With Ukraine now under siege, and Russian-fueled cyberattacks no longer just a feared or likely scenario but an ongoing threat, the pressure on cybersecurity defenders has never been greater.
The situation in Ukraine is dire, with recent reports indicating that government officials there have begun reaching out to volunteers from the nation’s hacker underground to help protect infrastructure and conduct spying missions on Russian troops. Ukraine is on the defensive, a position familiar to many cybersecurity professionals as well as business leaders and their boards of directors, even when not thrust into all-out war.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance to companies and organizations to shore up defenses in the event that Russian cyberattacks threaten critical infrastructure and financial institutions. That is helpful, but also underscores an inconvenient truth: When it comes to network cybersecurity, we’re playing defense.
It’s time, say cybersecurity experts, to flip that script.
The flip, in theory, is fairly simple: Stop being reactive; get proactive with security, whenever possible. In practice, it’s tougher—but that’s where the craft of threat hunting comes in.
Threat hunters are the cybersecurity professionals who dig into systems and networks to root out attackers before bad things happen. Think of them as your organization’s own private Navy
Threat hunters understand that threat actors—whether geeky hackers, ideals-driven hacktivists, or state-sponsored black-ops types—approach enterprises with distinct tactics, techniques, and procedures that are predictable and identifiable. Threat hunters study the environment they’re defending and the possible strategies of their adversaries. Then
they go hunting!
Of course, effective threat hunting is a team effort and requires the right talent to be in place. There are five foundational elements needed to build your ideal threat hunting squad. Consider what follows a primer on how to hunt the hunters.
1. Diversity—it’s not just a buzzword
Has there been any proof—ever—that great minds think alike? Groupthink is the enemy of effective threat hunting teams. “Diverse teams yield better results,” says Melissa Bischoping, an endpoint security research specialist at Tanium.
Diverse teams yield better results.“Imagine you have a team with too many people from the same background.” The likely result: a group of people who eat the same breakfasts, shop the same brands, download the same podcasts, tweet the same rants, and find themselves surrounded by others who eat, shop, download, and rant in exactly the same way.
In homogeneous groups, she says, it’s easy for people to “forget there might be other viewpoints to consider.”
Experts note that when enterprises hire threat hunters with different professional backgrounds and experience levels, the team’s problem-solving abilities improve. Such backgrounds can be as varied as military intelligence, data science, traditional technology, or red, blue, and purple teams (security testers who specialize, respectively, in attacking your systems, defending them, and combining the wisdom of both).
Even those with little or no technical expertise are worthy of consideration. “When you get diverse backgrounds like this, you get people asking questions that the others didn’t even know were questions available to ask,” Bischoping explains.
Recruiting experts of various ages and socioeconomic backgrounds is also vital to “harvest the different ideas and threat experiences each might possess,” says L. Burke Files, co-author of the Business Security Audit & Review Toolkit and president of Financial Examinations and Evaluations, Inc. “Find the people that are willing to be creative and push the edges a bit,” Files says.
The takeaway: A diverse team of threat hunters is essential to improve problem-solving and avoid groupthink.
2. Soft skills—they’re harder than you think
Threat hunting entails scouring networks for activity that’s known and unknown—which requires time, determination, and an often undervalued but indispensable component: patience.
You need somebody who has the skill set and the patience to want to really solve a problem.“You need somebody who has the skill set and the patience to want to really solve a problem,” says Michael Farnum, CTO at Set Solutions. “Those tend to be the people who like to do CTFs,” he notes, referring to the various “Capture the Flag” competitions, in which “flags” are used to reward players who succeed at security themed challenges. “You want to find somebody who enjoys doing that in their spare time,” he says.
Such challenges, and threat hunting overall, inevitably involve asking lots of questions. Threat hunters who excel are naturally curious, with superior problem-solving skills and a knack for exploration, notes Duncan Miller, Tanium’s director of endpoint security. These are people with a keen eye and the courage to follow their hunches—wherever they may lead.
“Threat hunters must be willing to fail sometimes,” says Miller. “If they are looking for true ‘unknown-unknown’ activity, there will be a lot of times when hunches don’t play out. And that’s OK.”
Other general skills that threat hunters should possess, observes Eric McGee, senior network engineer at TRG Datacenters, include deductive reasoning, quick pattern recognition, and an ability to avoid their own cognitive biases.
“I hate the term soft skill,” adds Bischoping, when referring to nontechnical skills. “These are critical skills,” she says.
The takeaway: Successful threat hunting is more than technical acumen. It requires additional intangible skills, such as patience and a willingness to take chances.
3. Environmental awareness—and we don’t mean recycling
Every industry has unique aspects that draw different sets of attackers and defenders alike. This is why cybersecurity requirements and strategies are different at a bank, school, medical center, or energy provider.
“We talk about industrial systems like SCADA [supervisory control and data acquisition] and industrial controls in, say, the oil and gas industry,” says Bischoping. “Hunting in those environments looks a lot different than hunting at a bank or hospital. So it’s important to have a deep understanding of the type of environment in which specific threat hunters operate.”
A great way to build that environmental awareness is to have threat hunters collaborate across the industry.
“This is especially important in your vertical, where trust and relationships can matter more than raw intelligence,” says Ron Gula, president and co-founder of cybersecurity investment firm Gula Tech Adventures. “This will allow your hunters to learn from others and bring this back to your organization.”
The takeaway: Business technology and systems vary widely from industry to industry, making it crucial for any threat hunting team to thoroughly understand their industry at every level.
4. Continuous education—it’s never too soon to start
Technology is constantly evolving, and adversaries are always changing and improving. So the only way for a threat hunting team to be highly effective is to study. Study again. And study some more.
It’s never been more important to focus on [this] because there is a hiring emergency currently in cybersecurity.“It’s never been more important to focus on [this] because there is a hiring emergency currently in cybersecurity,” says Scott Crawford, information security research head at 451 Research.
So what type of education are we talking about? Of course, learning technical skills, such as networking, data forensics, data analytics, application security, malware analysis, and endpoint system internals, along with a thorough knowledge of the systems they defend. There is a laundry list of things we know contribute to effective threat hunting, says Crawford.
Security leaders can cultivate these skills for their in-house threat hunters, notes McGee of TRG Datacenters, by providing access to threat hunting workshops, available courses like Certified Cyber Threat Hunter (CCTH), and certification exams. In addition to CCTH exams (found at this boot camp), other certifications include the CompTIA Security+ (good for those starting out in the field), GIAC’s Cyber Threat Intelligence (issued by GIAC, a leading cyber certification provider), and ISACA’s Certified Information Security Manager program.
The takeaway: Everything in enterprise technology evolves, which means that to remain effective, so must threat hunters.
5. Real-world training—the more realistic, the better
One of the reasons the military trains with live rounds is to get recruits used to operating their weapons—and under circumstances that most accurately reflect the real-world scenarios in which they’ll soon have to perform.
“Realistic adversary emulation is a great way to ensure you cultivate skills for threat hunters,” says Gula. “The more realistic the simulation, the better prepared and confident your team will be.”
For threat hunters, that preparation could entail engaging in CTF competitions for offensive training or participating in tabletop exercises. Gula says exercises like these are central to team training.
Adversary emulation platforms that simulate basic malware and the repeated strategies of advanced persistent threats (APTs), typically those of stealthy nation-states, also make training much more realistic, he says. “Cyber ranges are great, too, but working on your network with your own tools is much more effective.”
Tools such as Mitre’s Adversary Emulation Plans show how threat hunters and defenders can use the Mitre ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, a popular knowledge base used to model adversary behavior.
This type of training is essential for threat hunters to stay abreast
of attack skills—the same skills used by those they’re trying to
The takeaway: Make threat hunting training as realistic as possible so that hunters have the skills they need to identify real-world threats.
After breaching a network, hackers can avoid detection for 280 days, on average, according to an IBM Security report. Threat hunters can put a serious dent in that. Of course, there will be losses among the wins, but by assembling the right team and giving them the space to track down potential adversaries in your environment, they will find threat actors before they do harm.