What Makes a Good Threat Hunter?

What makes a good Threat Hunter? My answer may not be what you expect.

Phillip Kittelson | 24 Jul 23 | 3 min read

I attended an industry conference not too long ago, and took special interest in a breakout session on threat hunting, especially since I just moved into a position at my company on the threat hunting team for a client. The speakers gave exceptionally good talks about threat hunting; however, I took notice of one theme: the impression you had to be “X” to be a good threat hunter.

What the “X” was largely depended on the speaker, but I heard things like: to be a good threat hunter, you need to have the background of a network engineer. Or: to be a good threat hunter, you need to have a solid understanding of computer networks. There were a few more examples, but they largely concentrated on a deep understanding of computer networks alone.

If being a network engineer were the litmus test for being a threat hunter, I’ll tell you right now: I wouldn’t make the cut. And I’m on a team right now as a threat hunter.

I’ve had time to think about this talk, and I’d like to play devil’s advocate: sure, you can have some cross-training going on, but if you had an entire threat hunting team of just network engineers, what happens when the artifacts you need to find and investigate are Windows Registry hives? Or Linux logs? Even within operating systems, most system administrators specialize in one or the other. It’s rare to find an excellent system administrator who is a subject matter expert in both Windows and Linux administration.

When it comes to forming teams, across a wide range of businesses, industries, and even government, we learn to bring on people whose skills and experiences complement the people on our existing team or fill in skill gaps. It’s how you might identify the need for a professional project manager, or for someone with a teaching background to develop a training and certification program. When it comes to IT, cybersecurity, and in this specific instance threat hunting, we throw that widespread practice right out the window.

The purpose of diversity is not so I can look across the table at a face dissimilar to mine; diversity is supposed to surround me with team members who complement me or help fill in areas where I may be weak. It brings in people who don’t think like me, who may be able to see things from a different angle.

When I transitioned from my first job in cybersecurity, mostly working in governance, to a SOC analyst position, I identified issues with users downloading unauthorized browser extensions. As someone who understood Security Technical Implementation Guides (STIGs) and knew what policies and controls we had in place, I knew what authority to reference when telling a user they could not use the extension.

A well-rounded threat hunting team (or any cybersecurity team, in reality) is a team which can find and investigate threats across a wide variety of infrastructures, operating systems, and technologies. That team should include people of diverse backgrounds, perspectives, and skill sets, while leveraging each individual’s deep skills and expertise. If you’ve ever studied for, or hold, the Project Management Professional (PMP) certification, you may recall that these people are referred to as “T-shaped.”

A T-shaped person develops some broad or complementary skills to help contribute to the team; however, they do not lose their defined and recognized specialization or primary role. The same is true for a threat hunter, who should have a basic understanding of the different concepts involved in cybersecurity but should also have some niche specialization.

With that, I’ve taken on the task of finding and publishing a curated threat hunter training resource. I have a working list published in my Curated Training page.
