Uncover Hidden Threats! Practical use case of Threat Hunting

Cyberattacks continue to evolve, and the number of attacks that cannot be detected by traditional security measures alone is increasing. In addition, the widespread use of cloud services and the expansion of remote work have made corporate IT environments more complex, raising the risk of attacker intrusions.
At NTT DATA, globally distributed offices maintain security through a zero-trust-based Global Security Platform. To further strengthen defense, our company has introduced threat hunting, a proactive approach that searches for signs of attacker activity under the assumption that "an intruder may already be inside."
This article explains the concept of threat hunting and introduces NTT DATA's real-world initiatives. It is recommended for readers seeking practical examples and a deeper understanding of the topic.

1. What Is Threat Hunting?

According to CrowdStrike, threat hunting is "the proactive activity of searching for cyber threats that may be hiding undetected within a network." These cyber threats include unauthorized access, malware infections, data leaks, and other activities that jeopardize the systems of companies and individuals.
As attack techniques have become increasingly sophisticated in recent years, more threats are now able to bypass or evade traditional defensive measures. For this reason, threat hunting has gained significant attention among both private companies and government agencies. In Japan, it is even referenced in the Defense Buildup Program, which outlines the security capabilities the nation should maintain. This suggests that threat hunting may eventually become an expected or required practice for private-sector organizations as well.
At present, only a limited number of organizations in Japan have fully implemented formal threat hunting programs. However, given the government's direction and the rapid growth of cyber threats both domestically and globally, more companies are expected to consider adopting threat hunting in the near future.

2. Positioning of Threat Hunting at NTT DATA

NTT DATA maintains the security of its globally distributed offices through a Global Security Platform based on zero-trust principles. This platform incorporates automated monitoring and detection to reduce response time. For example:

  • SIEM (Security Information and Event Management): Monitors, detects, and investigates cybersecurity events
  • EDR (Endpoint Detection and Response): Continuously monitors user devices to detect and respond to threats

To further strengthen its security posture, NTTDATA-CERT, the company's global governance team, officially launched full-scale threat hunting operations in April 2024. This initiative aims to go beyond passive detection and create a system capable of identifying early indicators of compromise, enabling rapid response before damage spreads.

3. Practical Use Case of Threat Hunting

3.1 Roadmap

To perform threat hunting effectively, it is crucial to assess an organization's maturity and improve capabilities in a structured, step-by-step manner.
NTTDATA-CERT has adopted the Hunting Maturity Model (HMM) as the framework for evaluating and systematically enhancing its threat hunting operations.
The HMM provides a structured way to:

  • Assess current detection and response capabilities
  • Identify gaps and areas for improvement
  • Build a phased roadmap for capability enhancement
  • Establish repeatable, scalable hunting processes

This model enables NTT DATA to progress from ad hoc or manual hunting processes to fully structured, intelligence-driven, and automated threat hunting operations.

[Figure: Hunting maturity model]

3.2 Threat Hunting Execution Process

When conducting threat hunting, it is essential to begin by forming a hypothesis and then proceed with the investigation based on that hypothesis. Without a structured starting point, attempts to identify unknown threats easily lose focus, leading to unclear investigation criteria, inefficient use of resources, and prolonged analysis times.
Among the various hunting methodologies, NTTDATA-CERT has adopted the intelligence-driven hunting approach because of its strong operational effectiveness. This method uses threat intelligence from security vendors, industry organizations, and other external sources to guide the direction of the investigation.
For example, if threat intelligence indicates that "an attack campaign targeting Japan's IT industry has recently been observed," investigators form the hypothesis that a similar attack may also be taking place within NTT DATA's environment. The threat hunting process then begins by examining logs, telemetry, and internal signals related to that specific attack pattern.
By grounding hunting activities in well-defined hypotheses supported by intelligence, the organization is able to conduct focused, efficient investigations and rapidly identify potential indicators of compromise.

[Figure: Threat Hunting Execution Process]

3.3 Threat Intelligence to Be Collected

For effective threat hunting, it is essential to collect threat intelligence that supports concrete, actionable investigations. General news articles or high-level summaries of attacks often lack the technical depth required for meaningful analysis. Therefore, NTTDATA-CERT selected intelligence sources that provide detailed and structured data, including:

  • Indicators of Compromise (IoCs) such as malicious IP addresses, domains, URLs, hashes, and file names
  • Information on attacker tactics, techniques, and procedures (TTPs) aligned with frameworks such as MITRE ATT&CK
  • Campaign-specific details that reveal behavioral patterns, targeting trends, or unique artifacts left by threat actors

By prioritizing intelligence that contains specific technical artifacts and reproducible attack techniques, threat hunters can form clear hypotheses and conduct investigations that lead to tangible detection improvements.

3.4 Collection and Triage of Threat Intelligence

Given the enormous volume of threat information published daily, including details on new attack techniques, malware variants, and active campaigns, it is crucial to have a system that can collect, organize, and operationalize the necessary intelligence efficiently.
To address this, NTTDATA-CERT deployed OpenCTI, an open-source platform for managing threat intelligence. Using OpenCTI, the team implemented an automated pipeline that:

  • Aggregates data from multiple intelligence sources
  • Normalizes and categorizes indicators and attack techniques
  • Correlates related events, campaigns, and threat actors
  • Enables rapid analysis by presenting relevant intelligence in a structured and searchable format

This automated environment allows threat hunters to quickly identify key intelligence, focus on high-priority threats, and reduce the time required for manual data collection or triage.

[Figure: OpenCTI dashboard screen]
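The normalization and correlation steps of the pipeline above, as an added example in Python. This is not OpenCTI's own code or NTTDATA-CERT's connector configuration; it shows what "normalize indicators" and "correlate with attack techniques" amount to on a STIX 2.1 bundle of the kind a feed connector hands to such a platform. The bundle, its IDs, values and the technique link are constructed for illustration, and the PATH_TO_TYPE naming is an assumption for this example.

```python
import re
from collections import OrderedDict

# Constructed STIX 2.1 bundle standing in for what a feed connector hands the platform.
# IDs, values and the technique link are placeholders, not intelligence from the article.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--5a2c0e7e-1c1f-4b2a-9d61-0a1b2c3d4e50",
    "objects": [
        {"type": "indicator", "id": "indicator--0d1f3a9c-6b4e-4b0b-8a2f-1111aaaa0001",
         "pattern_type": "stix", "confidence": 80,
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--0d1f3a9c-6b4e-4b0b-8a2f-1111aaaa0002",
         "pattern_type": "stix", "confidence": 60,
         "pattern": "[domain-name:value = 'nttdata-login.tk'] OR [domain-name:value = 'NTTDATA.TK']"},
        {"type": "indicator", "id": "indicator--0d1f3a9c-6b4e-4b0b-8a2f-1111aaaa0003",
         "pattern_type": "stix", "confidence": 90,
         "pattern": "[file:hashes.'SHA-256' = 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']"},
        {"type": "attack-pattern", "id": "attack-pattern--0d1f3a9c-6b4e-4b0b-8a2f-1111aaaa0004",
         "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "relationship", "id": "relationship--0d1f3a9c-6b4e-4b0b-8a2f-1111aaaa0005",
         "relationship_type": "indicates",
         "source_ref": "indicator--0d1f3a9c-6b4e-4b0b-8a2f-1111aaaa0002",
         "target_ref": "attack-pattern--0d1f3a9c-6b4e-4b0b-8a2f-1111aaaa0004"},
        # The same IP reported again by a second source with higher confidence.
        {"type": "indicator", "id": "indicator--0d1f3a9c-6b4e-4b0b-8a2f-1111aaaa0006",
         "pattern_type": "stix", "confidence": 95,
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    ],
}

# One simple comparison: [<object-path> = '<value>']; AND/OR between brackets is tolerated.
OBSERVABLE_RE = re.compile(r"\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]")

# Assumed mapping from STIX object paths to the flat IoC types a SIEM search will use.
PATH_TO_TYPE = {
    "ipv4-addr:value": "ipv4",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
    "file:name": "filename",
}


def extract_observables(pattern):
    """Return (ioc_type, value) pairs from a simple STIX comparison pattern.
    Unknown object paths are skipped so they can be reviewed by hand."""
    out = []
    for path, value in OBSERVABLE_RE.findall(pattern):
        ioc_type = PATH_TO_TYPE.get(path)
        if ioc_type is None:
            continue
        if ioc_type in ("domain", "sha256"):
            value = value.lower()  # case-insensitive types: normalize so duplicates merge
        out.append((ioc_type, value))
    return out


def technique_map(bundle):
    """indicator id -> sorted ATT&CK IDs, via 'indicates' relationships to attack-patterns."""
    attack_ids = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "attack-pattern":
            for ref in obj.get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    attack_ids[obj["id"]] = ref["external_id"]
    mapping = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "indicates":
            tid = attack_ids.get(obj["target_ref"])
            if tid:
                mapping.setdefault(obj["source_ref"], set()).add(tid)
    return {k: sorted(v) for k, v in mapping.items()}


def normalize_bundle(bundle):
    """Flatten indicators into deduplicated IoC rows: the highest confidence seen wins,
    technique tags and source indicator IDs are merged across duplicates."""
    techs = technique_map(bundle)
    rows = OrderedDict()
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for ioc_type, value in extract_observables(obj["pattern"]):
            row = rows.setdefault((ioc_type, value), {
                "type": ioc_type, "value": value, "confidence": 0,
                "techniques": set(), "sources": set(),
            })
            row["confidence"] = max(row["confidence"], obj.get("confidence", 0))
            row["techniques"].update(techs.get(obj["id"], []))
            row["sources"].add(obj["id"])
    return [dict(r, techniques=sorted(r["techniques"]), sources=sorted(r["sources"]))
            for r in rows.values()]


if __name__ == "__main__":
    for row in normalize_bundle(SAMPLE_BUNDLE):
        print(row["type"], row["value"], row["confidence"], row["techniques"])
```

The output rows are what a hunter actually pastes into a SIEM search: one line per unique indicator, with the confidence that survived deduplication and the ATT&CK technique it is tied to. Real STIX patterns can be far richer than single comparisons (temporal qualifiers, nested observation expressions); anything this parser does not recognise is dropped rather than guessed at, which is the right failure mode for an automated triage feed.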

To appropriately filter threats relevant to our company from the collected intelligence, we introduced the following three-stage triage criteria. This clarified the selection standards, prevented inconsistencies in judgment within the team, and enabled faster and more efficient identification of potential threats.

[Figure: Threat Intelligence Triage Criteria]

3.5 Hunting

Based on the selected threat intelligence, NTTDATA-CERT conducts investigations using both SIEM and EDR. For example, when malicious IP address information related to an attack campaign is obtained, that IP address is searched within SIEM logs to determine whether any internal communication occurred. If communication is detected, analysts perform deeper investigation to check for abnormal user behavior or signs of compromise.
Below is an example of a threat that NTTDATA-CERT successfully identified:

  1. Acquisition of Threat Intelligence
    Threat intelligence indicated that the top-level domain (TLD) ".tk" has a significantly higher likelihood of misuse compared with common TLDs such as ".com".
  2. Hypothesis Building
    A hypothesis was formed that communications to ".tk" domains might exist within our environment, and that some of these domains could be malicious.
  3. Hunting
    Based on this hypothesis, communications to ".tk" domains were examined. As a result, numerous suspicious domains, including some impersonating NTT DATA, were found to be linked to a single malicious IP address. Although many users had accessed these domains, no malware execution or other harmful activity was detected.
  4. Response
    Because the identified IP address had previously been used as a C&C (Command-and-Control) server, it was added to firewall blocklists to prevent potential future incidents.
    Through this activity, NTTDATA-CERT was able to identify threats that traditional security tools had not detected, thereby reducing the likelihood of future compromises.
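The two search patterns this section describes, the straight IoC lookup (a malicious IP searched against SIEM logs) and the hypothesis-driven ".tk" hunt with its pivot to shared infrastructure and lookalike domains, as an added example in Python. This is not NTTDATA-CERT's tooling and does not query a real SIEM: the log layout, hosts, users and IP addresses are constructed for illustration, and the list of legitimate brand suffixes used by the impersonation check is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed proxy-log layout:
#   <timestamp> <user> <destination host> <resolved IP> <action>
# Hosts, users and addresses are placeholders, not telemetry from the article.
SAMPLE_LOGS = """\
2024-05-01T09:12:03Z alice www.example.com 93.184.216.34 allowed
2024-05-01T09:13:10Z bob nttdata-login.tk 198.51.100.7 allowed
2024-05-01T09:14:55Z carol update.cdn-service.tk 198.51.100.7 allowed
2024-05-01T09:15:20Z dave files.corp.example 10.0.0.5 allowed
2024-05-01T09:16:01Z erin nttdata.tk 198.51.100.7 allowed
2024-05-01T09:17:45Z frank portal.nttdata.com 203.0.113.10 allowed
2024-05-01T09:18:30Z grace random-blog.tk 203.0.113.55 allowed
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<ip>\S+)\s+(?P<action>\S+)$"
)


def parse_logs(text):
    """Parse the constructed layout into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def hunt_ip(records, ip):
    """IoC lookup: every connection whose resolved IP equals the intelligence-supplied address."""
    return [r for r in records if r["ip"] == ip]


def hunt_tld(records, tld):
    """Hypothesis-driven hunt: every connection to a host under the given TLD."""
    suffix = "." + tld.lstrip(".").lower()
    return [r for r in records if r["host"].lower().endswith(suffix)]


def impersonates(host, brand="nttdata", legit_suffixes=("nttdata.com",)):
    """True when the brand string appears in a host that is not under a legitimate
    suffix. The legitimate-suffix list is an assumption for this example."""
    h = host.lower()
    if any(h == s or h.endswith("." + s) for s in legit_suffixes):
        return False
    return brand in h


def pivot_by_ip(records):
    """Group hunted hosts by resolved IP to expose shared infrastructure."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add(r["host"].lower())
    return by_ip


def hunt_report(text, tld=".tk", min_shared=2):
    """Run the TLD hunt end to end: hit count, IPs hosting several hunted domains,
    lookalike domains, and the users who touched any hunted domain."""
    hits = hunt_tld(parse_logs(text), tld)
    by_ip = pivot_by_ip(hits)
    shared = {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= min_shared}
    lookalikes = sorted({r["host"].lower() for r in hits if impersonates(r["host"])})
    users = sorted({r["user"] for r in hits})
    return {
        "tld_hits": len(hits),
        "shared_infra": shared,
        "lookalikes": lookalikes,
        "affected_users": users,
    }


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    print("connections to 198.51.100.7:", [r["host"] for r in hunt_ip(records, "198.51.100.7")])
    print(hunt_report(SAMPLE_LOGS))
```

In a real SIEM each of these functions is a query rather than a Python loop, but the shape of the investigation is the same: the TLD filter on its own is a weak signal (the sample includes a harmless blog on the same TLD), and it is the pivot on the resolved IP that turns scattered hits into one cluster worth blocking. A list of users who merely browsed to the domains is not evidence of compromise, which is why the article's step 3 goes on to check endpoint telemetry for execution before deciding on the response.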

4. Future Outlook

As described above, we have established the processes required for threat hunting and built a system capable of performing hunting activities on a continuous basis. However, this effort also revealed a key challenge: detection that relies on atomic indicators is fragile. Attackers frequently rotate their IP addresses and domains, so the indicators in threat intelligence do not always match the infrastructure actually in use at the time of the hunt.
To overcome this challenge, it is necessary to detect adversaries using more persistent attributes, such as tactics, techniques, and behavioral patterns rather than volatile indicators like IPs or domains. Moving forward, NTTDATA-CERT will continue advancing its threat hunting capabilities by focusing on these more stable detection elements and developing methods that remain effective even as attackers change infrastructure.

[Figure: Pyramid of Pain and robustness analysis]

5. Summary

NTTDATA-CERT has begun implementing threat hunting activities under the assumption that "attackers may already be inside the environment." This initiative strengthens our security posture in alignment with zero trust principles. By continuously enhancing our threat-hunting capabilities and establishing a framework that enables rapid response to unknown threats, we aim not only to improve our internal security resilience but also to contribute to advancing cybersecurity across Japan as a whole.

Yusuke Nakajima

Deputy Manager, NTT DATA Group, Technology and Innovation General Headquarters, Quality Assurance Department, NTTDATA-CERT

Joined the NTT DATA Group in 2019 and worked in sales handling image-processing and NLP solutions. Since April 2023, has been part of the CSIRT unit NTTDATA-CERT, engaging in incident response, threat hunting, IoC collection and distribution, and improving CSIRT operations using LLMs. Strong interest in offensive security, with speaking engagements at major conferences such as Black Hat Asia Briefings and Black Hat USA Arsenal. CISSP, OSDA, OSTH, Statistics Test Level 1.