How Threat Hunters Operate in Modern Security Environments

Pierluigi Paganini June 06, 2018

Cyber security – With millions of new malware samples surfacing on the internet every year, threat hunters need to be ever more ready and at the top of their game to ensure that their organization remains safe and protected from cyber threats.

Cyber security is a universe of its own. It has its own unique domains, and its fair share of challenges that are faced every day by cyber security experts. Of late, a new term has surfaced on the internet: threat hunter. The role of a cyber-security threat hunter is becoming more important with each passing day.


In 2017, the number of cyber-attacks that took place just across the US was almost 50% higher compared to the previous year. And this year is no different. According to a recent survey conducted by Crowd Research Partners, “the number of threats in the cyber space have continued to double each year”.

While millions of businesses are facing threats from cyber criminals, the wise ones are busy recruiting, training, and equipping their cyber security threat hunters with sophisticated tools and equipment required to fight the online malice.

Naturally, those who are uncertain about what a cyber-security threat hunter is supposed to do are looking for ways to acquire the skill. This article will give you a basic understanding of most aspects of threat hunters and how they work in modern security environments.

Job Description, Skills and Qualifications of a Threat Hunter

A network threat hunter starts his research by assuming that the network has already been breached. This assumption rests on the premise that even though tools such as VPNs (recommended ones are PureVPN, PIA & Ivacy) and other server protections are in place, an intrusion sophisticated enough to bypass the VPN and the other security measures has already made it into the network.

A threat hunter needs a proactive approach while scanning all networks and servers for possible breaches or intrusions. He also needs to be very creative in spotting anomalies and slightly abnormal events occurring on a network.

When it comes to technical knowledge, threat hunters need to be at the top of their game. Only when they understand in depth how a network functions and how data flows through it can they spot issues such as data being leaked or, worse, hijacked by someone else.

Lastly, a network threat hunter needs to know the SOPs prescribed by the organization he works at, along with the SOPs of the cyber security industry. Only when he fully knows the culture that is expected to be followed religiously will he be able to recognize exceptions and detect threats that no eyes have ever seen before.

Understanding Dynamics of Modern Security Environments

The threats faced by modern security environments evolve every day. It is only logical to state that the tools and procedures in use today will soon become obsolete and be replaced with new tools and technology. Consequently, organizations concerned about keeping their networks and digital environments secure need to keep moving toward adopting new tools and techniques.

This may not guarantee ultimate safety, but it will play a crucial role in keeping organizations at least at par, if not a step ahead, with the growing threats in the online space.


How Threat Hunters Operate in Modern Security Environments

In 2016, G Data Software reported that 6.8 million new malware specimens surfaced on the internet. A year later, this number rose to 7.1 million. Looking at this trend, it is clear that the coming years will be no easier on threat hunters. In fact, it emphasizes the importance of training threat hunters and preparing them for the most unexpected.

Of the 7.1 million new strains of malware discovered in 2017, obviously not all would be dangerous. However, identifying the few dangerous ones is what determines whether a digital environment is secure or not. This is where threat hunters contribute to keeping networks secure.

A threat hunter identifies threats that AI systems may have missed. They do so by focusing on the shortcomings of their organization's security architecture, which fails to prevent threats from gaining entry into the digital environment.

How to Conduct a Threat Hunt

  • Outsource or DIY

The first step to efficiently conducting an organization-wide threat hunt is to determine whether it can be carried out by the in-house security team. In that case, it is important to allocate dedicated resources and equipment to the threat hunters.

If, for any reason, the in-house team lacks the acumen for such a task, or if the security team is occupied with other work under resource or time constraints, the safer option is to outsource it.

  • Focus on Key Areas and Make a Plan

It is crucial to treat threat hunting as a pre-planned process, and not as an ad hoc task. Creating a proper plan and defining procedures that should be followed throughout the threat hunting process will play a crucial role in making the efforts bring a positive impact.

With a plan and a schedule in place, it can be ensured that the tasks of the threat hunting team do not interfere with those of other teams. Furthermore, the schedule can also help in pre-determining the order of the tasks to be executed. This allows threat hunters to operate smoothly and effectively, while keeping track of all the tasks that have been accomplished and the ones that still need attention.

  • Produce a Hypothesis

Beginning with the end in mind makes it easy to plot your journey and to know for sure when a task is completed. When hunting threats, the team should determine what it is looking for and what it wants to find. For example, the threat hunters should determine beforehand that they are looking for malware, or for intruders who may have hacked the system.

Knowing exactly what to look for makes it easy to find it if it is there, or to know when to stop the search in case there are no threats. Without a hypothesis, the search for threats may become endless and threat hunters will never be certain about when to stop.

  • Gather Crucial Information and Data

There is a lot to do when it comes to organizing all the available information and data. If the data is not organized, it is useless, as it becomes almost impossible to find what’s needed at the right moment. The data that threat hunters will collect and organize can include process names, command line files, DNS queries, destination IP addresses, digital signatures, etc.

If all this information is available but not sorted in a manner that is easy to sift through, threat hunters may spend a lot of time just finding the right information, and then additional time using the data in their processes. Such an approach can inflate the budgets and resources used in threat hunting, damaging the overall productivity of the threat hunting team.

  • Task Automation

Without the help of AI and task automation, it would be impossible to keep up with ever-growing cyber threats. Even though a human eye is very much needed, without automation the thousands of new threats and malware samples that surface on the internet every day will go unnoticed.

For threat hunters, what is needed is a combination of people who are exceptionally good at what they do with artificial intelligence built precisely for finding threats to modern security environments and sensitive networks.

  • Execution

That said, there is no such thing as a perfect tool or a perfect procedure that a threat hunter can follow to eliminate threats from a modern security environment. It is a continuous struggle between online threats that keep getting better each day and the innovation required of threat hunters to always stay one step ahead of cyber-attacks.

AI and the Future of Cyber Threat Hunting

One of the fastest-evolving tools in recent times is artificial intelligence and machine learning, which has been helping threat hunters reduce the time they spend on detection, prevention and fixing issues. It also helps improve the efficiency of the measures that threat hunters take.

However, some people believe that as AI gets better, it will replace the need for human threat hunters. We believe that will never be the case. There are two reasons for this.

Firstly, AI is a developing technology that is available to both sides, the good and the evil. Moreover, some analysts even suggest that future cyber threats will be created and propagated using AI and even blockchain to create a much wider impact.

Secondly, AI is a tool created by humans. Even though it is very efficient at analyzing all options at the same time and taking the best decision, it may never be able to outpace the creativity and innovation that the human mind is capable of. AI may come in very handy for implementation and research purposes, but for now, humans will lead the show with their own creativity and critical thinking.

About Author:

Anas Baig is a Cybersecurity & Tech Writer. He has been featured on major media outlets including TheGuardian, Lifehacker Australia, The Next Web, CSO, ITProPortal, Infosec Magazine, Tripwire and many others. He writes about online security and privacy, IoT, AI, and Big Data. If you’d like to get in touch, send an email to [email protected] or follow him on Twitter @anasbaigdm.



Pierluigi Paganini

(Security Affairs – cyber security, cyber threats)
