Interview: A day in the life of a threat hunter

Cyber threat actors are becoming more and more sophisticated and innovative in their methods of evading cybersecurity tools. Therefore, it is not enough to wait for attacks to occur and try to repel them. Instead, traditional cyber defense strategies based on known threats must be paired with an ability to proactively identify new and emerging attack avenues before it’s too late.

This need has led to the emergence of a relatively new type of cybersecurity role: the threat hunter. These people are responsible for uncovering potential dangers to an organization and for enhancing security before any damage is done. Essentially, they need to think like an attacker and have a deep understanding of emerging trends in cyber attacks.

So what does it take to be successful in the threat hunting world, and what is life like on the frontlines of the war against adversaries? Safety Info recently spoke to Connor Morley, senior threat hunter at F-Secure, to find out.

What is a threat hunter, and what are the role’s main functions?

A threat hunter works to defend domains and networks by understanding how they might be attacked. By thinking and behaving like an attacker, hunters actively engage in defense by understanding potential offensive avenues of attack. Once the potential avenues of attack are discovered, defenders can mitigate them.

There is no better detection method than a team of threat hunters. When you hear about cybercriminals lingering in a network for months and years, it’s probably because they didn’t have a team of hunters. A good team of threat hunters can detect vulnerabilities in hours or even minutes.

What prompted you to become a threat hunter, and how did you end up working in this role?

I have been a threat hunter for four years. I am an avid security researcher and fond of reading and staying on top of the latest threats. I like to pick apart advanced techniques and see how they work so that we can tailor our detection and response.

I was a teenager when I first started exploring computers, getting by with the CMD command line, or writing batch files, VBScripts and the like. It was very basic, but it was a foundation because it showed me how computers work.

I studied computer security and forensics in college, focusing on offensive techniques and forensic analysis, as well as penetration testing, corporate server management and more. I graduated with a first-class honors degree and had the opportunity to complete a doctorate at the university. However, after I started looking for a job, I was contacted about a possible position in the Countercept department of F-Secure to do active, research-led defense. Now I am a senior threat hunter.

What are the key skills and qualities required to work in this field?

Many threat hunters start their careers by earning an Offensive Security Certified Professional (OSCP) qualification, which gives them a basic understanding of offensive security. But the work requires us to take a giant leap beyond anything that can be taught in the classroom. We need to develop an attacking mindset that involves understanding the questions hackers ask and the answers they are likely to discover. This involves examining an app and determining if it can be misused or used to do something it isn’t supposed to do.

The title of Threat Hunter barely existed five years ago, which means it may conjure up images of comic book heroes joining forces to fight shady digital supervillains – but it doesn’t. Threat actors are creative and persistent, which means threat hunters are forced to live by a philosophy that attacks are inevitable and all preventative measures will eventually fail, so threat hunting is closer to detective work.

This can be done by creating standard rules and toolsets that detect malicious behavior or by looking for threat actions in what are often referred to as hunt sprints or use cases. Threat Hunters design hunt sprints that expose both Indicators of Compromise (IOC) and Indicators of Attack (IOA) based on new or emerging techniques and exploits, as well as data gathered from active incidents or reports from the wild. Hunters then scour their clients’ domains to discover compromises based on the preconditions set in the sprint. The results are brought together to create detection capabilities that catch attackers who try to use the same technique, creating both existing and future protection for customers.

Another myth surrounding threat hunters imagines that they constantly hunt network intruders and engage in digital melee battles. This is not the case. Hunters use response capabilities to slow or stop an attacker and limit their activity until a full-fledged remediation operation can be initiated. Hunters track down attackers and use the information gathered from those sightings to design obstacles such as network speed bottlenecks that give incident response teams time to kick the attacker out of the system and ensure they never come back.

There are times when hunters are dealing with an attacker “on the keyboard”, which is a very dangerous situation. When an attacker spots a team of threat hunters, they can suddenly change tactics to confuse the hunters. They can also go nuclear and cause as much chaos as possible, which is especially likely if their goal is to do as much damage to the organization as possible.
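The hunt sprint loop described in this answer (a hypothesis written as an IOC or IOA, run over collected telemetry, with confirmed patterns kept as reusable detection rules and known-good behaviour baselined out) can be made concrete in a few lines. The following is an added illustration and is not code from the interview, from Connor Morley or from F-Secure Countercept; the event schema, hostnames, users, hashes and command lines are all constructed for the example, and the rule logic is deliberately simple.

```python
"""Toy hunt sprint over constructed endpoint process telemetry (example only)."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    sha256: str   # hash of the image on disk (placeholder values below)
    cmdline: str


@dataclass(frozen=True)
class HuntRule:
    name: str
    kind: str     # "IOC" = known artefact, "IOA" = behaviour pattern
    matches: Callable[[ProcessEvent], bool]


# Constructed sample telemetry; nothing here is real data.
EVENTS = [
    ProcessEvent("ws-01", "alice", "explorer.exe", "winword.exe", "aa11aa11", "winword.exe Q3-report.docx"),
    ProcessEvent("ws-01", "alice", "winword.exe", "powershell.exe", "bb22bb22",
                 "powershell.exe -w hidden -enc UwB0AGEAcgB0AC0A"),
    ProcessEvent("ws-02", "bob", "cmd.exe", "powershell.exe", "bb22bb22",
                 "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcessEvent("srv-03", "svc_backup", "services.exe", "powershell.exe", "bb22bb22",
                 "powershell.exe -enc UwB0AGEAcgB0AC0A"),
    ProcessEvent("ws-04", "carol", "explorer.exe", "updater.exe", "deadbeef0000", "updater.exe /silent"),
]

# IOC: an image hash reported from an earlier incident (placeholder, not a real hash).
KNOWN_BAD_SHA256 = {"deadbeef0000"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def is_known_bad_hash(e: ProcessEvent) -> bool:
    return e.sha256 in KNOWN_BAD_SHA256


def office_spawns_shell(e: ProcessEvent) -> bool:
    # Behavioural indicator: an Office application is not expected to launch a shell.
    return e.parent in OFFICE_APPS and e.image in SHELLS


def encoded_powershell(e: ProcessEvent) -> bool:
    # Only the literal "-enc" token is matched here; a production rule would also
    # cover the other abbreviations PowerShell accepts for the same parameter.
    return e.image == "powershell.exe" and "-enc" in e.cmdline.lower().split()


RULES = [
    HuntRule("known-bad-image-hash", "IOC", is_known_bad_hash),
    HuntRule("office-app-spawns-shell", "IOA", office_spawns_shell),
    HuntRule("encoded-powershell", "IOA", encoded_powershell),
]

# Baseline: (rule, host, user) triples confirmed legitimate in a previous sprint,
# so the same noise is not re-triaged every time the sprint runs.
BASELINE = {("encoded-powershell", "srv-03", "svc_backup")}


def run_sprint(events: Iterable[ProcessEvent], rules, baseline=BASELINE):
    """Return (kind, rule, host, user, image) for every non-baselined match."""
    findings = []
    for e in events:
        for r in rules:
            if r.matches(e) and (r.name, e.host, e.user) not in baseline:
                findings.append((r.kind, r.name, e.host, e.user, e.image))
    return findings


def hosts_to_triage(findings):
    """Hosts ordered by number of distinct rule hits, most first; ties by name."""
    counts = Counter(f[2] for f in findings)
    return sorted(counts, key=lambda h: (-counts[h], h))


if __name__ == "__main__":
    found = run_sprint(EVENTS, RULES)
    for f in found:
        print(f)
    print("triage order:", hosts_to_triage(found))
```

Each rule is a plain predicate, so a confirmed hypothesis from one sprint becomes a standing detection simply by leaving it in RULES; the baseline set is what keeps a known-good scheduled task from masquerading as a finding on every run, and removing it (pass baseline=set()) shows exactly which alerts the tuning suppresses.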

How has the role of threat hunter evolved over the years and how do you think it will evolve in the future?

The entire security industry is moving towards models like zero trust, which are more stringent security frameworks. One of the main reasons for this is the growth of insider threats, which are now one of the main drivers of compromise. Employees are often used as a point of attack – or initiate the attack themselves, which is particularly dangerous because they have network access and in-depth knowledge of an organization’s systems. This makes it more difficult to detect their activities.

Zero Trust considers all actions to be untrustworthy, so there can be no activity on a domain that is not associated with or categorized under a particular person, making it easier to detect unauthorized activity. We’ve also seen the cybersecurity industry move away from blacklists, which are becoming increasingly long and sprawling as attackers are always able to find new ways to dodge defenses.

Threat hunters must constantly adapt to find ways to detect methodologies that can bypass blacklists, zero trust, or whitelists. The best teams will find ways to capitalize on these developments against attackers and in favor of defenders.

What advice would you give to someone who wants to become a threat hunter?

Make sure you love the research, as this is how Threat Hunters hone their understanding of attackers and design new offensive – and therefore defensive – abilities. It’s also important to pay attention to detail and be prepared to constantly learn. You need to combine many different skills to be a threat hunter, so you need to keep building your knowledge, testing previous hypotheses, and designing new ways to deal with emerging threats.
