CISA – Cyber Threat Hunting Recommendations

It intrigued me to read the section titled “Threat Hunting” in the Cybersecurity and Infrastructure Security Agency (CISA) Alert, “Ransomware Awareness for Holiday and Weekends.”

Although I am not an I.T. or computer security person, as an IP investigations and protection blogger, I found it interesting to review the recommended actions all entities can take to hunt for cyber threats.

As noted in the CISA alert, “Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack.”

The “Threat Hunting” section is divided into four areas:

  • Understand the IT environment’s routine activity and architecture by establishing a baseline.
  • Review data logs.
  • Employ intrusion prevention systems and automated security alerting systems.
  • Deploy honeytokens and alert on their usage to detect lateral movement.

(As per Wikipedia, “Honeytokens are fictitious words or records that are added to legitimate databases. They allow administrators to track data in situations they wouldn’t normally be able to track, such as cloud-based networks.

“If data is stolen, honey tokens allow administrators to identify who it was stolen from or how it was leaked. If there are three locations for medical records, different honey tokens in the form of fake medical records could be added to each location. Different honeytokens would be in each set of records.”)

That’s darn interesting!

Other indicators of suspicious activity that threat hunters should look for include:

  • Unusual inbound and outbound network traffic,
  • Compromise of administrator privileges or escalation of the permissions on an account,
  • Theft of login and password credentials,
  • Substantial increase in database read volume,
  • Geographical irregularities in access and login patterns,
  • Attempted user activity during anomalous logon times,
  • Attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and
  • Baseline deviations in the type of outbound encrypted traffic, since advanced persistent threat actors frequently encrypt exfiltration.
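To make the baseline, honeytoken and indicator ideas above concrete, here is a small Python script added as an example; it is not from the CISA alert or this blog. It works over log lines constructed for the example in a made-up format (“timestamp user event detail”), learns each user’s routine logon hours, logon countries and daily database read volume from a baseline window, and then flags logons at anomalous times, logons from a new geography, any access to a hypothetical decoy record (the honeytoken), and a substantial increase in database read volume relative to the baseline.

```python
"""Added example (not from the CISA alert or this blog): a toy threat-hunting
pass that applies several of the recommendations above to constructed log
lines: build a baseline of routine activity, then flag logons at anomalous
hours, logons from a new geography, honeytoken access, and a database
read-volume spike against that baseline."""
from collections import defaultdict
from datetime import datetime

# Hypothetical decoy record path; a real honeytoken would be a fake record
# planted in each data store so that any access to it is suspicious.
HONEYTOKENS = {"records/patient_000000.json"}

# Constructed log format: "<ISO timestamp> <user> <event> <detail>"
# LOGON detail = country code, DB_READ detail = rows read, FILE_ACCESS detail = path
BASELINE_LOGS = [
    "2021-11-29T09:02:00 alice LOGON US",
    "2021-11-29T10:00:00 alice DB_READ 120",
    "2021-11-29T08:15:00 bob LOGON US",
    "2021-11-29T11:00:00 bob DB_READ 50",
    "2021-11-30T14:10:00 alice LOGON US",
    "2021-11-30T15:00:00 alice DB_READ 80",
    "2021-11-30T08:40:00 bob LOGON US",
    "2021-11-30T09:30:00 bob DB_READ 50",
]
NEW_LOGS = [
    "2021-12-06T09:05:00 alice LOGON US",
    "2021-12-06T10:30:00 alice DB_READ 90",
    "2021-12-07T03:12:00 bob LOGON RO",
    "2021-12-07T03:20:00 bob FILE_ACCESS records/patient_000000.json",
    "2021-12-07T03:25:00 bob DB_READ 400",
]


def parse(line):
    """Split one constructed log line into (timestamp, user, event, detail)."""
    ts, user, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, event, detail


def build_baseline(lines):
    """Learn routine activity per user: logon hours, logon countries,
    and mean database rows read per day."""
    hours = defaultdict(set)
    countries = defaultdict(set)
    reads = defaultdict(lambda: defaultdict(int))
    for ts, user, event, detail in map(parse, lines):
        if event == "LOGON":
            hours[user].add(ts.hour)
            countries[user].add(detail)
        elif event == "DB_READ":
            reads[user][ts.date()] += int(detail)
    mean_reads = {u: sum(d.values()) / len(d) for u, d in reads.items()}
    return {"hours": hours, "countries": countries, "mean_reads": mean_reads}


def hunt(lines, baseline, read_factor=5.0):
    """Return (user, indicator, detail) findings for deviations from the baseline."""
    findings = []
    daily_reads = defaultdict(lambda: defaultdict(int))
    for ts, user, event, detail in map(parse, lines):
        if event == "LOGON":
            if ts.hour not in baseline["hours"].get(user, set()):
                findings.append((user, "anomalous_logon_time", ts.isoformat()))
            if detail not in baseline["countries"].get(user, set()):
                findings.append((user, "new_geography", detail))
        elif event == "FILE_ACCESS" and detail in HONEYTOKENS:
            # Nothing legitimate reads a decoy record, so any hit is an alert.
            findings.append((user, "honeytoken_access", detail))
        elif event == "DB_READ":
            daily_reads[user][ts.date()] += int(detail)
    # Substantial increase in database read volume versus the user's baseline
    for user, per_day in daily_reads.items():
        mean = baseline["mean_reads"].get(user, 0)
        for day, total in per_day.items():
            if mean and total > read_factor * mean:
                findings.append((user, "db_read_spike",
                                 f"{day}: {total} rows vs baseline {mean:.0f}/day"))
    return findings


if __name__ == "__main__":
    for finding in hunt(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(*finding)
```

On the constructed data, alice’s activity matches her baseline and produces nothing, while bob’s 03:12 logon from a country never seen before, his read of the decoy record, and his 400-row day against a 50-row baseline each surface as a separate finding. The threshold (`read_factor`) and the baseline window are the knobs a real deployment would tune against its own routine activity.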


In the current cyber hacking climate, regardless of our IP specialties, it is useful for us to have some understanding of what strategies an I.T. and computer forensics expert could employ to hunt for malicious activity.

As Jen Easterly, the U.S. Director of CISA, put it on December 1st at the Fortune Brainstorm TECH event in Silicon Valley, “…it’s very important for CEOs to know that cyber security is not just the I.T. guys or the security guys, it’s an existential business risk and quite frankly a risk to national security given the connectivity.”

Disclaimer: IPProbe.Global is a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, regarding the content provided in IPProbe.Global. We disclaim all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such persons and the accuracy and validity of the information provided by them. This blog is for general information only and not intended to provide legal or other professional advice.


Ron Alvarez is an IP investigations and protection consultant and writer in New York City. He is a former NYPD lieutenant where he investigated robbery, narcotics, internal affairs, and fine art theft cases. Ron has since coordinated the private investigation of international fraud and money laundering cases, as well as IP-related investigations and research involving the four pillars of IP: copyright, patents, trademarks, and trade secrets. Ron is a graduate of the FBI National Academy and earned a B.A. in Government and Public Administration from John Jay College of Criminal Justice in Manhattan. He has written a number of articles for various investigative publications, as well as published "The World of Intellectual Property (IP) Protection and Investigations" in November 2021.

