How to Become a Threat Hunter
A cyberthreat can be defined as any adversary with three basic characteristics: the intent, capability and opportunity to do harm. While a traditional cybersecurity strategy can do quite a lot to reduce the opportunities for a breach, little can be done about the other two factors.
As cybercriminals’ methods and tools evolve, attack techniques are constantly updated and systematically employed to probe for every weakness in a defense. It is particularly important to understand that even the best-laid security countermeasures, based on current security solutions, cannot ensure 100% protection. There is always the chance that a vulnerability will remain undetected for many years, as happened with Meltdown and Spectre: transient-execution side-channel flaws in most modern processors that could be exploited to read data the attacker was not authorized to access.
That is where threat hunting comes in. Based on the premise that no system is fully secure, threat hunting assumes an advanced threat may have already slipped past existing security solutions; therefore, the best course of action is to proactively search the corporate network and assets in order to detect and isolate the attacker.
While a significant part of the threat hunting process must be done with the help of technology (e.g. a SIEM solution), it cannot be fully automated. In fact, hunting is highly dependent on the hunter’s level of expertise. In a traditional approach to detecting threats, it is quite usual to start by deploying a technology and then have experts try to get the most out of it. With threat hunting, it’s the other way around: you start with people, the threat hunters, and then use technology to get the most out of their abilities.
So, how does a security professional become a master threat hunter? What are the fundamental skills to face one of the most challenging cybersecurity fields and ensure no threat goes undetected? Let’s find out!
The 5 Essential Skills of a Master Threat Hunter
Expert hunters are highly skilled professionals with extensive experience and a deep understanding of the tools of the trade, such as firewall logs, Windows event logs, attack techniques, intrusion detection systems and security information and event management (SIEM).
Some skills are considered essential for an effective threat hunter, including:
1. Pattern Recognition
Attackers are constantly developing new techniques, including unconventional ways of exploiting any sort of vulnerability and gaining unauthorized access. In many cases there is no signature for a new or zero-day attack, so the hunter must be able to identify patterns of behavior that match these techniques rather than rely on a known indicator. An effective threat hunter must be able to spot unusual patterns on the network and confirm whether they are a false positive (a backup job, an update agent, a monitoring check) or malware trying to communicate with an external party.
Some level of deductive reasoning is also vital, as hunters must be able to formulate reasonable hypotheses (e.g. how a threat would evade an IDS and exfiltrate specific data) and work backwards to look for traces of a possible ongoing intrusion.
2. Data Analytics
The most basic threat-hunting tool is data. Hunters are expected to know not only where to collect meaningful data, but how to perform data analytics. This includes using data science approaches, tools and techniques. For instance, a hunter may use data collected with a SIEM tool to create custom charts, based on their hypothesis, that will help in recognizing patterns more easily.
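The hypothesis-driven workflow described under Pattern Recognition and Data Analytics, as an added example (not code from the original article): start from one concrete hypothesis, "a compromised host beacons to its command-and-control server at a near-fixed interval," and work backwards through egress log data for the trace that hypothesis predicts. The log lines below are constructed for the example, and their field layout (`src=`, `dst=`, `dport=`, `bytes=`) is an assumption, not any vendor’s real format; the internal host 10.0.0.5 is written to connect to 203.0.113.7 about once a minute, while 10.0.0.9 shows bursty, human-looking browsing. Timing regularity is measured as the coefficient of variation (standard deviation divided by mean) of the gaps between consecutive connections from one source to one destination: a timer-driven implant sits near zero, a person at a browser sits near one or above.

```python
"""Hypothesis-driven beacon hunt over constructed egress log lines (added example)."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, not from any real environment. Assumed line format:
# "<ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> bytes=<n>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=612
2024-03-01T09:00:10 src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=8841
2024-03-01T09:00:12 src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=23110
2024-03-01T09:01:01 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=598
2024-03-01T09:01:59 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=604
2024-03-01T09:02:00 src=10.0.0.9 dst=198.51.100.33 dport=80 bytes=1502
2024-03-01T09:02:03 src=10.0.0.9 dst=198.51.100.33 dport=80 bytes=77210
2024-03-01T09:03:00 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=611
2024-03-01T09:04:02 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=599
2024-03-01T09:04:59 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=607
2024-03-01T09:05:40 src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=4410
2024-03-01T09:05:41 src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=15022
2024-03-01T09:06:00 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=603
2024-03-01T09:07:01 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=610
2024-03-01T09:08:00 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=596
2024-03-01T09:08:59 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=605
2024-03-01T09:10:00 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=601
2024-03-01T09:11:00 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=609
2024-03-01T09:17:03 src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=9930
2024-03-01T09:17:30 src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=3312
2024-03-01T09:30:00 src=10.0.0.9 dst=198.51.100.33 dport=80 bytes=2201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"]),
        })
    return events


def intervals_by_pair(events):
    """Seconds between consecutive connections, keyed by (src, dst)."""
    times = defaultdict(list)
    for e in events:
        times[(e["src"], e["dst"])].append(e["ts"])
    gaps = {}
    for pair, ts in times.items():
        ts.sort()
        gaps[pair] = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return gaps


def find_beacon_candidates(events, min_events=6, max_cv=0.15):
    """Return (src, dst) pairs whose timing is regular enough to fit the beacon hypothesis.

    cv = stdev / mean of the inter-connection gaps. Pairs with too few events are
    ignored because two or three connections cannot establish a rhythm. A hit is a
    lead to triage (update agents and monitoring checks are regular too), not a verdict.
    """
    candidates = []
    for (src, dst), gaps in intervals_by_pair(events).items():
        if len(gaps) + 1 < min_events:
            continue
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            candidates.append({"src": src, "dst": dst, "events": len(gaps) + 1,
                               "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(candidates, key=lambda c: c["cv"])


def interval_histogram(gaps, bucket_s=10):
    """Bucket the gaps so the timing distribution can be eyeballed as a quick text chart."""
    return Counter(int(g // bucket_s) * bucket_s for g in gaps)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for c in find_beacon_candidates(evts):
        print(f"candidate {c['src']} -> {c['dst']}: {c['events']} events, "
              f"mean {c['mean_interval_s']}s, cv {c['cv']}")
        for bucket, n in sorted(interval_histogram(intervals_by_pair(evts)[(c['src'], c['dst'])]).items()):
            print(f"  {bucket:>4}s {'#' * n}")
```

On the constructed data only 10.0.0.5 to 203.0.113.7 survives the filter: twelve connections with a 60-second mean gap and a cv near 0.02, while the browsing host’s gaps of 1, 2, 27, 328 and 682 seconds give a cv above 1. The thresholds (`min_events`, `max_cv`) are assumptions for the example and would be tuned per environment; the same logic runs unchanged over a SIEM export, and the next hunting step is the one the article describes, confirming or discarding the hit by looking at the destination, the process that opened the connection and the host itself.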
3. Malware Analysis
Finding the threat is just the first part of the job. Hunters are expected to dig in and gather detailed information on malware, including how it was delivered, its capabilities, how it spreads, and what sorts of damage it may cause. In order to do so, hunters must use advanced malware analysis techniques, including reverse-engineering malware code.
4. Data Forensics
The hunt is not limited to the piece of malware that was just found. In most cases, it will be necessary to analyze the affected hosts (both endpoints and servers) to have a complete picture of the damage caused by the threat. Hunters must know how to adequately collect, handle and analyze the evidence that will prove (or disprove) the hypothesis they are working on.
5. Communication
Being able to communicate effectively at all levels is an essential soft skill for a threat hunter. Any identified threat must be communicated to the appropriate parties, and doing it properly is quite different from just sending an email saying “Hi! I found a new threat that could jeopardize our entire company operation, please apply the attached fix and reboot all our servers immediately.”
Remember, communications are not necessarily limited to the technical staff. In fact, it is likely the hunter is trying to validate their hypothesis in order to answer a question from the strategic level, most probably from the CISO or CIO.
Hunters must know how to communicate clearly and concisely: not only in technical terms, but also in explaining, from a strategic risk-based approach, how a threat that has been identified is affecting the business and its possible impacts.
Becoming an expert threat hunter will not happen overnight. Most successful hunters developed their skills over years, gaining practical experience in several cybersecurity fields. As expected, these professionals are quite rare in the market, command excellent salaries, and are in constant high demand from the many companies that want to ensure the protection of their operations.
Hunters must also have lots of patience and focus, as crunching and analyzing data for several hours can become quite tiresome. It would not come as a surprise if most threat hunters have also spent quite some time doing meditation and yoga!
In the end, the best way to become a threat hunter is to plan ahead. There is no shortage of training in areas such as malware analysis, forensics, incident response, pentesting or any other discipline required to become a hunter. Combining that with practical experience gained on the job or in a lab environment you build yourself can be of immense value in preparing you for one of the most difficult and specialized cybersecurity positions.