Cybersecurity Career Paths: Threat Hunting
Previously we talked about Detection & Response and what the job entails. In this issue of the series, we’ll dive into another role within the Blue Team in Cybersecurity: Threat Hunting. These are generally closely aligned.
Let’s take a look at these domains within Cybersecurity.
Threat Intel
Before we get into Threat Hunting, let’s talk about Threat Intelligence.
Threat Intel professionals collect and analyze information about potential threats to the company. They then use this information to identify and mitigate risks and develop strategies for responding to attacks, usually in collaboration with partner Security teams. In the end, the work will be tailored to their organization.
Many models exist to approach and illustrate threats; one of them is the Diamond Model. It can be used to map Adversaries, Capabilities and so forth.
A day in the life of a Threat Intel Analyst could include tasks such as:
Sorting and filtering data on potential threats.
Collaborative threat hunting efforts creating hypotheses about potential attacks.
Generating intelligence reports for stakeholders.
Performing regular threat research to better understand the context of threats.
Investigating threats to track their sources and develop preventive action plans.
This is not an exhaustive list, but a good overview of what to expect in the role.
The key part when it comes to Threat Hunting is collaboration.
Collaborating on Threat Hunting Efforts: Threat Intel Analysts play a key role in threat hunting activities (if a company is fortunate enough to have both a Threat Intel and a Threat Hunting team). They create hypotheses based on the data collected and the intelligence gathered. This involves asking questions such as:
When did the attack occur?
What was the attacker looking for?
What systems were targeted?
Think who, what, where, and so forth. The hypotheses help in understanding how the attacker thinks and where to look for more threat intelligence. This keeps everyone in the organization informed and aids in making risk-assessed decisions.
Threat Hunting
In a nutshell, Threat Hunters proactively search for potential threats, focusing on areas not currently covered by any automated detection systems.
They use a variety of tools and techniques to identify suspicious activity, then work diligently to investigate and respond to these threats.
The above-mentioned collaboration with Threat Intel will inform them on where best to focus their efforts. An informed defense is a strong defense.
A day in the life of a Threat Hunter could include tasks such as:
Threat Hunting Research & Planning
Data Analysis
Collaboration with the Blue Team
Documentation and Reporting of findings
Let’s dive deeper into a sample job description.
Threat Hunting Research & Planning: Review the current threat landscape, noting any emerging trends or unusual activity. Use this information to develop hypotheses about potential threats, which will guide the day's threat hunting activities.
Data Analysis: After a hypothesis is formed, dive into the data. This involves analyzing logs, network traffic, endpoint data, etc. to identify anomalies or suspicious activity that could suggest a threat.
Investigation: When something looks out of the ordinary, Threat Hunters start investigating. This could involve anything from timelining logs and deep-dive network forensics to malware analysis.
Collaboration with the Blue Team: If the investigation uncovers a credible threat, collaboration with the rest of the Cybersecurity team will ensue to develop and implement a response strategy. This might involve patching vulnerabilities, taking systems offline, or image analysis.
Documentation and Reporting: At the end of the day, documenting your findings, making note of the threats identified, the steps taken to mitigate them, and recommendations for future action is key. This information is invaluable in preparing for future threats of similar nature.
These are the core responsibilities of the role, but not exhaustive.
Conclusion
Threat Intel and Threat Hunting are intertwined and rewarding career paths, offering an opportunity to be on the front lines, proactively identifying and combating threats.
If this sounds like something you want to dive deeper into, I highly recommend the book Huntpedia. It’s free 😄.
Stay tuned for the next part of this series, where we will look into another domain of Cybersecurity.