What Does a Cyber Threat Hunter Do?
Learn about what a cyber threat hunter does in Data Protection 101, our series on the fundamentals of information security.
The cyber threat hunter role is becoming increasingly important in the modern enterprise, as companies strive to stay ahead of the latest threats and implement rapid response to mitigate potential damage resulting from cyber attacks. Here’s a look at what cyber threat hunters do, the responsibilities of the role, skills and qualifications, and more.
The video clip below is taken from our webinar, The Real World of Cyber Threat Hunting, and will help you understand the basics of threat hunting. Watch the full webinar here.
Definition of a Cyber Threat Hunter
Cyber threat hunters are information security professionals who proactively and iteratively detect, isolate, and neutralize advanced threats that evade automated security solutions. Cyber threat hunters constitute an integral part of the rapidly growing cyber threat intelligence industry. Their employment gives companies a competitive edge as opposed to using traditional rule or signature-based detection methods.
Responsibilities of a Cyber Threat Hunter
Security experts use the 80/20 principle to assess cyber threats. Eighty percent (80%) of cyber threats are unsophisticated and can be mitigated with good security hygiene, while the remaining twenty percent (20%) tend to be more advanced threats. Still, about half of these advanced attacks can be successfully addressed with different blocking and tackling techniques.
The other half of advanced attacks constitutes the top 10% of cyber threats. These highly advanced threats cannot be detected solely with programmatic solutions. Cyber threat hunters aim to sniff out these highly advanced cyber threats. Their job is to track and neutralize adversaries who cannot be caught with other methods. The threats they hunt for can be posed by either an insider, such as an employee of the organization, or an outsider, such as an organized crime group.
However, it’s not the job of the cyber threat hunter to address incidents that have already happened, although they may work together with insider response teams. Instead, they search for cyber threats hiding in the noise before the attack could happen. Once potential threats are identified, cyber threat hunters gather as much information on the behavior, goals, and methods of the adversaries as possible. They also organize and analyze the collected data to determine trends in the security environment of the organization, make predictions for the future, and eliminate current vulnerabilities.
Cyber Threat Hunter Tools and Techniques
Instead of trying to infiltrate the environment from the outside as it happens during penetration testing, cyber threat hunters work with the assumption that adversaries are already in the system. They carefully analyze the whole environment, use behavioral analysis and a hypothesis-driven approach to find unusual behavior that may indicate the presence of malicious activity.
Cyber threat hunters work with a plethora of software and tools to track down adversaries and identify suspicious activities. A few of the most common tools and solutions leveraged by cyber threat hunters include:
● Security Monitoring Tools - Cyber threat hunters work with all kinds of security monitoring solutions such as firewalls, antivirus software, network security monitoring, data loss prevention, network intrusion detection, insider threat detection, and other security tools. Besides monitoring the network at the organizational-level, they also examine endpoint data. They gather event logs from as many places as possible, as their work requires a sufficient amount of security data.
● SIEM Solutions - Security Information and Event Management (SIEM) solutions gather internal structured data within the environment and provide a real-time analysis of security alerts from within the network. Basically, they turn raw security data into meaningful analysis. SIEM tools don’t only help manage the huge amount of data logs hunter work with, but also make it possible to find correlations which can reveal hidden security threats.
● Analytics Tools - Cyber threat hunters work with two kinds of analytics tools: statistical and intelligence analysis software. Statistical analysis tools, such as SAS programs, use mathematical patterns instead of pre-defined rules to find odd behavior and anomalies in the data. Intelligence analytics software visualizes relational data and provide security professionals with interactive graphs, charts, and other data illustrations. They make it possible to discover hidden connections and correlations between different entities and properties in the environment.
Skills and Qualifications
Currently, there is a huge talent gap in the field of cyber security. Cyber threat hunters are tier 3 analysts, and finding qualified professionals for the role is a challenge. As a result, many companies don’t (or can’t) find an in-house cyber threat hunter and rather outsource the job to external experts.
● Experience in Cyber Security - Cyber threat hunters need to have a background in information security, cyber security, or network engineering, although a CS degree is not always a requirement. They also must have hands-on experience in forensic science, data analysis, intelligence analysis, malware reversing, network and endpoint security, adversary tracking, and other security-related tasks.
● Understanding the Cyber Security Landscape - Besides practical experience, cyber threat hunters also need to have a deep knowledge of current and past malware methods, attack methodologies, and TTPs (Tactics, Techniques, Procedures). TTPs are specific patterns of techniques and activities associated with certain cyber adversaries. TTPs, malware, and attack methods rapidly evolve over time, so having an up-to-date knowledge on the matter is crucial in successful cyber threat hunting.
● Knowledge of Operating Systems and Network Protocols - An extensive knowledge of the inner workings of operating systems (Windows and Linux/Unix) is also indispensable. Moreover, cyber threat hunters also need to have a strong understanding of how different network protocols, such as the TCP/IP stack, work.
● Coding Skills - Hunters need to be fluent in at least one scripting language (Python, Perl, etc.). However, it can also be useful to know one or more compiled languages (C, C++, etc.) as well. They also need to know how to parse logs, automate tasks, and perform complex data analysis.
● Technical Writing and Reporting Skills - Preparing security reports and different technical documents is an essential part of cyber threat hunting, so hunters also need to have excellent technical writing and reporting skills.
● Soft Skills - Finally, cyber threat hunters need to possess a handful of soft skills such as strong stress management, analytical, research, and problem-solving skills. They need to be self-starters who are able to work with minimal management, however also need to have strong collaboration and interpersonal skills as they usually work together with several other professionals from other information security fields.
Despite the talent gap, there’s a growing demand for qualified cyber threat hunters among enterprises. This demand is driven by the need for enterprises to take a more proactive approach to security than ever before. But for those with the background and qualifications needed to successfully fill these roles, there’s an abundance of opportunity.
Developing comprehensive cyber hygiene procedures is a must for today’s enterprises. When carried out in conjunction with robust, enterprise-wide security practices, sound cyber hygiene practices aid in maintaining a sound security posture for modern organizations.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business