Mental Games: Threat Hunting Mental Models, Strategies, and Normal Behavior

In the cyber security market today there are a lot of buzzwords, and one of them is threat hunting.

Many tools and services claim they have threat hunting capabilities, but in most cases, this isn’t 100% true.

Threat hunting is an active detection technique that requires real knowledge, understanding, and availability of data. Threat hunting is not a rule, signature, alert, or machine learning AI magic.

In practice, the technique involves much more than indicators of compromise (IoCs). Yet searching for IoCs that are new or previously unknown is what most traditional threat hunting amounts to today.


Mental Models

A mental model is the process your brain goes through to figure out how something works and to connect the steps involved. Your brain builds a map based on knowledge of what a solution appears to be.

Smarter Faster Better by Charles Duhigg discusses how to go through a checklist of what is normal in a given scenario. As you gain experience and knowledge in your field of expertise, you start to learn how things work, what failures have occurred, and what should be happening.

To develop a mental model, you must be flexible and ask the right questions. Keep it simple and find a way to apply the questions to your scenario. You probably aren’t consciously aware that you are using a mental model, but you are using them all the time.

Threat hunting takes real understanding.

  • What is normal behavior on a network?
  • Who should and shouldn’t be logging into something?
  • How should an application act?
  • Where should this data be allowed to go?

Sometimes intuition kicks in, and you may “feel” something is off. Sort of like the cybersecurity “force.”


Threat hunting can be frustrating but rewarding. Often threat hunting leads you down rabbit holes which, after hours of research, turn out to be normal activity. You often spend massive amounts of time threat hunting... to your own demise. The 80/20 rule surely applies: positive results from threat hunting are few and far between, with a significant amount of effort spent finding them.


Here is an example of a real-life threat hunt that occurred. One of our analysts detected a random PowerShell connection with an interesting reverse shell banner on an odd port. Malicious, right?

After an analyst dug through everything that the host had done for hours, viewing tons of encrypted traffic that wasn’t decryptable, tracing ports and connections, and doing OSINT searching, he found out it was an open-source patching platform which happens to use a program from a hacker toolkit to test connections to a PC before sending a patch. Seems crazy, right? So then why bother threat hunting?
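The “what is normal?” questions above, and the PowerShell rabbit hole just described, can be turned into a small baseline-driven triage script. The example below is added here and is not Datashield’s code or any tool the post mentions; every user, host, IP, port and log record in it is constructed. It builds a per-user baseline of usual hosts and logon hours, flags logons that break the baseline, flags processes talking on ports they do not normally use, and keeps a `KNOWN_BENIGN` table so that a connection already explained by an earlier hunt (the patching platform case) is not chased again.

```python
"""Baseline-driven hunting triage (added example, not the post's own code).

All records below are constructed sample data; the host names, users and
addresses do not refer to any real environment.
"""

from collections import defaultdict
from datetime import datetime

# Constructed "known good" week of logons: (timestamp, user, host)
BASELINE_LOGONS = [
    ("2024-03-04T08:05:00", "alice", "WS-ALICE"),
    ("2024-03-05T09:10:00", "alice", "WS-ALICE"),
    ("2024-03-06T10:00:00", "alice", "WS-ALICE"),
    ("2024-03-04T08:30:00", "bob", "WS-BOB"),
    ("2024-03-04T02:00:00", "svc_backup", "FILESRV-01"),
    ("2024-03-05T02:00:00", "svc_backup", "FILESRV-01"),
]

# Constructed logons from the day being hunted
NEW_LOGONS = [
    ("2024-03-11T09:15:00", "alice", "WS-ALICE"),        # normal
    ("2024-03-11T02:30:00", "alice", "FILESRV-01"),      # new host, odd hour
    ("2024-03-11T02:00:00", "svc_backup", "FILESRV-01"), # normal for a backup account
    ("2024-03-11T08:30:00", "bob", "WS-BOB"),            # normal
    ("2024-03-11T08:40:00", "contractor1", "WS-BOB"),    # nobody has seen this user before
]

# Constructed outbound connections: (timestamp, host, process, destination, port)
CONNECTIONS = [
    ("2024-03-11T03:00:00", "WS-ALICE", "powershell.exe", "PATCH-01", 7000),
    ("2024-03-11T03:05:00", "WS-ALICE", "powershell.exe", "198.51.100.23", 4444),
    ("2024-03-11T09:00:00", "WS-BOB", "chrome.exe", "203.0.113.10", 443),
    ("2024-03-11T09:30:00", "WS-BOB", "powershell.exe", "PATCH-01", 7000),
]

# Ports each process is expected to use in this (hypothetical) environment
EXPECTED_PORTS = {
    "powershell.exe": {80, 443, 5985, 5986},
    "chrome.exe": {80, 443},
}

# Closed rabbit holes: (process, destination, port) -> why it was judged benign.
# The patch-server entry stands in for the post's open-source patching platform.
KNOWN_BENIGN = {
    ("powershell.exe", "PATCH-01", 7000): "patch platform connectivity test (closed hunt, placeholder id)",
}


def build_logon_baseline(records):
    """Map each user to the hosts and hours-of-day seen in the baseline period."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host in records:
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline


def hunt_logons(records, baseline):
    """Return (ts, user, host, reasons) for every logon that breaks the baseline."""
    findings = []
    for ts, user, host in records:
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        known = baseline.get(user)
        if known is None:
            reasons.append("user has no baseline")
        else:
            if host not in known["hosts"]:
                reasons.append(f"first logon to {host}")
            if hour not in known["hours"]:
                reasons.append(f"logon at hour {hour:02d} is outside usual hours")
        if reasons:
            findings.append((ts, user, host, reasons))
    return findings


def hunt_connections(records, expected_ports, known_benign):
    """Return (ts, host, process, dest, port, reason) for connections worth a look.

    Anything already explained in known_benign is skipped so the same rabbit
    hole is not re-opened; a process with no port baseline is always reported.
    """
    findings = []
    for ts, host, process, dest, port in records:
        if (process, dest, port) in known_benign:
            continue
        allowed = expected_ports.get(process)
        if allowed is None:
            findings.append((ts, host, process, dest, port, "no port baseline for process"))
        elif port not in allowed:
            findings.append((ts, host, process, dest, port, f"{process} does not normally use port {port}"))
    return findings


if __name__ == "__main__":
    for finding in hunt_logons(NEW_LOGONS, build_logon_baseline(BASELINE_LOGONS)):
        print("LOGON ", finding)
    for finding in hunt_connections(CONNECTIONS, EXPECTED_PORTS, KNOWN_BENIGN):
        print("CONN  ", finding)
```

Run as-is, the script reports alice’s 02:30 logon to FILESRV-01, the never-seen `contractor1` account, and the PowerShell connection to port 4444, while the two PATCH-01 connections are silently accepted because a previous hunt already explained them. The point is the shape, not the data: the baseline encodes the analyst’s answers to “who should be logging in where, and how should this application act,” and the known-benign table is how hours spent on a rabbit hole become reusable knowledge instead of being spent again next month.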

Attackers are always changing tactics, using evasion techniques and tools such as VirusTotal to go undetected.

Threat hunters are the cyber CSI guys.


They live for finding the needle in the haystack. Tracking down an attacker, or malware that is deployed and talking back to a previously unknown C2 server, is thrilling. And it does pay off.

We have found many items through threat hunting such as malware, crypto miners, remote access, and data exfiltration as part of these exercises.

Using these techniques, my team has detected accessible PII, breached third parties, and breached devices such as firewalls, F5s, and Citrix NetScalers. (These are in clients with the latest Next-Gen AV, SMTP filters, IDS/IPS systems, and other tools.)

Nothing will be detected 100% of the time by tools. That’s why we use our knowledge and skills to build a mental model that helps identify abnormalities and decide whether or not to go down the rabbit hole.

If you have questions about threat hunting and mental games, contact us today.

Jeff Marshall
Jeff Marshall was the previous Chief Information Security Officer at Datashield and contributed technical content to the Datashield resource library. Jeff worked at Datashield for nearly 4 years and provided thought leadership and educational content for the Datashield resource library.
