Threat Hunting Series: What Makes a Good Threat Hunter
Originally published June 2022 on Medium.
Continuing with the second post in this series, I felt it was necessary to address the skills and knowledge required to become a threat hunter before diving into the threat hunting process. This article will hopefully assist people in understanding the different areas that they might need to work on to become excellent threat hunters.
Threat hunters should have certain skills and experience. This is so they can use their experience to identify suspicious activity patterns and use their skills to investigate each case. Although there are some exceptions, talented individuals with a strong desire to learn could also be a great investment for an organization. In these cases, there are usually more experienced threat hunters in the team willing to help and mentor those that are new to the field.
Human-centric threat hunting
Threat hunting is human-centric and cannot be entirely replaced by automation. The threat hunter will always have to initiate the threat hunt based on a hypothesis or analyze the collected telemetry looking for suspicious activity. Some vendors allege they can automate threat hunting for their customers using Machine Learning (ML).
ML can be an important source of information for threat hunters, but it cannot replace the human-driven threat hunting initiative. Specifically, it can highlight oddities using specific threat hunting techniques such as clustering analysis and make the overall analysis easier. Threat hunters can take advantage of SOAR solutions or, even better, create their own tools for collecting and parsing data to help with the analysis. Creating our tools requires programming knowledge, which is one of the attributes a threat hunter should have. Although ML can be helpful, attackers nowadays try to blend in using administrative tools to achieve their objectives. This makes threat hunters essential in analyzing and identifying malicious activity.
The skills and knowledge of a threat hunter
This chapter will look into some of the most important traits, skills, and knowledge a threat hunter should have. The following list is in no way exhaustive, and it is based on personal views.
Positive personality traits
To be a successful threat hunter, one must possess various positive personality traits. Starting with one of the most important ones, which is humility. A threat hunter should keep looking for opportunities to invite new perspectives and, at the same time, avoid biases.
Additionally, information security is a very fast-paced industry, and it would be fair to say that the more you know, the more you realize you don’t know. Many people, specifically at the start of the journey, overestimate their ability or knowledge, which could slow down their ability to improve their skills. This phenomenon is known as the Dunning–Kruger effect. The picture below accurately depicts this type of cognitive bias:
The second trait is being a good communicator. A threat hunter must be prepared to explain complex technical topics to a broad audience with different levels of knowledge. The communication could be either written or spoken. Below are some examples of communication that I find myself
Document findings both in a short format (e.g. quick notes) and in a long-form, more permanent/official format (e.g. a team wiki or a report).
Involve different departments within the organization to pass on your findings, request access or notify the management team regarding an active threat.
Share your findings with the infosec community.
Overall, being a decent human can take you a long way; nobody likes a know-it-all. This is not specific to threat hunting, but you’ll have an easier time connecting with people if you’re likable.
Recognizing patterns of suspicious activity is a must-have skill for threat hunters. Threat hunters should become familiar with the environments they are trying to defend and understand what “normal” looks like. They can then use their knowledge to hunt for Indicators of Attack (IOAs) or uncover malicious activity based on abnormal activity patterns. Threat hunters use their analytical skills to investigate possible intrusions missed by traditional detection mechanisms. To do that, they use a hypothesis-driven approach to make up for the lack of initial evidence. During a threat hunt, hunters sift through all available logs. Upon an initial identification, they are expected to follow the evidence and unravel the timeline of the attack.
Analytical skills come with experience and a lot of work in acquiring an investigative mindset. Reading intrusion analysis reports is an excellent way to develop this skill. Reading reports will keep you up-to-date with the current threat landscape and expose you to the various techniques adversaries are using to infiltrate networks.
Threat hunters must be well-versed in numerous areas of information security in order to effectively hunt for previously unknown malicious activities. Having the necessary technical knowledge will help with accomplishing a variety of tasks during a threat hunt.
Digital Forensics and Incident Response (DFIR)
A threat hunter should be able to follow the same procedures as an incident responder when it comes to the collection and analysis of relevant artifacts. In some cases, when the available telemetry is not sufficient, a threat hunter might need to dig deeper into system-specific artifacts. Examples of that could be looking into UserAssist, Prefetch files or Jump Lists when searching for evidence of execution. The threat hunter should know how to collect and process these pieces of information. As in DFIR, the threat hunter is looking to reconstruct the timeline of events. The difference is that the trigger for a threat hunting operation is a hypothesis rather than observed activity such as an alert.
Nowadays, programming has become a must-have skill for threat hunters. It provides the freedom to create tools or scripts for parsing a large amount of data, analyzing artifacts, and automating the workflow. Python is one of the easiest and most commonly used languages for that purpose. Python is easy to learn and has an extensive collection of third-party libraries that can help speed up the development process.
It is very difficult to analyze and triage systems without knowing how they work. That includes understanding how they are installed and configured, and which artifacts (such as logs) they generate. An example of that would be knowing, at a high level, how Active Directory (AD) works.
AD is used in most corporate environments. It is a database that keeps information about objects like users and computers on the network and makes it easy for administrators and users to find and use them. A threat hunter should have a general idea of how AD works and what some of the common misconfigurations are.
A threat hunter should know how the information is flowing inside and outside of the network. They should also be familiar with a variety of common network protocols. Threat actors use different protocols to accomplish tasks, such as:
Command & Control
Exfiltration of data
A threat hunter should be able to read network traffic and extract information that will aid in their investigation.
Despite being on the blue side, threat hunters should get familiar with red teaming tools, especially the ones that threat actors use the most to leverage their access once inside the network. Most of these tools are free to use; therefore, threat hunters should understand how to use them and what artifacts they produce when used.
Kerberoasting, for example, is an attack that takes advantage of the Kerberos protocol to collect password hashes for Active Directory user accounts with servicePrincipalName (SPN) values. Rubeus is a tool that abuses the flaws in the Kerberos protocol. Threat hunters should be able to create an AD lab environment, set it up in a way that exposes the flaw in the Kerberos protocol, and use Rubeus against that environment. They can then look at the telemetry that was generated, such as network traffic, process execution activity, etc., and base their threat hunting queries on that activity.
The same principle as in the example above can apply to different attack scenarios.
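To make the "base your queries on the generated telemetry" step concrete, here is an added example (not code from the original post): a small Python hunt over constructed Windows Security Event ID 4769 (Kerberos service ticket request) records. It flags requests that used RC4 encryption (TicketEncryptionType 0x17), which stands out in environments that default to AES and is what Kerberoasting tooling typically asks for, and accounts that request many distinct SPNs within a short window. The flattened key=value log format and all account, host and SPN values are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769-style records (not real telemetry). Field names mirror the
# Windows event; the one-line "time key=value ..." layout is an assumption.
SAMPLE_LOG = """\
2022-06-01T10:00:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local:1433 TicketEncryptionType=0x12 IpAddress=10.0.0.5
2022-06-01T10:00:05 EventID=4768 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.5
2022-06-01T10:02:10 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local:1433 TicketEncryptionType=0x17 IpAddress=10.0.0.77
2022-06-01T10:02:11 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.77
2022-06-01T10:02:12 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=CIFS/files01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.77
2022-06-01T10:02:13 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=ldap/dc01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.77
2022-06-01T11:30:00 EventID=4769 TargetUserName=svc_backup@CORP.LOCAL ServiceName=CIFS/files01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.9
"""

def parse_4769(line):
    """Parse one 'time key=value ...' line; return None for blank lines or other event IDs."""
    parts = line.split()
    if not parts:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if fields.get("EventID") != "4769":
        return None
    fields["time"] = datetime.fromisoformat(parts[0])
    return fields

def hunt_kerberoasting(log_text, window=timedelta(seconds=60), spn_threshold=3):
    """Return (rc4_requests, bursting_accounts).
    rc4_requests: 4769 events whose ticket used RC4 (0x17), a common Kerberoasting signal.
    bursting_accounts: {account: distinct SPN count} for accounts that requested at least
    spn_threshold different SPNs within `window` (enumeration of roastable services)."""
    events = [e for e in map(parse_4769, log_text.splitlines()) if e]
    rc4 = [e for e in events if e.get("TicketEncryptionType", "").lower() == "0x17"]
    by_account = defaultdict(list)
    for e in events:
        by_account[e["TargetUserName"]].append(e)
    bursting = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # sliding window starting at each event
            spns = {e["ServiceName"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(spns) >= spn_threshold:
                bursting[account] = len(spns)
                break
    return rc4, bursting

if __name__ == "__main__":
    rc4, bursts = hunt_kerberoasting(SAMPLE_LOG)
    for e in rc4:
        print("RC4 ticket:", e["TargetUserName"], "->", e["ServiceName"], "from", e["IpAddress"])
    print("SPN bursts:", bursts)
```

In a real environment the same two checks are what you would baseline first: legitimate RC4 requests from legacy services (svc_backup above) are noise you tune out, while one account touching several SPNs in seconds is worth following up.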
As mentioned at the start, this is by no means a complete list, although these are some of the main core competencies that threat hunters should have. Threat hunting can be both a team game and a solo job. However, I find that I spend more time with my own thoughts than discussing the investigations with the team, and I prefer this style of work. Hence, being able to stand on our own feet throughout many hours of research, investigation, and analysis can help avoid the feeling of being lost.
By now, you know why threat hunting is a multidisciplinary field that combines soft skills with specialized technical knowledge. Threat hunters will generally have a unique mix of skills, traits, and experience that they bring to their role. Below, I put together some resources that helped me and hopefully, will help you too in your journey of becoming an awesome threat hunter.
Intrusion analysis reports:
There are other vendors with good content a Google search away; this is not a complete list.
Books
Practical Threat Intelligence and Data-Driven Threat Hunting
Intelligence-Driven Incident Response: Outwitting the Adversary
All of Sparc FLOW’s books (so fun)
Incident Response & Computer Forensics, Third Edition
There are many more, but the above are my favorite books I’ve read.
Security News: