Six ways to define a successful threat hunter

By Rick McElroy, Carbon Black

Once an organisation establishes a threat hunting program, its goal is to hunt threats proactively, with a focus on newer, more sophisticated attacks for which reliable signatures or indicators are not yet available.

Lack of an effective threat hunting program leaves attackers better positioned for success. So how can they be stopped? The six tips below aim to put threat hunters in the driver’s seat and outsmart their adversaries.

1) Know what’s normal
Discovering abnormal activity within an organisation is the first sign of an attack. But without understanding what normal is or looks like, it’s impossible to identify what is out of the ordinary. Normality is a fluid state created over time, and threat hunters must maintain an understanding of what has, and hasn’t, changed in order to judge what is or isn’t normal.

Tracking attacks and remediations over the course of an organisation’s history helps threat hunters to understand and maintain a virtual environment efficiently and effectively.

2) Trust the team
Threat hunters cannot protect an organisation from external attacks effectively if they don’t have trusting, communicative relationships with internal teams and stakeholders. Once a threat is detected, the hunter must have a strong, cooperative relationship with personnel from IT in order to remedy the problem quickly. Three reasons why threat hunters should forge relationships with other teams, particularly IT, are:

  • Knowing normal: Understanding the everyday functions of systems and applications relies heavily on a threat hunter’s ability to communicate with IT about their understanding of normal.
  • Productively managing weaknesses: Attackers are not always the first ones to find a vulnerable endpoint within an organisation’s network. Threat hunters often happen upon design, application, system and network weaknesses when trying to hunt threats. When these vulnerabilities are identified, dialogue between the threat hunter and the appropriate person or team is essential to strengthen the weak endpoint before an attacker takes advantage.
  • Rapid remediation: When a threat or intrusion is detected by a hunter, appropriate actions must be taken to eliminate the attacker from the system entirely. IT personnel must be involved with this process to ensure that business impact is minimised while an intruder is effectively and completely removed. By forging relationships with individuals in IT, a threat hunter is able to collect information, work with others to understand it, and act accordingly.

3) Observe… Orient… Decide… Act
Threat hunters are comparable to combat soldiers fighting in a cyber war. Soldiers are trained to take on the OODA mindset when handling an attack: Observe, Orient, Decide, Act.

Without the appropriate mindset and process, threat hunters could make a mistake and compromise their effectiveness. Understanding normal conditions and collaborating with other teams helps a threat hunter to inherit the OODA mindset.

For example, by establishing a healthy dialogue with IT personnel, a threat hunter receives more information and is able to orient that information from more perspectives than their own. They are able to make confident decisions and take actions backed up by other members of the company.

4) Threat hunters need good TIPs (tools, infrastructure, personnel)
Threat hunters need appropriate resources to identify threats effectively. Essential resources for running an effective threat hunting mission are tools, infrastructure and personnel.

  • Tools: An advanced endpoint detection and response tool should be installed on every endpoint, to provide a step-by-step detailed forensic history of every activity on each endpoint. This must incorporate a central querying capability that allows a threat hunter to create and store queries, asking whether certain detailed events have occurred anywhere in the environment.
  • Infrastructure: A threat hunter’s infrastructure may include management consoles and a ‘test range,’ where the more advanced can experiment with suspected malware in a safe environment. Here, hunters can hone their skills with ‘live fire’ before applying them in production environments.
  • Personnel: A good threat hunting team must include at least one trained and/or experienced threat hunter. These individuals should have a deep understanding of the inner workings of operating systems, application servers and sub-systems such as web servers and database management systems, as well as maintaining an understanding of the latest attack trends.

Qualified threat hunters should understand the way they and their organisation function, as well as the way attackers function and the trends and tactics they employ. Most importantly, they need to understand thoroughly the inner workings of the organisation, its users, networks and applications.
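The two ideas above, a baseline of what is normal (tip 1) and a central store of reusable queries run across every endpoint (tip 4), can be sketched in a few dozen lines. The following Python is an added example, not Carbon Black code and not tied to any product’s query language; the process events, host names and stored queries are constructed for illustration. It learns the (parent, child) process pairs seen during a known-good window, flags later events whose pairing is new either fleet-wide or on a particular host, and runs a small set of named, stored predicates over the same events.

```python
"""Baseline-and-stored-query sketch over constructed endpoint process events."""
from collections import defaultdict
from typing import Callable

# Constructed sample telemetry (not real data): one record per process start.
BASELINE_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "process": "outlook.exe"},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "process": "winword.exe"},
    {"host": "ws01", "user": "alice", "parent": "services.exe", "process": "svchost.exe"},
    {"host": "ws02", "user": "bob",   "parent": "explorer.exe", "process": "chrome.exe"},
    {"host": "ws02", "user": "bob",   "parent": "services.exe", "process": "svchost.exe"},
]

NEW_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "process": "outlook.exe"},
    {"host": "ws01", "user": "alice", "parent": "winword.exe",  "process": "cmd.exe"},
    {"host": "ws02", "user": "bob",   "parent": "services.exe", "process": "svchost.exe"},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "process": "chrome.exe"},
]


def _pair(event: dict) -> tuple[str, str]:
    """Normalise a (parent, child) pairing so case differences do not split the baseline."""
    return (event["parent"].lower(), event["process"].lower())


def build_baseline(events: list[dict]) -> tuple[set, dict]:
    """Learn which parent->child pairings are normal fleet-wide and per host."""
    fleet: set = set()
    per_host: dict = defaultdict(set)
    for e in events:
        fleet.add(_pair(e))
        per_host[e["host"]].add(_pair(e))
    return fleet, dict(per_host)


def find_deviations(events: list[dict], fleet: set, per_host: dict) -> list[tuple[str, dict]]:
    """Return (reason, event) for pairings never seen before, fleet-wide or on that host."""
    findings = []
    for e in events:
        if _pair(e) not in fleet:
            findings.append(("new-fleet-wide", e))
        elif _pair(e) not in per_host.get(e["host"], set()):
            findings.append(("new-on-host", e))
    return findings


# Hypothetical stored queries: a hunter writes the predicate once, then re-runs it everywhere.
STORED_QUERIES: dict[str, Callable[[dict], bool]] = {
    "office-app-spawning-shell": lambda e: e["parent"].lower() in {"winword.exe", "excel.exe", "outlook.exe"}
    and e["process"].lower() in {"cmd.exe", "powershell.exe"},
    "svchost-not-under-services": lambda e: e["process"].lower() == "svchost.exe"
    and e["parent"].lower() != "services.exe",
}


def run_stored_queries(events: list[dict], queries: dict = STORED_QUERIES) -> dict[str, list[str]]:
    """Evaluate every stored query against every event; map query name -> hosts that matched."""
    hits: dict = defaultdict(list)
    for name, predicate in queries.items():
        for e in events:
            if predicate(e):
                hits[name].append(e["host"])
    return dict(hits)


if __name__ == "__main__":
    fleet, per_host = build_baseline(BASELINE_EVENTS)
    for reason, event in find_deviations(NEW_EVENTS, fleet, per_host):
        print(f"{reason:15} {event['host']}: {event['parent']} -> {event['process']}")
    for name, hosts in run_stored_queries(NEW_EVENTS).items():
        print(f"query {name!r} matched on {hosts}")
```

The per-host view matters as much as the fleet-wide one: a pairing that is routine on a developer workstation may be the first sign of trouble on a finance user’s machine, which is exactly the kind of context a hunter gets from talking to IT rather than from the telemetry alone.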

5) Guard those endpoints
Threat hunters must monitor and protect every one of an organisation’s endpoints at all times. Attackers need only one unprotected endpoint to infiltrate an environment and if a threat hunter is not monitoring all endpoints, the attacker is able to dwell within the system undetected. While endpoints are the principal focus of intruder attacks, they are by no means the only place where information about intruders can be found.

6) Hunt smarter
In addition to endpoint tools, it’s useful for threat hunters to have unfiltered endpoint-level visibility, plus the ability to integrate network-centric visibility via tools such as:
✓ Intrusion detection systems (IDS)
✓ Intrusion prevention systems (IPS)
✓ Netflow
✓ Web filters
✓ Firewalls
✓ Data loss prevention (DLP) systems

Tools like these enhance a threat hunter’s visibility into patterns and activities that help identify potential attacks and vulnerabilities. They also provide additional information that helps to contextualise events and to orient them within the environment. Threat hunters must stay up-to-date with the most effective tools and strategies in their field in order to hunt threats effectively.
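One concrete way network-centric data contextualises endpoint events, and at the same time exposes the unprotected endpoint that tip 5 warns about, is to join NetFlow records against the connections the endpoint sensor reported. The Python below is an added example, not part of the article or of any Carbon Black tool; the host-to-IP map, the flow lines and the endpoint connection records are constructed, and the addresses come from the RFC 5737 documentation ranges. Each flow is attributed to the process that opened it, marked as unattributed when a monitored host shows a flow its sensor never reported, or marked as a visibility gap when the source address belongs to no host with a sensor at all.

```python
"""Correlate constructed NetFlow lines with endpoint connection telemetry."""
from dataclasses import dataclass

# Constructed inventory: which monitored host owns which address. Any other source
# address is, by definition, an endpoint the hunter has no sensor on.
HOST_IPS = {"ws01": "10.0.0.11", "ws02": "10.0.0.12"}

# Constructed endpoint-sensor records: the process that opened each outbound connection.
ENDPOINT_CONNECTIONS = [
    {"host": "ws01", "process": "chrome.exe",  "dst_ip": "203.0.113.10", "dst_port": 443},
    {"host": "ws02", "process": "outlook.exe", "dst_ip": "203.0.113.20", "dst_port": 443},
]

# Constructed flow export, one record per line:
# timestamp src_ip dst_ip dst_port proto bytes
NETFLOW_LINES = """\
2024-05-01T10:00:00Z 10.0.0.11 203.0.113.10 443 tcp 5120
2024-05-01T10:00:05Z 10.0.0.12 198.51.100.7 8443 tcp 91234
2024-05-01T10:00:09Z 10.0.0.13 203.0.113.10 443 tcp 1024
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int


def parse_netflow(text: str) -> list[Flow]:
    """Parse the whitespace-separated flow format defined above; skip blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(port), proto, int(nbytes)))
    return flows


def correlate(flows: list[Flow], connections: list[dict], host_ips: dict) -> list[dict]:
    """Attach endpoint context to each flow, or say why no context exists."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    by_key = {(c["host"], c["dst_ip"], c["dst_port"]): c["process"] for c in connections}
    results = []
    for f in flows:
        host = ip_to_host.get(f.src_ip)
        if host is None:
            status, process = "no-sensor", None          # tip 5: an endpoint nobody is watching
        else:
            process = by_key.get((host, f.dst_ip, f.dst_port))
            status = "attributed" if process else "unattributed"
        results.append({"flow": f, "host": host, "process": process, "status": status})
    return results


def visibility_gaps(results: list[dict]) -> list[str]:
    """Source addresses that generated traffic but map to no monitored host."""
    return sorted({r["flow"].src_ip for r in results if r["status"] == "no-sensor"})


if __name__ == "__main__":
    rows = correlate(parse_netflow(NETFLOW_LINES), ENDPOINT_CONNECTIONS, HOST_IPS)
    for r in rows:
        f = r["flow"]
        print(f"{f.src_ip} -> {f.dst_ip}:{f.dst_port} {f.bytes:>6}B  {r['status']:12} {r['host']} {r['process']}")
    print("unmonitored sources:", visibility_gaps(rows))
```

An unattributed flow from a monitored host is worth a second look because it means the network saw something the endpoint sensor did not, whether through sensor tampering, a gap in coverage or simply a clock skew between the two sources; the hunter cannot tell which without the IT relationship described in tip 2.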

Other resources that help threat hunters to stay on top of cybersecurity innovations are conferences and technical training.

Conferences such as RSA and Black Hat provide threat hunters with opportunities to attend industry events that help to advance their understanding of the current state of cybersecurity, while providing networking opportunities to connect with other threat hunters for sharing findings, challenges and strategies.