Threat Hunting for Singapore Businesses: Detecting Attackers Before They Exfiltrate Data

Why Reactive Security Fails Singapore Businesses

Most Singapore companies run a Security Operations Centre (SOC) or outsource to a managed detection and response (MDR) provider. The model is straightforward: tools generate alerts, analysts investigate, incidents get escalated. This reactive approach catches known threats — but it has a blind spot that sophisticated attackers exploit deliberately.

The problem is dwell time: the period between an attacker gaining initial access and being detected. In Singapore, the average dwell time across analysed breaches runs longer than the global median. Attackers who slip past perimeter controls often operate quietly for weeks or months, moving laterally, escalating privileges, and mapping data stores — before anyone raises an alert.

Threat hunting closes that gap. Rather than waiting for a rule to fire, a hunter actively searches the network for indicators that an attacker is already inside.

Singapore Context

MAS TRM and the Expectation of Proactive Controls

The Monetary Authority of Singapore's Technology Risk Management (TRM) guidelines expect financial institutions to implement "continuous monitoring" and "anomaly detection" — not just baseline alerting. For Singapore fintechs and SMEs serving regulated industries, threat hunting is increasingly seen as a component of due diligence under MAS Notice 655 and the broader TRM framework.

What Threat Hunting Actually Means

Threat hunting is a structured, hypothesis-driven investigation of the network to find evidence of compromise that existing tools have missed. It is not a penetration test. It is not a vulnerability scan. It is a forensic search — conducted whether or not any alerts have fired.

A hunting programme starts with a question: "What would we see if a capable attacker were already in our environment right now?" The answer drives hypotheses, which drive searches, which either clear the environment or find something.

Effective hunts are grounded in three sources:

  • Threat intelligence — known-bad infrastructure, TTPs (tactics, techniques, and procedures) linked to active threat actors, especially those targeting the Asia-Pacific region
  • Network telemetry — DNS queries, netflow data, proxy logs, firewall traffic logs, and VPN session records
  • Endpoint telemetry — process creation events, authentication logs, PowerShell command history, scheduled task modifications, and WMI subscription activity

Common Hunting Hypotheses for Singapore Environments

From our experience running threat hunts across Singapore financial institutions, professional services firms, and technology companies, several hypotheses consistently produce findings — even in environments that pass their annual VAPT:

Lateral Movement via Valid Accounts

Attackers who phish a credential or exploit a VPN gap rarely need to exploit a vulnerability to move forward. They log in with legitimate credentials. Hunting for lateral movement means querying authentication logs for impossible travel (a login from Singapore followed by one from Eastern Europe within two hours), service accounts authenticating to unusual systems, or administrative sessions spanning multiple geographic locations simultaneously.
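The two queries described above, impossible travel and service-account drift, as an added Python example that is not part of the original article or of Infinite Cybersecurity's tooling. The authentication log lines, the country-to-coordinate table, the 900 km/h ceiling and the per-service-account host allow-list are all constructed assumptions for illustration.

```python
"""Hunt for lateral movement via valid accounts over authentication logs.

Added example, not from the original article. All events, the country
centroid table, the speed ceiling and the service-account allow-list are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed centroid coordinates (lat, lon) for the source countries in the sample.
GEO = {
    "SG": (1.35, 103.82),   # Singapore
    "UA": (48.38, 31.17),   # Ukraine
    "MY": (4.21, 101.98),   # Malaysia
}
# Assumed: no legitimate user moves faster than a commercial airliner.
MAX_SPEED_KMH = 900.0
# Assumed allow-list of systems each service account normally authenticates to.
SERVICE_ACCOUNT_HOSTS = {
    "svc_backup": {"fs01", "fs02"},
}


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    country: str
    host: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events):
    """Return (user, from_country, to_country, speed_kmh) for consecutive
    logins by one user that would require exceeding MAX_SPEED_KMH."""
    findings = []
    last_seen = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        prev = last_seen.get(e.user)
        if prev and prev.country != e.country:
            dist = haversine_km(GEO[prev.country], GEO[e.country])
            hours = (e.ts - prev.ts).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_SPEED_KMH:
                findings.append((e.user, prev.country, e.country, round(speed)))
        last_seen[e.user] = e
    return findings


def service_account_drift(events):
    """Return (account, host) pairs where a service account authenticated
    to a system outside its known allow-list."""
    return sorted({(e.user, e.host) for e in events
                   if e.user in SERVICE_ACCOUNT_HOSTS
                   and e.host not in SERVICE_ACCOUNT_HOSTS[e.user]})


def parse(line):
    # Constructed log format: "<ISO timestamp> <user> <country> <host>"
    ts, user, country, host = line.split()
    return AuthEvent(datetime.fromisoformat(ts), user, country, host)


# Constructed sample: alice appears in Ukraine 98 minutes after Singapore,
# bob crosses to Malaysia over a plausible interval, svc_backup reaches dc01.
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice SG web01
2024-03-04T09:40:05 alice UA vpn01
2024-03-04T08:15:00 bob SG fs01
2024-03-04T11:30:00 bob MY fs01
2024-03-04T03:12:44 svc_backup SG fs01
2024-03-04T03:14:02 svc_backup SG dc01
"""


def run_hunt(log_text=SAMPLE_LOG):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return {"impossible_travel": impossible_travel(events),
            "service_account_drift": service_account_drift(events)}


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

The speed ceiling is deliberately generous so that VPN egress changes and normal flights do not fire; the hunt is meant to surface the handful of accounts worth a manual look, not to replace an identity provider's own risk engine.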

Command and Control via DNS Tunneling

Sophisticated malware communicates with attacker infrastructure over DNS — queries that look innocuous to most security tools. Hunting for C2 means profiling your DNS traffic baselines and flagging queries to newly registered domains, high-frequency sub-domain lookups from single endpoints, or DNS responses resolving to IP ranges associated with known threat infrastructure.
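The newly-registered-domain and high-frequency-subdomain checks above, as an added Python example (not from the original article). The resolver log lines, the newly-registered list standing in for a threat-intelligence feed, and the subdomain-count and entropy thresholds are constructed assumptions; the crude "last two labels" registered-domain extraction is also an assumption that a real hunt would replace with a public-suffix list.

```python
"""Hunt for DNS-based command and control in resolver query logs.

Added example, not from the original article. The log lines, the
'newly registered' list, the thresholds and the eTLD+1 shortcut are
constructed assumptions for illustration.
"""
import hashlib
from collections import defaultdict
from datetime import datetime
from math import log2

# Assumed: domains registered in the last 30 days, as supplied by a TI feed.
NEWLY_REGISTERED = {"cdn-sync-update.net"}
# Assumed thresholds; tune against your own DNS baseline.
MAX_UNIQUE_SUBDOMAINS = 20   # distinct prefixes per client per domain
MIN_ENTROPY = 3.0            # bits per character; encoded payloads score high


def registered_domain(qname):
    """Crude eTLD+1: last two labels (assumes no multi-part public suffix)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of the label string."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in freq.values())


def parse(line):
    # Constructed format: "<ISO timestamp> <client_ip> <qname>"
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower()


def hunt_dns(lines):
    """Return deduplicated findings over the given resolver log lines."""
    findings = set()
    seen = defaultdict(set)   # (client, domain) -> distinct subdomain prefixes
    for _ts, client, qname in (parse(l) for l in lines if l.strip()):
        dom = registered_domain(qname)
        if dom in NEWLY_REGISTERED:
            findings.add(("newly_registered", client, dom))
        if qname.endswith(dom) and len(qname) > len(dom):
            seen[(client, dom)].add(qname[: -len(dom) - 1])
    for (client, dom), prefixes in seen.items():
        if len(prefixes) > MAX_UNIQUE_SUBDOMAINS:
            avg_entropy = sum(map(shannon_entropy, prefixes)) / len(prefixes)
            if avg_entropy > MIN_ENTROPY:
                findings.add(("high_volume_subdomains", client, dom,
                              len(prefixes), round(avg_entropy, 2)))
    return sorted(findings)


def constructed_log():
    """Constructed sample: ordinary lookups from one client, and 25 distinct
    hex-looking labels under one newly registered domain from another."""
    lines = ["2024-03-04T10:00:00 10.0.0.7 www.example.com",
             "2024-03-04T10:00:01 10.0.0.7 mail.example.com"]
    for i in range(25):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"2024-03-04T10:00:{i:02d} 10.0.0.5 {label}.cdn-sync-update.net")
    return lines


if __name__ == "__main__":
    for f in hunt_dns(constructed_log()):
        print(f)
```

Counting distinct prefixes per client and domain, rather than raw query volume, is what separates a tunnelling client from a busy one: CDN and telemetry domains generate many queries but few unique labels.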

Data Staging Before Exfiltration

Before exfiltrating data, attackers compress, encrypt, and stage it — often on internal file servers or cloud storage buckets before moving it out. Hunting for staging behaviour means monitoring for bulk file access from endpoints that do not typically touch sensitive data stores, unusual SMB or rsync activity targeting large data volumes, and cloud storage buckets accessed from non-office IP ranges at unusual hours.

Persistence: Scheduled Tasks, Services, and Registry Run Keys

Most post-compromise activity requires persistence — a mechanism to re-establish access after a reboot or credential rotation. Hunting for persistence means auditing scheduled tasks created in the past 30 days, services installed with non-standard binary paths, and WMI subscriptions created outside known deployment windows.
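The three persistence audits above, as an added Python example that is not from the original article. The records are constructed JSON lines in an assumed normalised shape; the event IDs are the standard Windows ones (4698 scheduled task created, Security log; 7045 new service installed, System log; Sysmon 19/20/21 for WMI event filter, consumer and binding), while the "standard" service directories and the deployment window are assumptions.

```python
"""Hunt for persistence mechanisms in normalised Windows event telemetry.

Added example, not from the original article. Records are constructed;
the field names, the standard-directory list and the deployment window
are assumptions for illustration.
"""
import json
from datetime import datetime, timedelta

LOOKBACK_DAYS = 30
# Assumed: directories from which legitimately installed services run.
STANDARD_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\",
                         "c:\\program files (x86)\\")
# Assumed: change windows in which deployment tooling creates WMI subscriptions.
DEPLOYMENT_WINDOWS = [(datetime(2024, 3, 1, 22), datetime(2024, 3, 2, 2))]


def hunt_persistence(records, now):
    """Return findings for recent scheduled tasks, services with non-standard
    binary paths, and WMI subscriptions created outside deployment windows."""
    cutoff = now - timedelta(days=LOOKBACK_DAYS)
    findings = []
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        eid = r["event_id"]
        if eid == 4698 and ts >= cutoff:        # scheduled task created
            findings.append(("scheduled_task", r["host"], r["task_name"], r["user"]))
        elif eid == 7045:                       # new service installed
            path = r["image_path"].lower().strip('"')
            if not path.startswith(STANDARD_SERVICE_DIRS):
                findings.append(("service_nonstandard_path", r["host"],
                                 r["service_name"], r["image_path"]))
        elif eid in (19, 20, 21):               # Sysmon WMI filter/consumer/binding
            if not any(a <= ts <= b for a, b in DEPLOYMENT_WINDOWS):
                findings.append(("wmi_subscription_outside_window", r["host"], r["name"]))
    return findings


# Constructed sample records (assumed normalised field names).
SAMPLE_EVENTS = r"""
{"ts": "2024-03-20T02:14:09", "host": "ws-042", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\UpdateCheck", "user": "CORP\\jlim"}
{"ts": "2024-01-05T09:00:00", "host": "ws-017", "event_id": 4698, "task_name": "\\CorpBackup", "user": "CORP\\svc_backup"}
{"ts": "2024-03-21T03:02:55", "host": "fs01", "event_id": 7045, "service_name": "WinSyncSvc", "image_path": "\"C:\\Users\\Public\\sync.exe\" -k"}
{"ts": "2024-03-10T10:00:00", "host": "fs01", "event_id": 7045, "service_name": "Spooler2", "image_path": "C:\\Windows\\System32\\spoolsv.exe"}
{"ts": "2024-03-01T23:10:00", "host": "dc01", "event_id": 19, "name": "PatchFilter"}
{"ts": "2024-03-18T01:47:30", "host": "ws-042", "event_id": 20, "name": "UpdaterConsumer"}
"""


def run_hunt(text=SAMPLE_EVENTS, now=datetime(2024, 3, 25)):
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return hunt_persistence(records, now)


if __name__ == "__main__":
    for f in run_hunt():
        print(f)
```

The service check looks at the binary path rather than the service name because a name is free text chosen by whoever installs it; a task named like a Microsoft maintenance job but created at 02:14 by an interactive user is exactly the kind of record a hunter wants to read in full.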

Practical Note

You Do Not Need a Dedicated Threat Intel Team to Start

Managed threat hunting services (a component of mature SOCaaS offerings) can run hypothesis-driven hunts on your behalf, using pre-built detection logic tuned to your environment. The key is ensuring the hunting team has access to raw logs — not just alert data — so hypotheses can be investigated at the telemetry level.

How Singapore Businesses Can Start a Threat Hunting Programme

You do not need a mature security operations centre to begin threat hunting. Here is a realistic starting point:

Step 1 — Audit What You Are Logging

Threat hunting is only as effective as the telemetry available. Conduct a log audit and identify what you are collecting: Windows Security Event logs, DNS query logs, VPN connection logs, firewall netflow data, cloud provider audit trails (AWS CloudTrail, Azure Activity Log, GCP Audit Logs). If gaps exist, close them first — a hunt against incomplete data produces false confidence.

Step 2 — Establish Baselines

Before you can find anomalies, you need to understand normal. Profile typical authentication patterns, DNS query volumes per endpoint, data transfer volumes between network segments, and privileged account usage. These baselines inform hypothesis formation and reduce false positives.

Step 3 — Run Hypothesis-Driven Hunts Quarterly

Each quarter, select two to three high-priority hypotheses based on the threat landscape. Rotate through lateral movement, C2, data staging, and persistence. Document each hunt — the hypothesis, the data queried, the result, and any findings. This documentation becomes part of your security evidence base and supports your ISO 27001 Clause 8.2 (risk assessment) documentation requirements.

Step 4 — Automate Detection Where Possible

Hunts that produce findings should be converted into ongoing detection rules. If you find that PowerShell execution from browser processes is a reliable early indicator in your environment, turn that hunt into a detection rule run on every new event. This is how hunting programmes mature over time — each hunt makes the SOC smarter.
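The data-staging hypothesis from the hunting section, carried through Steps 2 to 4 above (baseline, hunt, then a repeatable rule), as one added Python example that is not from the original article. The daily access history, the sensitive share list, the z-score threshold and the office-hours window are constructed assumptions to be tuned per environment.

```python
"""Baseline per-host file-access volume, then run the staging hunt as a rule.

Added example, not from the original article. History and current-day
records are constructed; the share list, the z-score threshold and the
office-hours window are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SENSITIVE_SHARES = {"\\\\fs01\\finance", "\\\\fs01\\hr"}   # assumed
Z_THRESHOLD = 3.0           # assumed: flag totals beyond mean + 3 sigma
MIN_BASELINE_DAYS = 5       # assumed: fewer days than this is "no baseline"
OFFICE_HOURS = range(8, 19)  # assumed: 08:00-18:59 local time


def build_baseline(history):
    """history: (host, share, megabytes_read) per day.
    Returns {(host, share): (mean, stdev, n_days)}."""
    per_key = defaultdict(list)
    for host, share, mb in history:
        per_key[(host, share)].append(mb)
    return {k: (mean(v), pstdev(v), len(v)) for k, v in per_key.items()}


def detect_staging(baseline, events):
    """events: (ts, host, share, megabytes_read) for the current day.
    Flags sensitive-share access with no baseline, volume well above the
    host's own baseline, and sensitive-share access outside office hours."""
    totals = defaultdict(int)
    off_hours = set()
    for ts, host, share, mb in events:
        totals[(host, share)] += mb
        if share in SENSITIVE_SHARES and ts.hour not in OFFICE_HOURS:
            off_hours.add((host, share))
    findings = []
    for (host, share), total in totals.items():
        base = baseline.get((host, share))
        if base is None or base[2] < MIN_BASELINE_DAYS:
            if share in SENSITIVE_SHARES:
                findings.append(("no_baseline_sensitive_access", host, share, total))
            continue
        mu, sigma, _ = base
        # Floor sigma so a perfectly flat history does not flag trivial growth.
        if total > mu + Z_THRESHOLD * max(sigma, 0.05 * mu):
            findings.append(("volume_above_baseline", host, share, total))
    for host, share in sorted(off_hours):
        findings.append(("off_hours_sensitive_access", host, share))
    return findings


def constructed_history():
    """Constructed ten-day history: two finance workstations with steady reads."""
    normal_days = [48, 52, 50, 49, 51, 50, 53, 47, 50, 50]   # MB per day
    hist = [("ws-010", "\\\\fs01\\finance", mb) for mb in normal_days]
    hist += [("ws-011", "\\\\fs01\\finance", mb + 10) for mb in normal_days]
    return hist


def constructed_today():
    """Constructed current day: ws-011 normal, ws-010 pulls 2 GB overnight,
    ws-022 (no history) reads the HR share at 02:00."""
    return [
        (datetime(2024, 3, 25, 9, 5), "ws-011", "\\\\fs01\\finance", 55),
        (datetime(2024, 3, 25, 14, 30), "ws-011", "\\\\fs01\\finance", 8),
        (datetime(2024, 3, 25, 22, 10), "ws-010", "\\\\fs01\\finance", 900),
        (datetime(2024, 3, 25, 23, 40), "ws-010", "\\\\fs01\\finance", 1100),
        (datetime(2024, 3, 25, 2, 0), "ws-022", "\\\\fs01\\hr", 300),
    ]


def run_rule():
    return detect_staging(build_baseline(constructed_history()), constructed_today())


if __name__ == "__main__":
    for f in run_rule():
        print(f)
```

Once a hunt like this has produced a confirmed finding, the `detect_staging` function is the part that becomes the scheduled detection rule; `build_baseline` is re-run periodically so the rule tracks how the environment actually changes rather than a snapshot from the first hunt.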

How Infinite Cybersecurity Can Help

Infinite Cybersecurity's threat intelligence and managed detection services include structured threat hunting as part of our SOC service tier for Singapore businesses. Our hunts are conducted against your actual network telemetry — not sandbox simulations — and findings are delivered with specific remediation steps, not generic risk ratings.

For businesses pursuing ISO 27001 certification, documented threat hunting activity provides evidence of operational security monitoring (Annex A.8.16) and contributes to the risk treatment plan under Clause 8.3. For firms operating under MAS TRM, a structured hunting programme supports the continuous monitoring expectations outlined in the guidelines.

Whether you are running your own SOC or outsourcing to an MDR provider, we can design and execute a hunting programme tailored to your environment and threat profile.

Ready to Hunt?

Contact our Singapore cybersecurity experts to discuss a threat hunting programme designed for your environment and risk profile.
