Incident Response

Profile of a Threat Hunter

“The history of the bow and arrow is the history of mankind.” – Fred Bear

We hunted and gathered before we learned to plant corn. It was how we survived millions of years ago and, in a sense, how we’ll survive today’s Information Age. While we are no longer prey to saber-toothed cats and killer kangaroos, we are now prey to digital threat actors who seek to turn our binary blood and digital currencies into monetary feasts. Thus, as we continue to tend the fields of our daily business, we must once again become hunters who proactively seek out and defend against those who want to raid our coffers or otherwise do us harm.

As the cybersecurity talent shortage continues to worsen, the choice to outsource to companies that specialize in this niche field continues to make more and more sense. Even within the largest, most prepared organizations, there are often simply too few of the necessary resources to contend with too many threats. Certain tasks may be better left to external security professionals. For instance, I don’t want to look like Lloyd Christmas, so I don’t cut my own hair. I also don’t prepare sushi or perform surgery. Well, maybe minor surgery . . . but, I digress.

My point is that it’s important to find the best specialist for the job—or in this case, the hunt. 

A Hunter’s Arsenal

Like big game hunting, cyber threat hunting is not easy and requires a unique mix of hard-earned skills and intelligence.

Yes, a threat hunter’s arsenal consists of technical knowledge and hands-on-keyboard experience, but its most lethal weapons are curiosity and creativity. The best threat hunters aren’t out free-range hunting. They’re not chasing shiny objects. The best threat hunters know exactly what they are looking for because they’ve cultivated the ability to think like their adversaries so that they can take a proactive, strategic approach to hunts.

They understand that the tactics, techniques, and procedures (TTPs) adversaries use to compromise networks and carry out malicious or unauthorized activity leave traces in streams of data that monitoring tools are not alerting on. And so that’s where they go: to these unmonitored corners of the environment, to research, develop, and execute advanced searches that expand an organization’s detection capabilities.

Without relying on signatures, rules, or other pre-existing automated controls to detect threats or potential attacks, threat hunters consider attackers’ modus operandi and use industry-specific threat intelligence to formulate an educated hypothesis and develop an actionable hunt plan. Next, they head out, with ‘sniper scope’ in hand, to root out bad actors before they can accomplish their goals.

Okay, It Isn’t All about Bad Guys

According to the Verizon 2018 Data Breach Investigations Report, 28 percent of breaches involved internal actors. And yet, according to Accenture’s report “Securing the Future Enterprise Today,” only 40 percent of CISOs surveyed said they are prioritizing the establishment or expansion of an insider threat program.

The great thing about good threat hunters is that they’re not just looking for bad-guy break-ins. And while uncovering a sophisticated adversary like a nation state is a threat-hunting feat, it’s not the only goal of hunting. Good hunters are out to uncover system misconfigurations, poor cyber hygiene, undesirable user behavior, ineffective processes, and vulnerabilities that could cause a gap in a company’s overall cyber resilience. This way, they can provide clients with a comprehensive snapshot of their environment that expands visibility beyond “known bads” while tying any discoveries into risk context for senior management.

Furthermore, threat hunters can also pivot into an incident response role, helping to scope and eradicate a compromise before returning to the hunt. For instance, if they were to discover that a system administrator has gone rogue and is threatening to damage a company’s network, they could covertly deploy tools, map out the environment to see what systems this individual could access, and help mitigate the threat.

No matter what, good threat hunters never return from a hunt empty-handed. Even if a certain hypothesis does not prove out, it’s still knowledge that can be fed back to a company’s security operations center (SOC) or cyber defense program to help with future hunts and improve overall cyber resiliency.
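The hypothesis-driven hunt described above (hypothesis, hunt plan, search over data nothing is alerting on, results fed back to the SOC even when the hypothesis does not prove out) as an added Python example. This is not code from the original article or from any vendor’s tooling. It assumes a Sysmon-like process-creation feed with host, user, parent and image fields; the telemetry, host names, user names and the hypothesis (an Office application spawning a scripting interpreter, which no existing alert covers) are constructed for illustration. The technique is stacking, or long-tail analysis: count how many hosts show each parent/child process pair, and treat pairs that match the hypothesis and appear on very few hosts as leads, while the common pairs become a known-good baseline for the SOC.

```python
"""Hypothesis-driven hunt over process-creation telemetry using stacking.

Hypothesis (assumed for this example): if a phishing document has given an
adversary a foothold, an Office application will have spawned a scripting
interpreter or shell, and the existing alerting does not cover that pairing.
"""
import json
from collections import defaultdict

# Constructed sample telemetry for illustration only (not real logs): one
# JSON process-creation record per line in a Sysmon-like shape.
SAMPLE_TELEMETRY = """\
{"host":"ws01","user":"alice","parent":"explorer.exe","image":"outlook.exe"}
{"host":"ws01","user":"alice","parent":"explorer.exe","image":"winword.exe"}
{"host":"ws02","user":"bob","parent":"explorer.exe","image":"winword.exe"}
{"host":"ws02","user":"bob","parent":"winword.exe","image":"splwow64.exe"}
{"host":"ws03","user":"carol","parent":"explorer.exe","image":"winword.exe"}
{"host":"ws03","user":"carol","parent":"winword.exe","image":"splwow64.exe"}
{"host":"ws04","user":"dave","parent":"explorer.exe","image":"winword.exe"}
{"host":"ws04","user":"dave","parent":"winword.exe","image":"powershell.exe","cmdline":"powershell.exe -nop -w hidden"}
{"host":"ws05","user":"erin","parent":"explorer.exe","image":"winword.exe"}
{"host":"ws05","user":"erin","parent":"winword.exe","image":"splwow64.exe"}
"""

# Process names used by the hypothesis (assumed, not an exhaustive list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}


def parse_telemetry(text):
    """Parse newline-delimited JSON records, skipping blank or garbled lines
    so one bad record does not abort the whole hunt."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def stack_parent_child(events):
    """Stacking: map each (parent, child) pair to the number of distinct
    hosts it was seen on. Prevalence across hosts, not raw event count, is
    what separates fleet-wide normal behaviour from a one-off."""
    hosts = defaultdict(set)
    for e in events:
        pair = (e["parent"].lower(), e["image"].lower())
        hosts[pair].add(e["host"])
    return {pair: len(h) for pair, h in hosts.items()}


def hunt_office_spawning_interpreter(events, rarity_threshold=1):
    """Execute the hunt. Returns (leads, baseline):
    leads    - events matching the hypothesis on at most rarity_threshold hosts
    baseline - Office parent/child pairs common enough to hand back to the SOC
               as known-good, so the hunt pays off even with zero leads."""
    prevalence = stack_parent_child(events)
    leads = []
    for e in events:
        parent, image = e["parent"].lower(), e["image"].lower()
        if (parent in OFFICE_APPS and image in INTERPRETERS
                and prevalence[(parent, image)] <= rarity_threshold):
            leads.append(e)
    baseline = sorted(pair for pair, n in prevalence.items()
                      if pair[0] in OFFICE_APPS and n > rarity_threshold)
    return leads, baseline


if __name__ == "__main__":
    evts = parse_telemetry(SAMPLE_TELEMETRY)
    found, known_good = hunt_office_spawning_interpreter(evts)
    print(f"{len(evts)} events, {len(found)} lead(s)")
    for lead in found:
        print("LEAD:", lead["host"], lead["user"], lead["parent"], "->",
              lead["image"], lead.get("cmdline", ""))
    print("Baseline to feed back to the SOC:", known_good)
```

On the constructed data the hunt surfaces the single winword.exe to powershell.exe start on ws04 as a lead, and hands back winword.exe spawning splwow64.exe (the print spooler helper, seen on three hosts) as baseline. If the lead had not existed, the baseline alone is still the knowledge the article says a hunter should never come back without: it tells the SOC what normal looks like for that pairing and can be turned into a detection rule for the next deviation.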
