CyberDax Heuristic Threat Hunting Foundations
Report Type
Training
BLUF
Modern attackers increasingly rely on zero-day exploits, malware variants, and legitimate system tools to bypass traditional detection methods. These techniques avoid known indicators such as file hashes, IP addresses, and signatures, rendering indicator-based hunting ineffective during the most critical stages of an attack.
Heuristic threat hunting addresses this gap by focusing on behavior rather than known artifacts. Instead of detecting what is already known to be malicious, this approach identifies suspicious activity patterns such as unexpected execution chains, abnormal process behavior, and unusual external communication. These behaviors remain consistent even when attackers change tools, infrastructure, or payloads.
This makes heuristic hunting more reliable during early-stage compromise and previously unseen activity. While traditional IOC-based methods are strongest after threats are publicly identified, behavioral hunting enables earlier detection during active compromise.
Analysts using this approach can identify attacks that would otherwise go undetected, particularly in environments where attackers intentionally avoid triggering known signatures. This improves detection during active compromise, reduces time to response, and limits the operational impact of security incidents.
Objective of This Guide
This guide teaches analysts how to:
· Identify suspicious activity without relying on alerts or known indicators
· Build confidence through behavior and signal correlation
· Make structured escalation decisions under uncertainty
This is not a detection engineering guide.
This is a guide on how to think and investigate when nothing is obvious.
Each section builds on the previous, moving from understanding the problem to applying a repeatable method.
The Core Problem: Why Traditional Detection Fails
Most analysts are trained to follow alerts.
If an alert exists, it is investigated.
If no alert exists, no action is taken.
This approach only works when threats are already known.
What This Looks Like in Practice
In real environments:
· Alerts represent only a small portion of activity
· Most activity is never reviewed
· Analysts are conditioned to ignore anything that is not clearly flagged
How Attackers Take Advantage of This
Attackers do not need to be invisible.
They only need to avoid being obvious.
They do this by:
· Using legitimate tools
· Avoiding known signatures
· Breaking activity into low-signal steps
Result
If detection depends on alerts or known indicators,
new or slightly modified activity will bypass it.
This is the gap heuristic hunting addresses.
Why the Threat Landscape Has Changed
The effectiveness of traditional detection approaches has declined as the threat landscape has evolved.
Attackers now prioritize techniques that reduce reliance on static and reusable indicators.
These changes include:
· Increased use of zero-day vulnerabilities
· Rapid generation of malware variants
· Use of legitimate tools and living-off-the-land techniques
· Access to stolen or reused vendor code
What This Means for Detection
These changes create two important effects.
First, indicators change quickly.
Infrastructure is rotated, payloads are modified, and artifacts are short-lived.
By the time indicators are identified and shared, they are often no longer relevant.
Second, behavior changes more slowly.
Even when attackers modify tools or infrastructure, they still need to:
· Execute code
· Establish persistence
· Communicate externally
· Move through systems
These actions create observable patterns that are more stable than the artifacts used to perform them.
Operational Reality
In many environments, detection strategies prioritize activity that is easy to validate rather than activity that presents the highest risk.
Indicator-based detection provides clear, defensible results.
However, this often leads to under-investigation of behavior that does not match known patterns.
As attackers increasingly avoid reusable indicators, this gap becomes more significant.
Implication for Analysts
· Detection approaches that rely primarily on indicators become less effective as attacker speed increases.
· Detection approaches that focus on behavior remain effective because they target what attackers must do, not what they temporarily use.
Industry Shift
· The increasing effectiveness of zero-day exploitation and rapidly changing malware variants is not solely a result of attacker capability.
· It is also a result of detection approaches that rely heavily on known indicators.
· As attackers adapt, detection strategies must evolve to focus on behavior that cannot be easily changed.
Key Takeaway
· Indicators evolve quickly.
· Behavior evolves more slowly.
· Effective detection strategies must account for this difference.
Where Indicators Fit (And Where They Fail)
· Indicators of Compromise represent known malicious artifacts.
· They do not represent behavior.
What Analysts Actually Spend Time Doing
In most environments, analysts spend significant time:
· Searching for known malicious domains or IPs
· Checking file hashes against threat intelligence
· Reviewing alerts tied to known indicators
This work is necessary. It helps:
· Confirm known threats
· Understand scope
· Support incident response
However, it creates a pattern.
Analysts may begin to focus primarily on what is already known
Critical Reality of IOC Timing
In modern attack operations, by the time an IOC is reported and reaches analysts, it is often already detected, rotated, or no longer central to the attacker’s activity.
This means most IOC-based work is focused on:
· What already happened
· Not what is currently happening
Why This Becomes a Problem
When analysts rely heavily on indicators:
· New activity is ignored if there is no match
· Early-stage compromise is missed
· Investigation becomes reactive
This leads to a dangerous assumption:
If it is not in threat intelligence, it is safe.
This assumption is incorrect.
What This Means Operationally
By the time an IOC is:
· Reported
· Shared
· Operationalized
The attacker may have already:
· Used it
· Rotated it
· Achieved their objective
What Attackers Expect
Attackers assume:
· Their infrastructure will be detected
· Indicators will be shared
· Defenders will search for them
\They adapt by:
· Rotating infrastructure quickly
· Using disposable resources
· Avoiding reuse
Core Distinction
Indicator-based detection answers one question:
· Has this exact thing been seen before.
Heuristic hunting answers a different question:
· Does this behavior indicate something is wrong, even if it has never been seen before.
Indicator-based detection depends on prior knowledge.
Heuristic detection operates without it.
Correct Use of Indicators
Indicators are useful for:
· Confirming known activity
· Enriching investigations
· Supporting response
They are not sufficient for:
· Detecting new attacks
· Determining safety
· Driving all investigative decisions
Indicator-based detection remains critical for confirming known threats and supporting incident response. Heuristic hunting complements this by addressing activity that has not yet been identified.
Transition to Hunting
Because indicators are reactive and time-limited,
Analysts need a method that works without prior knowledge.
That method is heuristic hunting.
What Heuristic Hunting Actually Means
Heuristic hunting focuses on identifying suspicious behavior.
Instead of asking:
· Is this known malicious
You ask:
· Does this behavior make sense in this environment
Why This Works
Attackers change:
· Tools
· Payloads
· Infrastructure
They do not change:
· The need to execute
· The need to communicate
· The sequence of actions
Constraint
You will not have certainty when performing heuristic hunting.
You will often be working with:
· Partial visibility
· Incomplete information
· Multiple possible explanations
This is not a failure condition.
It is the normal operating environment.
The goal is not to prove something is malicious.
The goal is to make a defensible decision based on available evidence.
Signals: The Foundation of Hunting
Everything in heuristic hunting is built on signals.
A signal is any observable activity that may indicate abnormal behavior.
Types of Signals
· A weak signal is unusual but explainable.
· A supporting signal adds context.
· A strong signal chain forms when signals connect into a sequence.
What This Means in Practice
· Weak signals are constant and most are benign.
· The goal is not to eliminate them.
· The goal is to recognize when they begin to connect into meaningful patterns.
Signal Clarification
A weak signal is not low risk.
· It is low confidence until context is added.
· As context increases, confidence increases.
· The analyst’s role is to determine when that confidence justifies action.
Why Signals Are Difficult to Use
· Signals are difficult because they exist in high volume and lack immediate clarity.
Why Analysts Struggle
Analysts must constantly balance:
· Investigating too much noise
· Missing real threats
How Attackers Exploit This
Attackers rely on:
· Weak signals being ignored
· Lack of correlation
· Analysts staying within a single system
Key Insight
Signals become meaningful when they are connected across time and context.
Signal Escalation Model
· A weak signal alone does not justify escalation.
· A weak signal with supporting context requires investigation.
· A sequence of related signals justifies escalation.
· This is not because the activity is confirmed malicious,
· but because the behavior is inconsistent enough with expected activity to require further analysis.
Important Constraint
· Abnormal behavior is defined relative to expected activity for the user, system, and environment.
· Escalation should occur when behavior deviates from that baseline and forms a sequence that cannot be reasonably explained.
Where Signals Exist (Telemetry Model)
Signals exist across:
· Entry
· Execution
· Communication
Key Rule
· If you investigate only one area, you will only see part of the attack.
Practical Hunting Workflow
· Start with something unusual.
· Look back to identify origin.
· Look forward to understand impact.
· Check for external communication.
· Determine whether events form a sequence.
· Apply escalation logic.
· At this stage, the goal is not to prove the activity is malicious.
· The goal is to determine whether the behavior justifies further investigation.
What Good Looks Like
Effective hunting produces a structured explanation of behavior.
A strong investigation:
· Identifies the initial signal
· Adds relevant context
· Connects events into a sequence
· Explains why the behavior is abnormal.
· The output is a defensible narrative that explains:
What happened
Why it is abnormal
Why it requires further investigation.
Decision-Making Under Uncertainty
· All hunting decisions are made without full certainty.
Reality of the Role
· Data is incomplete
· Signals are ambiguous
· Time is limited
Decision Model
· Rare but explainable activity is deprioritized.
· Rare activity with execution is investigated.
· Rare activity with execution and communication is escalated.
Operational Constraint
· Not all activity can be fully investigated.
· These decisions are about prioritizing risk under limited time and incomplete information.
· This model is designed to improve decision quality, not increase investigation volume.
Real-World Narrative
· A user receives an email with a document.
· The document is opened.
o No alert triggers.
· There is no immediate indication that the activity is malicious.
· Shortly after:
o A script executes
o The system connects externally
· There are no known indicators.
o The activity is reviewed and closed.
o Days later, the system is confirmed compromised.
What Went Wrong
The activity was evaluated based on:
· Lack of indicators
· Lack of alerts
The behavior itself was not evaluated.
What Would Have Worked
· Identifying abnormal execution
· Recognizing the sequence
· Connecting execution to communication
Key Lesson
· The attack was visible.
· It was not recognized.
Good vs Poor Analysis
Poor Analysis
· Poor analysis focuses on what is missing.
· The activity has no indicator match.
· No alert was triggered.
· The case is closed.
Good analysis
· Good analysis focuses on what is present.
· The activity does not match known indicators.
· However, the behavior forms a sequence involving execution and external communication.
· The timing and combination of events are inconsistent with expected activity.
· The case is escalated for further investigation.
Operational Insight
· Heuristic hunting is not about proving something is malicious.
· It is about identifying behavior that is abnormal enough to require investigation.
Important Reminder
· The absence of indicators is not evidence of safety.
How to Explain Heuristic Findings
· When escalating heuristic findings, analysts must clearly explain their reasoning.
· Heuristic findings are based on behavior, not known indicators.
· This means the analyst must justify escalation using context and sequence.
The Core Challenge
Escalations are often challenged with:
· What indicator is associated
· What alert triggered this
· How do you know this is malicious
If reasoning is unclear, the finding may be dismissed.
How to Structure an Explanation
· Start with the initial signal.
· Add the context that increased suspicion.
· Describe the sequence of events.
· Explain why the behavior is abnormal.
· End with a clear risk statement.
Example Explanation
This activity began with an Office application launching a command interpreter.
The command used encoded execution, which is not typical for standard user activity.
Immediately after execution, the system initiated an external network connection.
While each event may be explainable individually, the sequence and timing are inconsistent with expected behavior and align with initial compromise patterns.
Escalation is recommended.
Handling Pushback
If challenged with:
· There is no indicator
Respond with:
· This escalation is based on behavioral correlation.
· The sequence of activity is inconsistent with expected behavior, even without a known indicator.
Communication Insight
· You are not proving something is malicious.
· You are demonstrating that the behavior justifies investigation.
Common Failure Patterns
· Focusing on single events
· Ignoring timing relationships
· Failing to correlate across systems
· Over-relying on indicators
· Misjudging escalation
Implementation Boundary
This guide does not include:
· Detection thresholds
· Correlation timing
· Noise reduction logic
· Environment tuning
These require engineering and operational design.
Final Operational Model
Effective hunting requires:
· Recognizing signals
· Building context
· Connecting events
· Making decisions under uncertainty
Strategic Insight
· Organizations that rely only on indicators detect compromise after it occurs.
· Organizations that use behavioral correlation detect compromise while it is happening, reducing dwell time and limiting operational impact.
Final Principle
Attacks are not hidden because they are invisible. They are hidden because the individual signals are not connected in time and context. The role of the analyst is to connect them.”
