SecurityWeek

Profile of a Threat Hunter

“The history of the bow and arrow is the history of mankind.” – Fred Bear

We hunted and gathered before we learned to plant corn. It was how we survived millions of years ago and, in a sense, how we’ll survive today’s Information Age. While we are no longer prey to saber-toothed cats and killer kangaroos, we are now prey to digital threat actors who seek to turn our binary blood and digital currencies into monetary feasts. Thus, as we continue to tend the fields of our daily business, we must once again become hunters who proactively seek out and defend against those who want to raid our coffers or otherwise do us harm.

As the cybersecurity talent shortage continues to worsen, the choice to outsource to companies that specialize in this niche field continues to make more and more sense. Even within the largest, most prepared organizations, there are often simply too few of the necessary resources to contend with too many threats. Certain tasks may be better left to external security professionals. For instance, I don’t want to look like Lloyd Christmas, so I don’t cut my own hair. I also don’t prepare sushi or perform surgery. Well, maybe minor surgery . . . but, I digress.

My point is that it’s important to find the best specialist for the job—or in this case, the hunt.

A Hunter’s Arsenal

Like big game hunting, cyber threat hunting is not easy and requires a unique mix of hard-earned skills and intelligence.

Yes, a threat hunter’s arsenal consists of technical knowledge and hands-on-keyboard experience, but its most lethal weapons are curiosity and creativity. The best threat hunters aren’t out free-range hunting. They’re not chasing shiny objects. The best threat hunters know exactly what they are looking for because they’ve cultivated the ability to think like their adversaries so that they can take a proactive, strategic approach to hunts.

They understand that adversaries use tactics, techniques, and procedures (TTPs) to compromise networks and perform malicious or unauthorized activity in the streams of data that are not being alerted on by monitoring tools. And so that’s where they go — to these unmapped attack surfaces — to research, develop, and execute advanced searches to expand an organization’s detection capabilities.


Without relying on signatures, rules, or other pre-existing automated controls to detect threats or potential attacks, threat hunters consider attackers’ modus operandi and use industry-specific threat intelligence to formulate an educated hypothesis and develop an actionable hunt plan. Next, they head out, with ‘sniper scope’ in hand, to root out bad actors before they can accomplish their goals.

Okay, It Isn’t All about Bad Guys

According to the Verizon 2018 Data Breach Investigations Report, 28 percent of cyberattacks come from insider threats. And yet, according to another report from Accenture, “Securing the Future Enterprise Today,” only 40 percent of CISOs surveyed said they are prioritizing the establishment or expansion of an insider threat program.

The great thing about good threat hunters is that they’re not just looking for bad-guy break-ins. And while uncovering a sophisticated adversary like a nation state is a threat-hunting feat, it’s not the only goal of hunting. Good hunters are out to uncover system misconfigurations, poor cyber hygiene, undesirable user behavior, ineffective processes, and vulnerabilities that could cause a gap in a company’s overall cyber resilience. This way, they can provide clients with a comprehensive snapshot of their environment that expands visibility beyond “known bads” while tying any discoveries into risk context for senior management.

Furthermore, threat hunters can also pivot into an incident response role, helping to scope and eradicate a compromise before returning to the hunt. For instance, if they were to discover that a system administrator has gone rogue and is threatening to damage a company’s network, they could covertly deploy tools, map out the environment to see what systems this individual could access, and help mitigate the threat.

No matter what, good threat hunters never return from a hunt empty-handed. Even if a certain hypothesis does not prove out, it’s still knowledge that can be fed back to a company’s security operations center (SOC) or cyber defense program to help with future hunts and improve overall cyber resiliency.
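The hypothesis-driven hunt described above (search the telemetry nothing alerts on, then feed the result back to the SOC) as an added, runnable sketch. This is example code written for this column, not the author’s tooling: the events, the single pre-existing rule and the Office-spawns-interpreter hypothesis are all constructed for illustration.

```python
"""Hypothesis-driven hunt over constructed process-creation telemetry."""
from collections import Counter

# Constructed sample events; a real hunt would pull these from EDR or SIEM data.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws01", "user": "alice", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws02", "user": "bob", "parent": "excel.exe", "image": "cmd.exe"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "cmd.exe"},
    {"host": "srv01", "user": "svc", "parent": "services.exe", "image": "mimikatz.exe"},
    {"host": "ws03", "user": "carol", "parent": "winword.exe", "image": "mshta.exe"},
]

# Pre-existing automated controls: what the SOC already alerts on (hypothetical rule set).
EXISTING_RULES = {
    "known-bad-tool": lambda e: e["image"].lower() in {"mimikatz.exe"},
}

def alerted_by_existing_rules(event, rules=EXISTING_RULES):
    """True if a current rule would already fire; those events are not hunt territory."""
    return any(rule(event) for rule in rules.values())

# Hunt hypothesis derived from a known TTP: Office applications spawning script
# interpreters, a pattern the existing rules above do not cover.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def office_spawns_interpreter(event):
    return event["parent"].lower() in OFFICE and event["image"].lower() in INTERPRETERS

def run_hunt(name, hypothesis, events=EVENTS):
    """Search only the stream nothing alerts on, and never come back empty-handed:
    a hunt that finds nothing still reports the coverage it established."""
    unalerted = [e for e in events if not alerted_by_existing_rules(e)]
    hits = [e for e in unalerted if hypothesis(e)]
    return {
        "hypothesis": name,
        "events_searched": len(unalerted),
        "hits": hits,
        "hosts": dict(Counter(e["host"] for e in hits)),
        # Feedback for the SOC: a hypothesis that proves out becomes a candidate detection.
        "proposed_rule": name if hits else None,
    }

if __name__ == "__main__":
    report = run_hunt("office-spawns-interpreter", office_spawns_interpreter)
    for hit in report["hits"]:
        print(f'{hit["host"]}: {hit["parent"]} -> {hit["image"]} ({hit["user"]})')
    print(report["hosts"], report["proposed_rule"])
```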
