In today’s digital age, cyber threats are constantly evolving, and Federal agencies are particularly vulnerable to attacks by State-sponsored advanced persistent threats (APTs). The need for a quick and effective response against these attacks is critical to maintaining national security and protecting our critical infrastructure. 

Hunting for APTs is hard – period. Flush with resources, APTs employ arguably the most sophisticated and evasive tactics, techniques, and procedures (TTPs) to infiltrate and persist within a network. Leveraging highly customized and “low and slow” attack methods, along with advanced evasion techniques, APTs are adept at bypassing detection mechanisms and can persist in victim Agency networks for months or even years. Experts at employing “Living off the Land” TTPs, or abusing legitimate applications organic to the victim’s environment (e.g. PowerShell, WMI, RDP, LOLBins, etc.), APTs are able to blend in with normal-looking activity, making them especially difficult for security teams to discover. 

The right team understands these steep challenges and develops a thorough, proactive, and adaptable approach to discover and mitigate evolving cyber attacks from APTs. Using a combination of threat actor research, advanced hypotheses, and comprehensive data analysis, expert threat hunting teams can quickly uncover the threat and respond accordingly. 

Know your target. Critical to an effective threat hunt is understanding the nature of the target APT’s attack methods. Once a triggering event has occurred, driving the operating assumption that a named APT could be in the victim network, threat hunters will immediately begin working to refine their knowledge of the tools and TTPs that could be in scope. This includes researching published open-source and classified threat intelligence, deep and dark web forums, and security whitepapers. Additionally, sophisticated threat hunters will review relevant incident response data and perform malware analysis and reverse engineering to reveal historical attack trends and patterns, as well as the indicators and artifacts that should be expected if the target APT has successfully compromised the victim environment. Combining this data, experienced hunters will reconstruct the APT’s kill chain using industry standards such as the Pyramid of Pain and the MITRE ATT&CK Framework, outlining an attack workflow that later guides the threat hunt hypotheses and operations. 

Tailor your hunt using hypotheses. Experienced threat hunters must assume that APTs are aware of the reported intelligence and detection methods used to find them, and that the APT will only be discoverable by looking for evidence of its TTPs based on well-crafted hypotheses. A hunt hypothesis is a testable statement that outlines the indicators or artifacts that must be present if the target APT succeeded in its attack. A strong hunt hypothesis will define the scope of the hunt, including the systems, network segments, or data sources to be analyzed. It should also consider the context of the environment, such as the Agency’s mission and operations, typical user behavior, and relevant security controls in place. Furthermore, the hypothesis should include criteria or conditions that must be met to confirm or refute it. This could involve thresholds for anomaly detection, correlation with known IOCs, or validation through manual investigation. 

Ensure visibility with the right data. Collecting the right data is essential, and without it, threat hunters are blind. For timely threat discovery and response, hunters must rapidly identify and ensure the collection and processing of a variety of data required to test their threat hunt hypotheses. Network traffic logs reveal patterns suggestive of APT activity, including unusual data transfers and command and control communications, while endpoint logs and artifacts offer insights into compromised devices and persistence mechanisms. System and application logs complement this by highlighting abnormal user behavior and authentication events. User and Entity Behavior Analytics (UEBA) data aids in identifying insider threats and compromised accounts. Collectively, these data sources empower threat hunters to proactively test their hypotheses and prove or disprove the presence of the targeted APT. 

At Edgewater, our recent threat hunt activities to discover Midnight Blizzard, a top-tier Russian government-backed APT, demonstrate our capability and agility. Recognizing the need to perform a hypothesis-driven ad hoc threat hunt to find evidence of compromise that may have evaded existing detections, our threat hunt team jumped into action. We understand the importance of a quick response against cyber attacks, and our expert threat hunt team stands ready to defend our Federal agency customers. Contact us to learn more about our approach to threat hunting, and how we can help protect your Federal organization. 
