attackers targeting companies that use the same technology services we use?

• Geolocation: What other attacks have occurred against organizations in our region? Attackers may use geolocation data to craft targeted campaigns, or may be looking to disrupt entities in certain regions as a result of geopolitical factors.

As ideas for your threat hypothesis percolate, keep in mind that a hypothesis should be specific enough to provide focused direction, but not too specific so as to lead you down a rabbit hole.

A Hypothesis That's Just Right
We think we could be subject to a targeted phishing campaign that’s attempting to exploit a recently disclosed vulnerability in our email system. We’ll begin by evaluating emails with suspicious attachments and hyperlinks.

A threat hunting hypothesis should also be actionable and verifiable. This can be accomplished in part with the right level of focus (as discussed above), but will also depend on the resources at your disposal. This brings us to threat hunting tools.
STEP 3:
Building Your Threat Hunting Toolbox

There is no singular “threat hunting tool” that can do it all, soup to nuts. Today’s threat hunters rely on many different tools and intelligence sources to carry out effective hunts. Your choice of tools will likely vary based on your investigation’s specific needs. However, a common resource that all threat hunting toolboxes should have is access to superior internet intelligence.

SUPERIOR INTERNET INTELLIGENCE: A TABLE STAKES REQUIREMENT

Superior internet intelligence is a must for any successful threat hunt. If the internet intelligence you’re using to inform your hunt is stale, incomplete, inaccurate, or difficult to parse, identifying threats with confidence will be a challenge. If you’re going to ring the alarm to your organization’s leadership, you want to be sure you know what you’re looking at.

Threat hunters therefore need internet intelligence that is:

• Comprehensive: Global, multiperspective scanning of the publicly-visible internet infrastructure should be conducted.

• Up-to-Date: Top ports and all services should be scanned daily.

• Accurate: Data should have a low rate of false positives.

• Contextualized: Data should include deep protocol scans and indexed protocol fields.
WHERE CAN THREAT HUNTERS FIND SUPERIOR INTEL?

There are many different internet intelligence sources available to threat hunters, but not all offer the same quality of data. Only the Censys Internet Map, which powers the Censys Internet Intelligence Platform, gives threat hunters the breadth and depth of data they need to outsmart their adversaries.

The Censys Internet Map’s industry leading data provides the most complete, contextual, and up-to-date index of hosts and services on the internet. Censys is the only vendor to:

• Conduct daily comprehensive scans of the top 100+ ports

• Conduct proprietary ML-based discovery across all 65,000 ports

• Refresh all services daily to eliminate false positives

• Provide detailed visibility into open ports and protocols, regardless of standard port assignment, to understand host intent

Threat hunters can access Censys Internet Map data using Censys Search, which is available for use as a free community tool. Advanced Search capabilities (like access to more historical data, regular expression queries, and matched services) are available to threat hunters with an upgraded subscription.
ROUNDING OUT YOUR TOOLBOX

In addition to a leading internet intelligence source, threat hunters will likely rely on a number of other tools to carry out their hunt. You can find examples of a few below.

Security Information and Event Management (SIEM)
SIEM solutions provide data logs of activity across an organization’s hardware and software. Threat hunters can review these logs during their investigation to look for indicators of compromise. Internet intelligence vendors, like Censys, can integrate with SIEM solutions to enrich SIEM data logs.

Endpoint Detection and Response (EDR) Solutions
EDR solutions monitor endpoints (workstations, servers, and other devices) for suspicious activities, including file changes, process execution, and network connections. Threat hunters can use EDR tools to investigate endpoint-specific threats.

External Attack Surface Management
EASM solutions provide a comprehensive view of an organization’s internet-facing assets and vulnerabilities. Threat hunters can leverage this solution to proactively identify potential weak points and misconfigurations, helping them stay ahead of adversaries who might exploit these external entry points to infiltrate the network.

Network Traffic Analysis
These tools capture and analyze network traffic to identify unusual patterns or activities that might suggest a network intrusion or compromise.
Open-Source Intelligence (OSINT) Tools
OSINT tools enable threat hunters to gather information from publicly-available sources on the internet, helping them identify potential threats or attackers’ tactics, techniques, and procedures (TTPs).

YARA Rules and Signature-Based Detection
Threat hunters often create custom YARA rules or use existing signatures to search for specific patterns or malware in the organization’s environment.
STEP 4:
The Hunt Begins: “You’re Going on a Threat Hunt”

Now that you’ve established a hypothesis and have your threat hunting toolbox at the ready, it’s time to launch your investigation! Many threat hunting investigations begin with an exploration into logs and data feeds, as it is here that unusual activity, suspicious patterns, and other hints of undetected IOCs can be uncovered.

EXPLORING HOSTS, CERTIFICATES, DEVICES & MORE WITH CENSYS SEARCH

In addition to enriching SIEM tools, Censys data can be a primary source for threat hunters to explore when accessed through the Censys Search tool. Threat hunters can use Censys Search to run queries on an expansive database of hosts and certificates to look for suspicious activity across IP addresses, servers, IoT devices, operating systems, autonomous systems, locations, and more. As mentioned, Censys maintains the best view of global internet infrastructure available, which gives threat hunters a treasure trove of intelligence to comb through.

When beginning an investigation, threat hunters can use Censys Search to:

Identify Vulnerable Services
Identify devices or services with known vulnerabilities. By querying specific service banners, software versions, or configurations, you can pinpoint systems that require immediate patching or remediation.
Discover Rogue Assets
Search for devices and services that do not belong to the organization’s known inventory. This helps identify rogue or unauthorized assets that may pose a security risk.

Monitor SSL/TLS Certificates
Track SSL/TLS certificates, search for expired or misconfigured certificates, and identify the certificate authorities used.

Identify Malicious Infrastructure
Detect malicious infrastructure, such as command and control servers, phishing websites, and other suspicious domains or IP addresses.

• Deimos C2: same_service((services.http.response.html_title="Deimos C2" or services.tls.certificates.leaf_data.subject.organization="Acme Co") and services.port: 8443)

• Posh C2: services.tls.certificates.leaf_data.subject_dn: "C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077"

OTHER FIRST STEPS TO INVESTIGATE THREATS

Every threat hunting investigation is unique. Yours may start with information that another tool in your toolbox provides. For additional examples of ways to begin an investigation into common threats, consider:

Advanced Persistent Threats (APTs)
APTs are long-term, targeted cyberattacks often associated with nation-state actors or highly organized cybercriminal groups. To start a search for indicators of APT activity, you might: Closely monitor network traffic for unusual or long-term patterns of communication. APTs often establish persistent connections with command and control servers, which can be detected through unusual traffic patterns.
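The two C2-infrastructure queries above, applied locally to constructed host records as an added example (this is not Censys code and not the Censys query engine, only an approximation of the query semantics in Python). It shows why the Deimos query is wrapped in same_service(): every clause must hold on one service, whereas a host-level match would also flag a host that has the page title on one port and an unrelated service on 8443. The record layout only mimics the field paths named in the queries; all IPs and values are constructed.

```python
"""Added example (not from the ebook or from Censys): evaluate the two C2-hunting
conditions from the text against constructed host records, contrasting
same_service() matching with naive host-level matching.
"""

POSH_C2_SUBJECT_DN = "C=US, ST=Minnesota, L=Minnetonka, O=Pajfds, OU=Jethpro, CN=P18055077"


def get_path(obj, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def deimos_service_match(service):
    """(html_title == "Deimos C2" OR leaf subject org == "Acme Co") AND port 8443,
    all evaluated on a single service record."""
    title = get_path(service, "http.response.html_title")
    org = get_path(service, "tls.certificates.leaf_data.subject.organization")
    return (title == "Deimos C2" or org == "Acme Co") and service.get("port") == 8443


def matches_deimos_same_service(host):
    """same_service(): the whole condition must hold on one service of the host."""
    return any(deimos_service_match(s) for s in host.get("services", []))


def matches_deimos_host_level(host):
    """Without same_service(): each clause may be satisfied by a different service."""
    services = host.get("services", [])
    title_or_org = any(
        get_path(s, "http.response.html_title") == "Deimos C2"
        or get_path(s, "tls.certificates.leaf_data.subject.organization") == "Acme Co"
        for s in services
    )
    port_8443 = any(s.get("port") == 8443 for s in services)
    return title_or_org and port_8443


def matches_posh(host):
    """Posh C2: any service whose leaf certificate carries the known subject DN."""
    return any(
        get_path(s, "tls.certificates.leaf_data.subject_dn") == POSH_C2_SUBJECT_DN
        for s in host.get("services", [])
    )


# Constructed records. HOST_A is a true Deimos-style match (title and port on one
# service). HOST_B has the title on port 80 and an unrelated TLS service on 8443,
# which only the host-level version flags. HOST_C carries the Posh C2 subject DN.
HOST_A = {"ip": "192.0.2.10", "services": [
    {"port": 8443, "http": {"response": {"html_title": "Deimos C2"}}},
]}
HOST_B = {"ip": "192.0.2.11", "services": [
    {"port": 80, "http": {"response": {"html_title": "Deimos C2"}}},
    {"port": 8443, "tls": {"certificates": {"leaf_data": {"subject": {"organization": "Example Corp"}}}}},
]}
HOST_C = {"ip": "192.0.2.12", "services": [
    {"port": 443, "tls": {"certificates": {"leaf_data": {"subject_dn": POSH_C2_SUBJECT_DN}}}},
]}


def hunt(hosts):
    """Return the IPs flagged by each query, in the order the hosts were given."""
    return {
        "deimos_same_service": [h["ip"] for h in hosts if matches_deimos_same_service(h)],
        "deimos_host_level": [h["ip"] for h in hosts if matches_deimos_host_level(h)],
        "posh": [h["ip"] for h in hosts if matches_posh(h)],
    }
```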
Zero-Day Exploits
Zero-day exploits are vulnerabilities in software or hardware that are unknown to the vendor. These threats can be challenging to detect using traditional security tools, which makes threat hunting efforts crucial for early detection. You could start to look for clues of zero-day exploits by looking for unusual or unauthorized access to sensitive data, repeated failed login attempts, or data exfiltration patterns.

• Note: You can also use Censys Search queries to identify and respond to zero-day exploits. The Censys Research Team publishes zero-day queries in Rapid Response blog articles.

Ransomware
When looking for signs of ransomware activity, you might want to start your search by looking for unusual encryption processes, unauthorized changes to files, or ransom notes left on compromised systems.

Phishing & Social Engineering
You might start by reviewing email traffic for suspicious attachments or links, monitoring user behavior for signs of compromised credentials, and identifying phishing domains or fake login pages.

No matter how you start your threat hunt, it’s crucial to focus on anomalies rather than preconceived notions of what an attack may look like. Look for subtle and persistent IOCs that may go unnoticed by traditional security tools, as these often hold the key to identifying and mitigating emerging threats.
STEP 5:
It’s Time to P-I-V-O-T!!

Unless luck is on your side, you’re unlikely to find a proverbial smoking gun to prove or disprove your threat hunting hypothesis right out of the gate. Threat hunting is typically an iterative process, requiring a healthy dose of patience, curiosity, and a willingness to go where the evidence leads you.

When a shift of focus is warranted, your investigation “pivots” and your hypothesis is refined based upon the new information at hand.

The ability to pivot is one of the most critical skills in threat hunting. Pivoting is important because threats are rarely isolated; they often have multiple points of entry, lateral movement paths, or associated indicators. By pivoting effectively, threat hunters can uncover hidden relationships, patterns, and attack paths, allowing them to trace the entire attack chain and gain a holistic view of the threat landscape. This approach not only helps in identifying the root cause and the full extent of an incident, but allows for a more proactive and comprehensive response to mitigate future risks.

Examples of ways you can pivot your threat hunting investigation include:

Uncovering Historical Data
If you come across a suspicious domain or IP address, you can pivot to explore its historical data and understand how it has evolved over time, revealing changes in infrastructure or potential attacks. Censys archives more than seven years of historical information about internet-connected devices.

Tracking Certificate Information
If you come across a malicious SSL certificate during your investigation, you can pivot to explore all certificates issued by the same entity or used across multiple domains, potentially identifying a larger attack infrastructure. Censys has the world’s largest repository of x.509 certificates.
Exploring Autonomous Systems
Threat actors often use specific ASNs or network providers for their operations. You can pivot using Censys to investigate an ASN and discover all IP addresses, domains, and services linked to that network, helping to uncover a broader scope of potential threats.

Pro Tip:
Use the “Explore” feature in Censys Search to quickly pivot to identify related hosts, certificates, and more.
Threat Hunting in the Wild: A Case Study
How Citizen Lab Exposed Mercenary Spyware using Censys

Before we continue on with our Threat Hunting 101 framework, let's take a detour to see how threat hunting principles were applied to an actual threat hunting investigation conducted by Citizen Lab.

Researchers from the University of Toronto’s Citizen Lab used Censys data to understand spyware used to target human rights workers, journalists, and activists.

Citizen Lab is a research institute at the intersection of human rights and information technology that focuses on research, policy, and advocacy. One unique aspect of Citizen Lab’s mission is their investigations into the technical practices used to target activists and journalists.

Attacker Profile
Citizen Lab set its sights on Candiru, a private sector offensive actor already known for selling malware to governments. Candiru’s core product offering is spyware that can be installed through a number of infection vectors on a target’s Apple, Windows, or Android device. Candiru claims their products are “untraceable,” which makes finding domains, certificates, and other C&C infrastructure affiliated with their software especially challenging.

Threat Hunting Goal
Understand Candiru’s global footprint by mapping out command and control infrastructure, including IPs, domains, certificates.
The Investigation

Citizen Lab used Censys Internet Map data, which details IPv4 and IPv6 hosts and services and provides the world’s largest certificate repository, to map Candiru’s command and control infrastructure, and to understand the websites that Candiru’s spyware has been used to target.

Citizen Lab found a self-signed certificate on Censys Search that was associated with Candiru. This certificate finding was significant because it allowed the team to pivot and uncover other attacker infrastructure using Censys’ historical dataset.

Citizen Lab then queried the Censys IPv4 dataset to locate the IP addresses that were serving the certificate and potentially affiliated with Candiru. The team iterated between IPv4 hosts and certificates, surfacing certificates for over 750 websites that Candiru spyware infrastructure was impersonating.

[Figure: the pivot chain. Self-signed TLS certificate (amitn@candirusecurity[.]com); 6 IP addresses returned this certificate; 4 of these IPs returned a new certificate, fingerprint CF1; 6 IP addresses and 42 certificates matched fingerprint CF1; additional certificates revealed by the 6 IPs, fingerprint CF2.]
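The iteration between hosts and certificates described above, as an added example that is not Citizen Lab's or Censys's code: starting from one seed certificate, the loop alternates certificate-to-IPs and IPs-to-certificates over a constructed set of scanner observations until nothing new appears. It also adds the check a practitioner wants when doing this at scale: a certificate seen on many hosts (a CA root, a CDN certificate) is not followed, otherwise the pivot expands across unrelated infrastructure. All addresses, fingerprint labels and names are constructed.

```python
"""Added example (not from the ebook, Citizen Lab or Censys): the certificate <-> IP
pivot loop from the case study, run over constructed scanner observations.

Observations are (ip, certificate fingerprint) pairs as a scanner would record
them; CERT_NAMES maps a fingerprint to the names the certificate claims. The
fingerprints here are labels, not real hashes.
"""
from collections import defaultdict

# Constructed observations. SEED is the self-signed certificate found first.
# CF1 is a second certificate that some SEED hosts also return; CF2 is served
# by a host reached only through CF1. CA-ROOT is a widely served certificate
# that would pull in unrelated hosts if the pivot followed it blindly.
OBSERVATIONS = [
    ("192.0.2.1", "SEED"), ("192.0.2.2", "SEED"), ("192.0.2.3", "SEED"),
    ("192.0.2.1", "CF1"), ("192.0.2.2", "CF1"),
    ("192.0.2.4", "CF1"), ("192.0.2.5", "CF1"),
    ("192.0.2.5", "CF2"),
    ("192.0.2.3", "CA-ROOT"), ("198.51.100.1", "CA-ROOT"), ("198.51.100.2", "CA-ROOT"),
    ("198.51.100.3", "CA-ROOT"), ("198.51.100.4", "CA-ROOT"), ("198.51.100.5", "CA-ROOT"),
]
CERT_NAMES = {
    "SEED": ["mail.example-target.test"],
    "CF1": ["news.example-target.test", "login.example-target.test"],
    "CF2": ["cdn.example-target.test"],
    "CA-ROOT": ["Example Root CA"],
}


def index_observations(observations):
    """Build both directions of the bipartite host/certificate graph."""
    ips_by_cert = defaultdict(set)
    certs_by_ip = defaultdict(set)
    for ip, fp in observations:
        ips_by_cert[fp].add(ip)
        certs_by_ip[ip].add(fp)
    return ips_by_cert, certs_by_ip


def pivot(seed_fp, observations, max_rounds=5, max_hosts_per_cert=5):
    """Alternate cert -> IPs -> certs until nothing new appears or max_rounds is hit.

    Certificates served by more than max_hosts_per_cert hosts are treated as
    shared/common (CA roots, CDN certs) and are recorded but not followed.
    Returns the discovered certs and IPs, the skipped hub certs, and rounds used.
    """
    ips_by_cert, certs_by_ip = index_observations(observations)
    known_certs, known_ips, skipped = {seed_fp}, set(), set()
    frontier = {seed_fp}
    rounds = 0
    while frontier and rounds < max_rounds:
        rounds += 1
        new_ips = set()
        for fp in frontier:                      # certificate -> hosts serving it
            new_ips |= ips_by_cert[fp] - known_ips
        known_ips |= new_ips
        frontier = set()
        for ip in new_ips:                       # host -> other certificates it served
            for fp in certs_by_ip[ip] - known_certs:
                if len(ips_by_cert[fp]) > max_hosts_per_cert:
                    skipped.add(fp)
                    continue
                known_certs.add(fp)
                frontier.add(fp)
    return {"certs": known_certs, "ips": known_ips, "skipped": skipped, "rounds": rounds}


def impersonated_names(certs, names=CERT_NAMES):
    """Names the discovered certificates claim, i.e. the sites being impersonated."""
    return sorted({n for fp in certs for n in names.get(fp, [])})
```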
The Outcome

Citizen Lab shared a signature that allowed Microsoft to identify two previously undisclosed privilege escalation vulnerabilities exploited by Candiru malware as well as identify more than 100 other human rights defenders, journalists, activists, and politicians who were targeted by Candiru’s spyware.

Read The Full Report
You can read more about Citizen Lab’s investigation into Candiru spyware here.
STEP 6:
Identifying Threats That Are Critically Understood

You’ve been deep in the weeds of your threat hunting investigation, sussed out IOCs, pivoted where the data has taken you, and accumulated a trail of evidence that seems to point to a threat. Is it time to alert the team?

Possibly. Before you take action, a good question to ask is: “Can I say that this threat is critically understood?”

A threat is critically understood when there’s a nuanced understanding of its nature, scope, and potential impact. In other words: a threat hunter is able to explain how each piece of evidence connects to the next, and why that evidence indicates that activity poses a credible threat to the organization.

Critically understanding threats is crucial for informed decision-making. It allows organizations to accurately assess the level of risk and prioritize the response, and helps teams craft an effective and tailored mitigation strategy, whether it involves isolating compromised systems, patching vulnerabilities, or enhancing security controls. Deep insight into the threat also aids in threat attribution, which can inform responses involving legal actions or law enforcement cooperation.

Don't Forget the TTPs
Remember the Tactics, Techniques, and Procedures we talked about earlier? If a threat is critically understood, a threat hunter should have a solid understanding of the TTPs that an adversary deployed. An understanding of TTPs is particularly important to communicate when taking action against a threat, as it can help organizations respond accurately and adapt security strategies to prevent similar threats in the future.
STEP 7:
Taking Action: Escalation, Remediation, and Analysis
Once your threat is critically understood, prompt escalation and remediation should occur, followed by analysis that should be used to operationalize your findings.

1 Escalation
Notify appropriate stakeholders within your organization (incident response teams, your CISO, senior management) that a threat has been identified. To do so, you’ll likely need to provide a detailed report outlining the nature of the threat, its potential impact, and any evidence supporting your conclusions. It’s crucial to be concise and clear in communicating the technical and business implications of the threat to ensure that decision-makers understand the urgency and severity of the situation.

2 Remediation
Once a threat has been escalated to the right parties, it’s time to collaborate closely with incident responders in the organization to contain and eradicate the threat. Remediation efforts may involve isolating compromised systems, patching vulnerabilities, updating security policies, and monitoring for any lateral movement or persistence attempts by the threat actor. Continuous monitoring and analysis are crucial during this phase to ensure that the threat is fully eradicated and that any residual risks are mitigated.

After conducting remediation activities, verify that the threat is no longer present. You could do this by running queries again, re-checking logs, or using your External Attack Surface Management tool to confirm that an exposure no longer appears on your attack surface.

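The verification step above ("running queries again, re-checking logs") and the documentation step that follows both come down to the same thing: keeping the IOCs you found tied to the TTPs they evidence, and re-running the same check after remediation. The script below is an added example written for this guide; it is not code from the ebook or from Censys. The IOCs, TTP labels and log lines are all constructed (the IP is from the TEST-NET-3 documentation range, the domain uses the reserved .example TLD, the hash is a placeholder), and the log format is a hypothetical key=value style. It re-runs an IOC scan over pre- and post-remediation logs, reports per-IOC status grouped by TTP, and deliberately includes the failure mode the text warns about: a second host still resolving the C2 domain after the first host was cleaned.

```python
"""Post-remediation verification: re-run the hunt's IOC checks over fresh logs.

Added example, not from the ebook or from Censys. Every IOC, TTP label and
log line below is constructed for illustration: the IP is from a documentation
range (TEST-NET-3), the domain uses the reserved .example TLD, and the hash is
a placeholder, so none of them are real indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PLACEHOLDER_SHA256 = "00" * 32  # constructed placeholder, not a real file hash


@dataclass(frozen=True)
class Indicator:
    """One IOC as the hunter documented it, tied to the TTP it evidences."""

    kind: str   # hypothetical categories: "ip", "domain", "sha256"
    value: str
    ttp: str    # free-text TTP label, as a hunter would record it


# Constructed hunt documentation: the IOCs uncovered and the TTPs they support.
IOCS = [
    Indicator("ip", "203.0.113.45", "C2 beaconing over HTTPS"),
    Indicator("domain", "update-check.example", "C2 domain resolution"),
    Indicator("sha256", PLACEHOLDER_SHA256, "Persistence via scheduled task"),
]

# Constructed log lines from before remediation (all three IOCs present).
LOGS_BEFORE = [
    "2024-05-01T10:02:11Z host=web01 event=dns query=update-check.example answer=203.0.113.45",
    "2024-05-01T10:02:12Z host=web01 event=conn proto=tcp dst=203.0.113.45 dport=443 bytes=1288",
    "2024-05-01T10:05:40Z host=web01 event=task_created name=SysHealthCheck image_sha256=" + PLACEHOLDER_SHA256,
    "2024-05-01T10:06:00Z host=db01 event=conn proto=tcp dst=198.51.100.7 dport=5432 bytes=9000",
]

# Constructed log lines from after remediation of web01. A second host, app02,
# is still resolving the C2 domain: the residual risk this check exists to catch.
LOGS_AFTER = [
    "2024-05-02T09:00:01Z host=web01 event=dns query=update-check.example-cdn.net answer=198.51.100.20",
    "2024-05-02T09:10:33Z host=app02 event=dns query=update-check.example answer=NXDOMAIN",
    "2024-05-02T09:11:00Z host=db01 event=conn proto=tcp dst=198.51.100.7 dport=5432 bytes=8700",
]


def _pattern(ioc: Indicator) -> re.Pattern[str]:
    # Match the indicator only as a whole token, so update-check.example does
    # not fire on the unrelated update-check.example-cdn.net above.
    return re.compile(r"(?<![\w.-])" + re.escape(ioc.value) + r"(?![\w.-])", re.IGNORECASE)


def scan_logs(lines: list[str], iocs: list[Indicator]) -> dict[str, list[str]]:
    """Return, per IOC value, the log lines in which it appears."""
    hits: dict[str, list[str]] = {ioc.value: [] for ioc in iocs}
    for ioc in iocs:
        pattern = _pattern(ioc)
        hits[ioc.value].extend(line for line in lines if pattern.search(line))
    return hits


@dataclass
class VerificationResult:
    indicator: Indicator
    hits_before: int
    hits_after: int

    @property
    def status(self) -> str:
        if self.hits_after > 0:
            return "STILL PRESENT"
        if self.hits_before > 0:
            return "eradicated"
        return "not observed"


def verify_remediation(before: list[str], after: list[str], iocs: list[Indicator]) -> list[VerificationResult]:
    """Re-run the same IOC query over pre- and post-remediation logs."""
    b = scan_logs(before, iocs)
    a = scan_logs(after, iocs)
    return [VerificationResult(i, len(b[i.value]), len(a[i.value])) for i in iocs]


def all_clear(results: list[VerificationResult]) -> bool:
    """True only when no IOC is seen in the post-remediation data."""
    return all(r.hits_after == 0 for r in results)


def ttp_summary(results: list[VerificationResult]) -> dict[str, list[str]]:
    """Group results by TTP, the shape an escalation report or post-incident note needs."""
    summary: dict[str, list[str]] = {}
    for r in results:
        summary.setdefault(r.indicator.ttp, []).append(
            f"{r.indicator.kind}={r.indicator.value}: {r.status} (before={r.hits_before}, after={r.hits_after})"
        )
    return summary


if __name__ == "__main__":
    results = verify_remediation(LOGS_BEFORE, LOGS_AFTER, IOCS)
    for ttp, lines in ttp_summary(results).items():
        print(ttp)
        for line in lines:
            print("  " + line)
    print("all clear:", all_clear(results))
```

Two design choices are worth noting. Indicators are matched as whole tokens rather than substrings, so a look-alike domain does not produce a false "still present" that would stall the close-out; and the result distinguishes "eradicated" (seen before, gone now) from "not observed" (never seen in either window), because a check that was never positive proves nothing about remediation. The same IOC-to-TTP record is what the post-incident analysis in the next step refers back to.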
3 Analysis
Conduct a thorough post-incident analysis to assess the root cause and identify lessons learned. This knowledge can then be used to improve your organization’s overall security posture, enhancing its ability to proactively detect and respond to threats in the future.

Documentation:
Good post-incident analysis and operationalization will involve referring back to documentation about the IOCs you uncovered and the TTPs that were used by the threat actor.

Threat hunters running investigations in Censys Search can document key aspects like function, make/model, owner, and location serviced by the asset. Tags also let you quickly return to hosts and track your progress. Additionally, you can use the Comment section at the bottom of the host summary page to detail exposures and add context to share with your colleagues.

Threat Hunters Are Needed. Fight the Good Fight!
And there you have it – we’ve come to the conclusion of our Threat Hunting 101 framework. Though there is no exact “threat hunting formula” for threat hunters to follow, we hope that with insights from our 101 framework, you’ll be able to approach your next investigation with the clarity and confidence you need to go toe-to-toe with adversaries.

Threat Hunting 101
Key Takeaways:

1 Prepare for Your Investigation
Prepare for an investigation by gaining a view of your attack surface, baselining your organization’s activity, and becoming familiar with current TTPs.

2 Establish a Hypothesis
Use what you know about your attack surface, TTPs, and answers to other threat modeling questions to establish an actionable, verifiable threat hunting hypothesis.

3 Build Your Toolbox
Build out your threat hunting toolbox with a wide variety of resources, including access to superior internet intelligence.

4 Test Your Hypothesis
Set out to prove or disprove your hypothesis by looking for IOCs. Review data sources and other tools to identify suspicious activity and anomalies.

5 Pivot As Necessary
Follow your curiosity and use your tools to pivot your investigation as needed. Threat hunting is an iterative process!

6 Ensure Critical Understanding
Once you’ve built a trail of evidence, check to ensure that your threat is critically understood. You should have an idea of the TTPs the adversary used.

7 Escalate & Operationalize
Escalate a critically understood threat to relevant parties and share documented findings. Look for opportunities to operationalize to prevent a similar attack in the future.

Threat hunting is poised to become even more critical to organizations’ cybersecurity efforts as adversaries advance their efforts and the digital landscape continues to evolve. If you’re responsible for threat hunting efforts at your organization, know that your work matters. It may be the only thing standing between an adversary and a successful attack.

Happy hunting!

GETTING STARTED WITH CENSYS SEARCH
Threat Hunting with Censys
Threat hunters can accelerate their investigations into advanced threats with leading internet intelligence from Censys. Censys provides the most comprehensive, accurate, and up-to-date view of global internet infrastructure available.

WHY DO THREAT HUNTERS USE CENSYS?
Unlike other data sources, Censys offers a deep, contextualized, attributed internet infrastructure map that supports multiple use cases. We don’t just collect banners or detect service presence, we create a structured snapshot of every host and running service down to the protocol level. We enrich the dataset with running software, TLS configurations, and so much more. Threat hunters can easily make sense of their findings and pivot as needed thanks to the robust context Censys provides.

Censys Internet Map data is available to threat hunters through our query-based Censys Search tool. Censys Search allows threat hunters to run search queries against our database of leading internet intelligence, so that they can more successfully pursue tasks like identifying malicious command and control infrastructure, locating vulnerable or compromised hosts, remediating risks to prevent further compromise, and strengthening their overall security posture.

You can see Censys Internet Map data in action by visiting our Censys Search tool at http://search.censys.io! For access to enhanced Censys Search features, check out our self-service packages for individuals and small teams.

Interested in learning more about how Censys can support your threat hunting efforts? We’d love to talk. Reach out to us today to start a conversation at http://censys.com/contact.


Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide governments, enterprises, and researchers with the most comprehensive, accurate, and up-to-date map of the internet to defend attack surfaces and hunt for threats.

Censys scans 63% more services than the nearest competitor across the world’s largest certificate database (>10B), reducing the likelihood of a breach by 50%.

Founded by the creators of ZMap, trusted by the U.S. Government and over 50% of the Fortune 500, Censys’ mission is to be the one place to understand everything on the Internet.

www.censys.com
