Cyber Threat Investigation and Threat Hunting

According to the Verizon Data Breach Investigation Report (DBIR), advanced threats hide in environments undetected, often for months, while they stealthily gather valuable information or data to compromise. Waiting for such threats to become visible, or for an alert to be generated by traditional SOC monitoring tools, could be a fatal mistake.

Cyber Threat Intelligence (CTI) concerns the collection and analysis of information in order to identify and characterize possible cyber threats from a technical, resource, motivational and intent perspective, often in relation to specific operational contexts.

To do this, CTI professionals must carry out investigative practices, so-called Threat Investigation, searching for the threats and the criminal groups behind them as much as for the vulnerabilities in the affected infrastructure.


Cyber Threat Intelligence

Cyber Threat Intelligence is a practice that adopts specific defense tools against possible attacks and identifies any new vulnerabilities within the corporate network.

Like any community, the cyber criminal community has its references, meeting places and communication channels on the Internet.

Monitoring this widespread undergrowth on the Web, made up of specialized forums, chat channels and more or less clandestine marketplaces, gives cybersecurity experts a strategic advantage to improve the effectiveness of protection tools.

Threat Intelligence is often intertwined with penetration testing and malware research, whereby experts work to uncover vulnerabilities in software and applications, enabling companies to remediate before a data breach occurs.


Threat Investigation and Threat Hunting

Cyber Threat Investigation is a search activity conducted across networks, endpoints, and datasets to find malicious, suspicious, or risky cyber activity that has not been detected (or is able to evade detection) by current security tools.

Proactive Threat Investigation tactics, such as Threat Hunting, have evolved to apply Threat Intelligence to previously collected data in order to identify and classify potential threats preemptively, before an attack.

Security personnel cannot afford to believe that their security system is impenetrable. They must remain vigilant at all times to detect the next threat or vulnerability.

Rather than sitting back and waiting for threats to strike, Threat Hunting activities develop hypotheses based on knowledge of threat actor behaviors and validate those hypotheses through active research in the environment, supported by tools such as the MITRE ATT&CK framework.

With Threat Hunting, an expert does not start with an alert or an indicator of compromise (IOC), but with deeper forensic reasoning.

In many cases, the Threat Hunter’s efforts create and corroborate the alert or IOC. Cyber Threat Investigation assumes that a breach has occurred or will occur in the considered company information systems.

Essentially, anything done in a preventive form, before a cyber infection, is considered Threat Hunting; all operations carried out after an infection has been detected are considered Threat Investigation initiatives, usually followed by Incident Response activities.


Telsy’s Threat Investigation

Threat Investigation is thus a defensive activity to detect and isolate those threats that escape detection by existing security solutions because they are new and/or unknown.

Telsy’s Threat Investigation service offers a specialized activity aimed at gathering evidence traceable to a specific anomaly or artifact encountered by the Customer, with the goal of restoring business continuity.

The goal is to validate, understand and react to events so as to prevent or mitigate their impact, through a combination of automated analysis and insights from Telsy’s experts.

The offering includes the provision of a technical report containing the event description, data enrichment, indicators of compromise, the attack modes used (Threat Modelling), and finally the planning of a defense strategy and assurance to support business continuity recovery.
