A day in the life of a threat hunter

November 14, 2022

In the final entry of this series demystifying defensive cybersecurity roles, we turn our attention to threat hunting. Let’s get into what it is, what’s involved, and what it takes to make it as a successful threat hunter!

Note: Throughout this blog post series, we refer to certain cybersecurity skill sets as "roles." We’ve done this to ensure we cover all security roles and align with the functions of the Cybersecurity Framework and NICE Framework. Each organization may define these roles and responsibilities differently, and there can be many variations of specific title names.

What is threat hunting?

Threat hunting is the practice of proactively searching an organization’s systems, networks, and infrastructure for threats in order to sharpen the organization’s responses. Security professionals are responsible for protecting all of a company’s data and technical assets, like servers and computers, so a variety of safeguards need to be employed.

How does a threat hunter differ from other cybersecurity roles?

While a SOC analyst or incident responder may rely on automation for things like log monitoring and alerting to maintain system security, threat hunters take a more proactive approach.

“Cybersecurity and everything that we have to protect is so large. There's so much that you could just decide one day, ‘I'm going to go look into this and kick over some rocks and see what crawls out.’ And we certainly do that,” explains Spencer Astorga, Information Security Engineer at Pluralsight.

Security is always evolving, so even with safeguards to keep data in (and bad actors out), a sound security approach should also include these proactive practices. Uncovering bad actors as early as possible in their attack sequences allows the team to work on improving the speed and accuracy of their responses.

Being proactively proactive with Threat Hunt Thursdays

Every other week, Spencer and his team put aside dedicated threat hunt time to work together to uncover anomalies on Threat Hunt Thursdays.

“We just all get in a room together and decide on a topic, and we try to not only learn about it, but see what could be wrong in our own environments regarding that topic,” he explains. They dig around and see what kinds of things could crawl out as they methodically kick over rocks in the system.

“My favorite thing is getting into the weeds on something,” says Spencer. “Some of my favorite things about my job are the threat hunting pieces where me and the team just really get into something, and it's a puzzle. We're trying to figure it out, and eventually we come to a conclusion [and understand] that this is what we should do.”

What other tasks does a day in the life of a threat hunter include?

“I feel like most days are kind of different,” explains Spencer. A threat hunter doesn’t just stop at kicking over rocks. It’s also about applying those learnings to create a more secure environment.

Updating incident response plans

Threats are always evolving, so it’s necessary to keep response plans as up-to-date as possible. In addition to holding regular threat hunts that focus on a single topic, Spencer will review and update existing incident response plans. This involves reading documentation and comparing it with the organization’s current incident response. If something occurs, such as a breach, the organization will have the appropriate steps in place to remediate the situation.

Handling tasks on-call

Security is a round-the-clock concern, so the team will rotate on-call shifts. If you’re on call, you might look at and respond to emails and investigate alerts. In addition to dedicated Threat Hunt Thursdays, this is when Spencer does most of his threat hunting. “When I’m on call and managing the inboxes where I investigate every alert,” he says, “that's where I'm investigating threats and hunting there.”

Learning all the things

Being able to successfully uncover cybersecurity threats relies on understanding the system first. In addition to working on major projects and company initiatives to better secure the environment, Spencer dedicates time to studying for certifications and learning about the tools the organization is using or working to set up.

How to become a threat hunter

Start with your cybersecurity fundamentals! Certifications like the CompTIA Security+ will provide you with a good foundation to understand things like risk assessment and management, incident response, forensics, and more. As more companies shift to the cloud, getting versed in how AWS, Google Cloud Platform, or Microsoft Azure work, and how everything fits together, will help you become an effective threat hunter.

“Get certified in the software that's being used,” Spencer says. Understanding SIEM platforms is also a large part of threat hunting—organizations will often employ software like Splunk to handle the logging of many systems across a company. “That’s where a lot of the data is,” explains Spencer. So, knowing your way around these systems will make it a whole lot easier to spot when things are out of place.

Threat hunting skills for success

A thirst for knowledge

A big part of threat hunting involves leveraging knowledge of the systems you’re protecting. Senior members of a team may have tribal knowledge that allows them to look at something and say, “That looks odd. Let me look into that.”

Lean on the expertise of others and pick their brains for all that juicy knowledge! Dedicate yourself to continuous learning by diving into certifications, documentation, and hands-on practice rooting around in a system. The more you know, the better you’ll be able to defend your environment.

Empathetic communication

“One thing about security as a whole is that you are responsible for protecting [what] feels like everything in the company,” says Spencer. “But you're in charge of no one other than your own team. So a lot of what we are doing is working with other teams who we have no control over.”

You’ll constantly be asking others, “Pretty please, do this for us, and do it for security!” Communicating with purpose, and providing as much help as you can, is a must. Not every request will be actioned immediately, but the last thing you want is to have to go to someone’s boss to get them to do it.

Lastly, don’t be afraid to bring in some humor. Coming into someone’s DMs as a real person will prove more successful than coldly demanding or shaming someone into doing something you need.

Find out more about other defensive cybersecurity roles like SOC analyst, incident responder, and penetration and vulnerability tester in our other blogs that dig into a day in the life of defensive cybersecurity roles.