Cybersecurity threat hunting is a hot topic these days, and it’s also a high priority for CISOs and business leaders alike. The accelerated deployment of more and more threats — as well as the increasingly sophisticated nature of those threats — has turned threat hunting into an essential capability for cybersecurity departments and their organizations.
This has led to a buildup in spending for threat hunting tools and services. One study predicts the global market for threat hunting software and services will exceed $13 billion by 2033; this represents a 10-year compound annual growth rate of 18.6 percent.[1] But as much as those numbers represent organizations’ willingness to make sizable investments in threat hunting technologies, there’s an even bigger initiative underway: Current and future security professionals must have the right skills and mindset to be successful threat hunters.
Focus More on People-Centric Defenses
CISOs, IT executives, and C-suite executives need to prioritize training, education, mentorship, and a commitment to continuous improvement in their threat hunting teams. As a SANS author and instructor specializing in ransomware and other threats, I’ve spent years in threat hunting and digital forensics and have tried to pass along what I’ve learned to others in this field. I’ve also presented at numerous cybersecurity community events and conferences, where I’ve engaged with peers and newcomers alike to help further organizations’ readiness and capabilities in threat hunting.
What have I learned that I find most important for cybersecurity professionals and their business stakeholders? Certainly, I’ve discovered and shared my insights on new and successful threat hunting tools and services, many of which have come from our Unit 42® team, and many others from a wide range of other sources.
But as important as these technical solutions are in our world, what’s more significant — and sometimes undervalued and overlooked — is understanding what it takes to be a strong threat hunter. A big part of being good at threat hunting is to learn from others. I’ve learned most of what I know today from colleagues, peers, mentors, and others. We all stand on the shoulders of giants, and there’s so much we can learn simply by talking with and observing the actions of those who have done this before. That’s certainly one thing I try to do with my colleagues inside and outside Palo Alto Networks.
You go to a conference or take a SANS course, and you are immediately struck by important new takeaways about threats and threat hunting, and you build on that. For instance, let’s say you come across a list of commands and there’s one you don’t understand. As an effective threat hunter, you need to take that one thing you don’t quite understand and keep pushing until it makes sense. That may sound like a technical requirement: You have to understand things like command lines so you can determine what the threat actors are trying to do when they run various commands and why they’re doing it. Beyond technology, you must be motivated to learn by asking questions, observing, challenging, and playing “what if” exercises. In essence, you have to put yourself into the head of a threat actor to understand their motivations, methods, and mindsets.
Another key area where cybersecurity professionals can improve their threat hunting will likely evoke a “really?” response for many of you: social media. Some of the craziest exploits and vulnerabilities emerge because of what’s posted on those platforms — because threat researchers, hackers, and cybercriminals are exceptionally proud of their work and can’t help but share it.
Leveraging Tools and Technologies
Many valuable methodologies and technical resources are at our disposal, such as open-source intelligence (OSINT) and closed-source threat intelligence feeds. Using all the tools, services, and technical resources available to you enables you to stay abreast of the changing threat landscape to keep pace with this ever-evolving creature called cybersecurity.
New threats emerge all the time, which means you are likely confronted with things you don’t quite understand and don’t necessarily have a well-thought-out playbook on how to analyze and confront the threat. When the Lumma Stealer malware emerged a few years ago, it quickly gained momentum with the bad guys because it was simple to execute. The developers who provided the methodologies used by the threat actors made it easy for them to gain initial access via a new form of social engineering to speed and simplify delivery of payloads.
Dealing with these sophisticated, yet easily acquired and deployed, threats requires a cybersecurity mindset that doesn’t rely exclusively upon new tools and playbooks, but on critical thinking. I like to do training exercises with security engineers where I show them a number of low-level technical screenshots of data movement and activity. Then, I ask them what they’re looking for and what they think they see. And the most important thing I try to instill in them — or hone if it’s already there — is getting in touch with how their brain processes information.
Pattern Recognition
Critical thinking and thinking outside the box are among the top skills threat hunters need when chasing down the sources, causes, and intents of emerging threats. You might not immediately realize it, but there are often discernible patterns you can recognize from prior instances of similar threats. And, because threat hunting is a team sport, keep in mind that someone else on your team or in your professional circle has likely seen something similar, which can open up new possibilities for solutions.
We do the same kinds of things when looking at threat hunting tools. Most important is the telemetry the tool provides to give us the broad and deep visibility we need to come up with answers and responses to new threats. It’s essential that these tools go beyond simply recording that a process ran or that a file was written. Instead, the right threat hunting tool — especially one in the hands of the right threat hunter with the right approach — looks at a wider array of issues. These might include when the process was run, the order in which commands were executed, or the overall parameters.
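The distinction drawn above, telemetry that records not just that a process ran but when and in what order, is illustrated by the following Python example, which is added here and is not code from the article or from Unit 42. It runs a hypothetical hunt over constructed process-creation events: the same three discovery commands count as a finding only when they appear in order, under one parent process, within a short window.

```python
from datetime import datetime, timedelta

# Constructed process-creation telemetry (sample data, not from the article).
# Each line: ISO timestamp, host, parent process, command line.
RAW_EVENTS = """
2024-05-01T09:00:01Z ws01 cmd.exe whoami
2024-05-01T09:00:03Z ws01 cmd.exe ipconfig /all
2024-05-01T09:00:07Z ws01 cmd.exe net user
2024-05-01T09:15:00Z ws02 cmd.exe ipconfig /all
2024-05-01T10:30:00Z ws02 cmd.exe whoami
2024-05-01T13:00:00Z ws02 cmd.exe net user
"""
# Hypothetical hunt: three discovery commands, in this order, under one parent,
# within a short window. Each alone is routine; the ordered burst is the signal.
DISCOVERY_CHAIN = ("whoami", "ipconfig", "net user")

def parse_events(text):
    """Parse raw lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, cmd = line.split(maxsplit=3)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "parent": parent, "cmd": cmd})
    return sorted(events, key=lambda e: e["time"])

def find_ordered_chains(events, chain, window):
    """Return (host, parent, first_time, last_time) for each run of `chain`
    seen in order, under the same parent process, within `window`."""
    by_parent = {}
    for e in events:  # group per host and parent, preserving time order
        by_parent.setdefault((e["host"], e["parent"]), []).append(e)
    hits = []
    for (host, parent), evs in by_parent.items():
        for start, first in enumerate(evs):
            if not first["cmd"].startswith(chain[0]):
                continue
            step = 1
            for e in evs[start + 1:]:
                if e["time"] - first["time"] > window:
                    break  # too spread out in time to be one burst
                if e["cmd"].startswith(chain[step]):
                    step += 1
                    if step == len(chain):
                        hits.append((host, parent, first["time"], e["time"]))
                        break
    return hits

def hunt(text=RAW_EVENTS, window_minutes=2):
    return find_ordered_chains(parse_events(text), DISCOVERY_CHAIN, timedelta(minutes=window_minutes))
```

Host ws02 ran all three commands but out of order and hours apart, so it never matches, even with a very wide window.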
It’s about looking at the big picture. And that requires a different approach by threat hunters who are looking to identify, block, and clean out threats at scale. By combining great tools, highly focused services, critical thinking, and a commitment to collaborative problem-solving, organizations can stop chasing threats and start creating an environment where threats are quickly and reliably spotted and squelched.
Want to hear more from Ryan? Check out his Threat Vector podcast.
1 “Threat Hunting Market Outlook (2023-2033),” Future Market Insights, July 2023.