Cyber Threat Hunting

Learn how your organization can benefit from cyber threat hunting.

What is Cyber Threat Hunting?

Cyber threat hunting is the practice of systematically and proactively looking for malicious cyber activity inside your organization’s network – it is a critical element in defending against cyber attacks, mitigating the impact of cyber incursions already inside your network and establishing a complete approach to cyber resilience.

Importantly, effective cyber threat hunting cannot be achieved solely by deploying software and hardware technologies to scan for malicious code. We know this because cyber threat actors regularly penetrate and lurk within corporate networks for over 200 days on average before being detected.

In today’s fast-moving cyber environment, organizations need skilled and experienced cyber incident response professionals to serve as threat hunters who can leverage sophisticated tools and situation-specific methodologies to anticipate known and unknown cyber threats.

Breach Assistance

When Should You Conduct a Threat Hunt?

It is always best practice to perform cyber threat hunts annually as part of your cyber resilience strategy. However, it is also important to perform targeted threat hunts when major changes occur in your environment or uncertainty is identified. Examples of situations that may necessitate a threat hunt include:

Identification of a major vulnerability (such as Log4j) or breach (such as SolarWinds) on a critical asset or software your organization uses
M&A activity to ensure you are protected against buying a breach
Periods of major system change to ensure attackers don’t take advantage of disruption
After a cyber event to provide confidence to third parties that your organization hasn’t remained actively compromised
Annual cyber resilience assessments to check if your cyber strategy, controls and cyber risk mitigation processes are working as planned

Explore More Cyber Offerings

What are Common Cyber Threat Hunting Techniques?

Client Portal

Clients have 24/7 access to the CyberScan online portal with real-time and on-demand visibility into their vulnerabilities and risk exposures.
Situation- or Event-Based Hunting
There are multiple ways an organization can learn about actual or potential threats inside their network, including finding a ransomware note on a computer, a notification from law enforcement or intelligence, receiving an antivirus alert, or hearing from the finance department that a fraudulent wire transfer just occurred.

In all cases, whether the incident has a clear starting point or a dubious origin, you must act immediately to answer several key questions. A situation- or event-based threat hunt seeks to answer these questions including:
- Who is the threat actor, and are they credible? It is important to know who you are dealing with and whether they are a known or unknown actor. Are they opportunistic hackers, a well-known criminal group or a nation state?
- How did the threat actor initially access your network? Once identified, these vulnerabilities need to be addressed as quickly as possible.
- Where did the threat actor go in your network, and what did they do? Did they read emails, access specific datasets and systems, or take and sell information, among other things?
- How long was the threat actor in your network? The answer to this question will help you assess potential damage and will help to better inform potential customer outreach.
Answering some or all of these questions will be important to your recovery and rebuilding a formidable cyber security posture.
Hypothesis Based Hunting

Imagine a scenario where your company receives information that a specific dataset you own is the target of a known and capable threat actor. What should you do next?

In these cases, our team will launch a hypothesis-driven threat hunt, which starts by asking: If I were a hacker, how would I try to steal this data? From there, we ask: “If I undertook an attack of this nature, what evidence would I leave behind, and what could someone do to find this evidence?”

Working backward from the outcome your organization tries to avoid, our cyber threat hunters can help identify evidence of past attacks, successful or failed, and sometimes even detect and interrupt cyber attacks in progress.

Our Aon team relies on proven cyber threat hunting techniques to guide our work, which we calibrate to align with the needs of your operation and cyber risk tolerance. Importantly, our mission goes far beyond finding malicious code in your network. We seek to identify any threat actor operating in, or with persistent access to, your network, so you can kick them out and prevent similar attacks from happening in the future.

Cyber threats are evolving rapidly, and risk mitigation is an ongoing challenge. The decisions an organization makes will prove critical to its cyber resilience. Given the current threat landscape, we recommend a regular proactive cyber threat hunt with Aon to build cyber resilience.

200+

Cyber threat actors regularly penetrate and lurk within corporate networks for over 200 days on average before being detected.

Endpoint Detection and Response Deployment and Monitoring

Does your company need an advanced endpoint security tool? If so, we can deploy market-leading EDR tooling during our engagement to help identify threats. Or, if you already have a tool in place, our experienced threat hunters can utilize any major EDR platform to search for threat actor activity.
Device Forensic Review

Do you have computers, network appliances, servers or mobile devices that are currently unprotected or show indicators of compromise? Our team is well-versed in performing fast and thorough forensic analysis to establish whether a device has been accessed by a malicious actor.
Cloud Threat Hunting

Does your infrastructure reside in Azure, Google Cloud, AWS or a similar cloud service? Moving data to the cloud does not automatically ensure its security. Our team can analyze your cloud instance(s) and/or infrastructure to identify if there are existing cyber criminals accessing your systems.
Network Log Review

Network logs often can show how an attacker got into a computer network and moved laterally throughout the network. Our team can review logging in place and, where necessary, deploy sensors or collectors to capture networks.
Deep/Dark Web Scan

What activity references your company on the deep and dark webs? Our team regularly performs dark web intelligence gathering and analysis to assess online targeting and external-facing risk exposure of external assets, breached data, compromised credentials or other online security vulnerabilities.
Customized Client Approach

We’ve responded to thousands of cyber incidents over many years and know every business has a unique cyber footprint. Therefore, every client deserves a cyber threat hunt designed to align with the specific needs of their network setup and layout.

Podcast 25 Minute Listen

On Aon's Podcast: Cyber Threat Hunt

Cyber incidents are becoming more frequent, targeted, sophisticated and costly, with a projected $10.5 trillion annual global cost by 2025.

Learn More

Cyber Threat Hunting

Broking and Risk Transfer

Claim Management

Reinsurance

Risk Analytics

Risk Management

Risk Retention

Health and Benefits

Human Capital Analytics

Investments

Pensions and Retirement

Talent and Rewards

Workplace Wellbeing

Construction and Real Estate

Financial Institutions

Financial Sponsors

Food, Agribusiness and Beverage

Healthcare Providers and Services

Hospitality, Travel and Leisure

Industrials and Manufacturing

Insurance

Life Sciences

Natural Resources

Professional and Business Services

Public Sector

Retail and Consumer Goods

Sports and Entertainment

Technology, Media and Communications

Transportation and Logistics

Trade

Technology

Weather

Workforce

Our Story

Our Values

Our Impact

Inclusion and Wellbeing

Leadership and Governance

Careers

Risk Capital

Human Capital

Alert

Report

Report