Profile of a Threat Hunter

"The history of the bow and arrow is the history of mankind." – Fred Bear

We hunted and gathered before we learned to plant corn. It was how we survived millions of years ago and, in a sense, how we’ll survive today’s Information Age. While we are no longer prey to saber-toothed cats and killer kangaroos, we are now prey to digital threat actors who seek to turn our binary blood and digital currencies into monetary feasts. Thus, as we continue to tend the fields of our daily business, we must once again become hunters who proactively seek out and defend against those who want to raid our coffers or otherwise do us harm.

As the cybersecurity talent shortage continues to worsen, the choice to outsource to companies that specialize in this niche field continues to make more and more sense. Even within the largest, most prepared organizations, there are often simply too few of the necessary resources to contend with too many threats. Certain tasks may be better left to external security professionals. For instance, I don’t want to look like Lloyd Christmas, so I don’t cut my own hair. I also don’t prepare sushi or perform surgery. Well, maybe minor surgery . . . but, I digress.

My point is that it’s important to find the best specialist for the job—or in this case, the hunt. 

A Hunter’s Arsenal

Like big game hunting, cyber threat hunting is not easy and requires a unique mix of hard-earned skills and intelligence.

Yes, a threat hunter’s arsenal consists of technical knowledge and hands-on-keyboard experience, but its most lethal weapons are curiosity and creativity. The best threat hunters aren’t out free-range hunting. They’re not chasing shiny objects. The best threat hunters know exactly what they are looking for because they’ve cultivated the ability to think like their adversaries so that they can take a proactive, strategic approach to hunts.

They understand that adversaries use tactics, techniques, and procedures (TTPs) to compromise networks and perform malicious or unauthorized activity in the streams of data that are not being alerted on by monitoring tools. And so that’s where they go — to these unmapped attack surfaces — to research, develop, and execute advanced searches to expand an organization’s detection capabilities.

Without relying on signatures, rules, or other pre-existing automated controls to detect threats or potential attacks, threat hunters consider attackers’ modus operandi and use industry-specific threat intelligence to formulate an educated hypothesis and develop an actionable hunt plan. Next, they head out, with ‘sniper scope’ in hand, to root out bad actors before they can accomplish their goals.
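The hypothesis-driven hunt described above, as an added illustration that is not part of the original column: a hunter assumes that an account abusing its privileges will log on to systems, or at hours, outside its normal pattern, builds a baseline from a prior window of logon records, and then searches the newer records for deviations that no signature or pre-existing rule would flag. The logon records, host names, window boundary and business-hours policy are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not real data): (timestamp, account, source host, target host).
LOGONS = [
    ("2024-03-01T09:12:00", "svc_backup", "BKP01", "FS01"),
    ("2024-03-02T09:15:00", "svc_backup", "BKP01", "FS02"),
    ("2024-03-03T10:01:00", "jdoe", "WS117", "FS01"),
    ("2024-03-04T14:22:00", "jdoe", "WS117", "MAIL01"),
    ("2024-03-05T09:10:00", "svc_backup", "BKP01", "FS01"),
    # Records after the baseline window, i.e. the data the hunt is run over.
    ("2024-03-11T09:14:00", "svc_backup", "BKP01", "FS01"),    # matches baseline
    ("2024-03-11T23:41:00", "svc_backup", "WS117", "DC01"),    # off-hours, unseen pair
    ("2024-03-12T10:05:00", "jdoe", "WS117", "FS01"),          # matches baseline
    ("2024-03-12T02:30:00", "jdoe", "WS117", "HR-DB01"),       # off-hours, unseen pair
]

BASELINE_END = datetime.fromisoformat("2024-03-10T00:00:00")  # assumed window boundary
BUSINESS_HOURS = range(7, 19)                                  # assumed policy: 07:00-18:59

def build_baseline(logons):
    """Map each account to the (source, target) host pairs it used during the baseline window."""
    seen = defaultdict(set)
    for ts, account, src, dst in logons:
        if datetime.fromisoformat(ts) < BASELINE_END:
            seen[account].add((src, dst))
    return seen

def hunt(logons, baseline):
    """Return (timestamp, account, reasons) for post-baseline logons that deviate from the hypothesis' notion of normal."""
    findings = []
    for ts, account, src, dst in logons:
        when = datetime.fromisoformat(ts)
        if when < BASELINE_END:
            continue  # baseline data is the reference, not the hunt target
        reasons = []
        if (src, dst) not in baseline.get(account, set()):
            reasons.append("unseen source/target pair %s->%s" % (src, dst))
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours (%02d:00)" % when.hour)
        if reasons:
            findings.append((ts, account, reasons))
    return findings

if __name__ == "__main__":
    for ts, account, reasons in hunt(LOGONS, build_baseline(LOGONS)):
        print(ts, account, "; ".join(reasons))
```

Each finding carries the reasons it deviated, which is the context a hunter would hand to the SOC whether or not the hypothesis ultimately proves out.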

Okay, It Isn’t All about Bad Guys

According to the Verizon 2018 Data Breach Investigations Report, 28 percent of cyberattacks come from insider threats. And yet, according to another report from Accenture, "Securing the Future Enterprise Today," only 40 percent of CISOs surveyed said they are prioritizing the establishment or expansion of an insider threat program.

The great thing about good threat hunters is that they're not just looking for bad-guy break-ins. And while uncovering a sophisticated adversary like a nation state is a threat-hunting feat, it's not the only goal of hunting. Good hunters are out to uncover system misconfigurations, poor cyber hygiene, undesirable user behavior, ineffective processes, and vulnerabilities that could cause a gap in a company’s overall cyber resilience. This way, they can provide clients with a comprehensive snapshot of their environment that expands visibility beyond “known bads” while tying any discoveries into risk context for senior management.

Furthermore, threat hunters can also pivot into an incident response role, helping to scope and eradicate a compromise before returning to the hunt. For instance, if they were to discover that a system administrator has gone rogue and is threatening to damage a company’s network, they could covertly deploy tools, map out the environment to see what systems this individual could access, and help mitigate the threat.

No matter what, good threat hunters never return from a hunt empty-handed. Even if a certain hypothesis does not prove out, it’s still knowledge that can be fed back to a company’s security operations center (SOC) or cyber defense program to help with future hunts and improve overall cyber resiliency.

Erin O’Malley is an incident response delivery support manager at Accenture Security, FusionX, Cyber Investigation and Forensics Response (CIFR), where she teams with incident responders and threat hunters to document and catalog incident report findings and highlight the value of taking an adversary-based approach to minimize the risk, exposure, and damage of cybersecurity incidents. Prior to joining Accenture, Erin was a security solutions marketing manager at Gigamon. Other past roles have included product marketing for virtualization and cloud security solutions at Juniper Networks and customer marketing at VMware. She has written and edited for GE Digital, WSGR, Business Objects, and the TDA Group, and holds a B.A. in French from Penn State University and an M.A. in French from Middlebury College. The opinions and statements in this column are solely those of the individual author, and do not constitute professional or legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. No representations or warranties are provided, and the reader is responsible for determining whether or not to follow any of the suggestions or recommendations, entirely at their own discretion.