The best threat hunters ask hard questions, think creatively and go against the grain, according to John Collins, analyst at Gartner. While some cybersecurity analysts thrive on playbooks, processes and procedures, threat hunters rely heavily on their instincts and improvisational abilities, he added. They approach security with the infinite creativity of threat actors themselves, constantly forming and testing new hypotheses to flush out hidden antagonists.
"[Threat] hunters are like explorers and adventurers on a digital frontier," Collins said. "They're looking for trouble but in a good way."
Engineers can train an automated threat hunting model to detect and flag many anomalies in existing network data, he added. But no tool can yet rival human intuition when it comes to recognizing highly unusual or even unprecedented threats, such as the Sunburst backdoor, delivered through trojanized SolarWinds Orion updates, that FireEye found in its own network in December 2020. That discovery exposed the larger SolarWinds supply chain attack, which has had dire implications for organizations across the public and private sectors.
"While we do not know exactly how FireEye first discovered this threat in their environment, our educated guess would suggest this was likely uncovered through manual threat hunting, looking through historical data to spot communications that 'just don't make sense,'" wrote Rudolph Araujo, vice president of strategy and marketing at Awake, Arista Networks' network detection and response security division, in a blog post.
Gartner's Collins said threat hunting automation technology will likely never rival a human's ability to connect disparate dots or intuit the difference between a run-of-the-mill anomaly and a red flag.
"The best threat hunters will pull on a thread, often on instinct or a gut feeling, and they'll end up down a rabbit hole in an adversary Wonderland," he added. "There are tools that can help, but you can't train a model to have intuition. It's very much a human art form."
What threat hunters do
Threat hunting is a proactive cybersecurity practice that combines human and technological intelligence to unearth threats that automated detection controls and alert-driven processes miss. Rather than waiting for an alert, hunters form hypotheses about how an adversary might be operating in the environment, then search widely and deeply through endpoint, network and log telemetry for the subtle signs of intrusion that would confirm or refute them, with the goal of finding and evicting the intruder.
While some large enterprises have dedicated threat hunters on staff, most companies lack the resources to conduct aggressive internal threat hunting. Such organizations typically enlist the help of third-party threat hunters, as needed -- in the event of a possible breach, ahead of a corporate merger or as part of a cyber health check, for example.
"Very rarely do hunters not find anything inside an environment," said Collins, who managed operations for a third-party threat hunting team before becoming an analyst. "I think I saw it happen twice. Typically, hunters will find some evidence of previous adversarial activity, or they'll find an active adversary."
What makes a good threat hunter
Collins questioned conventional wisdom that security analysts with the most experience always make the best threat hunters, adding that pattern recognition and chain analysis skills are far more important than tenure. "You may find someone in another part of the organization that's actually really good at threat hunting," he said.
Mat Gangwer, senior director of managed threat response at Sophos, agreed that the cybersecurity industry does itself a disservice by hiring based on factors like certifications and length of formal experience. "Technical expertise can be learned and trained. Personality traits and mindset are more difficult to shape," he said.
Collins pointed to author Gretchen Rubin's Four Tendencies productivity framework, which categorizes people as upholders, obligers, questioners or rebels based on how they respond to inner and outer expectations. Both upholders and obligers are keen to meet external expectations, such as work deadlines, although obligers struggle with internal expectations, such as New Year's resolutions. Questioners, on the other hand, resist outer expectations unless they have compelling justification -- they want to know why they should do something before complying. Most threat hunters are questioners, Collins said, because they aren't afraid to cross-examine the status quo or to try innovative approaches -- making them good, in turn, at uncovering innovative cyber attacks.
"Hunters are 'doers.' They're very creative, and they're not just going to settle for whatever is presented to them," Collins said, adding that many may also have slight rebel tendencies. In Rubin's framework, rebels resist both inner and outer expectations and want the freedom to accomplish tasks their way. But, although many threat hunters find success forging their own paths, they don't lack discipline, Collins added. On the contrary, they can be extremely methodical and process-driven when in service to a larger mission they understand and support.
Curiosity drives exceptional threat hunters to tackle difficult questions, Gangwer added, and their deductive reasoning skills and meticulous persistence help them find the answers. "An analytical mindset allows threat hunters to methodically step through gigabytes of logs, using tools that might not make analyzing data easy," he said. "It's often a daunting task."
How to become a threat hunter
The barrier for entry to threat hunting is relatively low, according to Gangwer. Anyone with access to endpoint, network or security telemetry can threat hunt by using that data to test hypotheses or answer questions that interest them. "If you ever think, 'this looks odd,' and hours later find yourself still working on the same problem, you have a possible career as a threat hunter," he said.
Collins suggested that security professionals and others interested in threat hunting learn to code and script in a language such as Python, Go or Perl, to gain a degree of technical autonomy from their tooling.
"Learn something that will enable you to create those queries and go beyond what the tool set in front of you offers," Collins said. "Some of the best hunters I've seen in action will just sit down and quickly script something custom to grab data on an ad hoc basis if it's not already available to them."
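The following is an added example of the kind of ad hoc script Collins describes; it is not code from the article, from Gartner or from Sophos. It tests one hypothesis against a constructed connection log: an implant that calls home on a timer will leave a (source, destination, port) trio whose connection inter-arrival times are almost constant, whereas ordinary browsing is bursty. The log format, the hosts and the thresholds are all assumptions chosen for the demonstration.

```python
"""Hypothesis-driven beacon hunt over a constructed connection log.

Added example, not the article's code. The 'ts src dst dst_port' line
format, the IP addresses and the thresholds below are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real traffic), one connection per line,
# loosely modelled on a Zeek conn.log export. 10.0.0.5 talks to
# 203.0.113.9 roughly every 300 s; its other traffic is irregular;
# 10.0.0.7 reaches the same destination only three times.
SAMPLE_LOG = """\
1700000000.0 10.0.0.5 203.0.113.9 443
1700000005.0 10.0.0.5 198.51.100.20 443
1700000006.0 10.0.0.5 198.51.100.20 443
1700000041.0 10.0.0.5 198.51.100.20 443
1700000100.0 10.0.0.7 203.0.113.9 443
1700000300.4 10.0.0.5 203.0.113.9 443
1700000600.1 10.0.0.5 203.0.113.9 443
1700000899.8 10.0.0.5 203.0.113.9 443
1700000900.0 10.0.0.5 198.51.100.20 443
1700000901.5 10.0.0.5 198.51.100.20 443
1700001200.6 10.0.0.5 203.0.113.9 443
1700001500.2 10.0.0.5 203.0.113.9 443
1700001700.0 10.0.0.5 198.51.100.20 443
1700001799.9 10.0.0.5 203.0.113.9 443
1700002000.0 10.0.0.7 203.0.113.9 443
1700002050.0 10.0.0.7 203.0.113.9 443
1700002100.3 10.0.0.5 203.0.113.9 443
"""


def parse_log(text):
    """Parse 'ts src dst port' lines into (ts, src, dst, port) tuples.
    Malformed lines are skipped so one bad export row cannot abort the hunt."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((float(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def find_beacons(records, min_conns=6, max_cv=0.1):
    """Return (src, dst, port) trios whose inter-arrival times are nearly
    constant: at least min_conns connections and a coefficient of variation
    (stdev / mean of the gaps) at or below max_cv. Both thresholds are
    assumptions to be tuned against your own baseline."""
    by_trio = defaultdict(list)
    for ts, src, dst, port in records:
        by_trio[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), stamps in by_trio.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "count": len(stamps),
                         "mean_interval_s": round(avg, 1),
                         "cv": round(cv, 4)})
    # Most regular first, so the strongest leads top the analyst's list.
    return sorted(hits, key=lambda hit: hit["cv"])


def hunt(text, **thresholds):
    """Convenience wrapper: parse a log export and run the beacon check."""
    return find_beacons(parse_log(text), **thresholds)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']}: "
              f"{hit['count']} connections every ~{hit['mean_interval_s']} s "
              f"(cv={hit['cv']})")
```

A hit from a script like this is a lead, not a verdict: update checkers, monitoring agents and time sync also beacon on fixed timers. The hunter's next pull on the thread is to ask what the destination is, whether other hosts talk to it and what process on the source opened the connections.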
Aspiring threat hunters would also do well to build cloud networking and cloud security expertise since many of today's organizations struggle with incident response and threat hunting in those environments. "That's a big opportunity," Collins said. "Cloud will be the predominant skill set in the future."
In addition to pattern recognition, deductive reasoning, coding and cloud networking skills, experts said aspiring threat hunters would benefit from some understanding of the following:
- data forensics
- incident response
- network administration
- network traffic analysis
- systems administration
Communication and collaboration skills matter as well. Collins said the best threat hunters are independent thinkers but not lone rangers: they work with other IT professionals to get access to operational data and to identify hunting leads. Once hunters have found a threat or vulnerability, they must also communicate it clearly and quickly to the rest of the security team and to other organizational stakeholders so the problem can be mitigated.
From the enterprise perspective, cybersecurity leaders looking to attract and retain top threat hunting talent should offer opportunities for professional growth and access to increasingly rich telemetry, Gangwer suggested.
"Threat hunters like to solve challenges, so letting them flex their mental muscles is important," he said.