Job profile: Threat hunters stop cyberattacks before they can happen
This feature first appeared in the Spring 2021 issue of Certification Magazine.
When people think “Texas,” it automatically conjures up images of the Alamo, cowboys with Stetson hats, Lone Star Beer, desert lights, open skies, bluebonnets, rivers and wineries, NASA, and some of the best BBQ and live music venues in the United States. Texas also has its own mini-Silicon Valley (predominantly the Austin and Dallas areas) and is second only to California as a technology employer.
It is also — little known fact — the largest producer of meat goats in the United States. (Goat meat, more commonly called “chevon” in the United States, is a staple food largely outside North America, so most of the meat from meat goats is exported.) I know this because I happen to own a ranch in the Meat Goat Capital of Texas (yes, there really is such a place).
Goats and sheep mean lambs and baby goats, which means a corresponding (and correspondingly large) predator problem. Coyotes and big cats (no, not domestic “Here kitty-kitty” housecats but BIG cats such as bobcats and mountain lions, also called cougars) are a persistent threat, costing ranchers millions of dollars in lost livestock annually.
Right about now, you might be wondering what Texas and meat goats have to do with cybersecurity in general, and threat hunting in particular. It’s simple. Combatting the growing predator population takes a special breed of hunter.
To do the job right, one must not only know and understand the habits of the predators one seeks, but must also possess key skills and knowledge. A successful hunter has to both defend against predator attacks and come up with innovative ways to proactively track large predators and prevent attacks before they can happen.
In the same way that ranchers look to this special breed of hunter to prevent attacks on livestock, businesses look to threat hunters — an emerging breed of cybersecurity specialist — to proactively seek out cybersecurity threats. A good threat hunter can prevent a problem from blossoming into an economic disaster with negative repercussions for organizations and businesses alike.
What does a threat hunter do?
The title “threat hunter” is still a relatively new designation in cybersecurity circles. As you research this career path, you might encounter some minor differences of opinion from various businesses, vendors, market analysts, suppliers, and certification providers regarding exactly what a threat hunter does.
Don’t let this deter you from exploring this awesome career! Any time a new career path develops to meet emerging challenges, there is always room for refining requirements as the new technology or challenge evolves.
One of my brothers is an absolute cybersecurity genius. I used to think that the character of Spock from Star Trek was patterned after him as he had a special mind meld with computers and an intuition about security long before “cybersecurity” became a household word. He eventually ended up working in an unknown capacity for the United States government.
We never knew specifically what he did — because, naturally, he would have had to kill us if he’d told us. What he was able to share was that, among other things, he actively sought out and looked for new and emerging threats and stopped them before they occurred. Long before the label was coined, he was a cyber threat hunter. Cybersecurity threat hunters take the role of cybersecurity analyst to a new level.
Cybersecurity analysts, typically working in a security operations center (SOC), defend the organization against threats and perform tasks such as monitoring network and endpoint activity, triaging the alerts that monitoring tools raise, applying security patches, and, in some roles, conducting penetration testing.
Threat hunters, on the other hand, work proactively rather than reactively. Instead of waiting for an alert to fire on a known attack pattern, they assume that an adversary may already be inside the environment and go looking for the evidence: the advanced intrusions that, left to automated detection alone, can sit undiscovered for weeks or months.
Threat hunting is still defensive work; hunters do not attack the adversary. What they do is find the attacker’s foothold and cut it off before it turns into data theft, ransomware, or another business-impacting outcome. That is no small feat. After all, how do you find an intrusion for which no alert has fired and no obvious warning sign or indicator exists?
To accomplish this seemingly daunting task, threat hunters start from a hypothesis (for example, “a phishing victim’s Office document spawned a command shell” or “an implant is calling home on a fixed timer”) and then use a variety of tools and techniques to search the organization’s telemetry for that behavior and contain it before it has an opportunity to take root in organizational systems, networks, and databases.
Common threat hunting tools and techniques include security monitoring tools, endpoint detection and response (EDR) agents, Security Information and Event Management (SIEM) solutions, statistical analysis software (such as SAS or other software that searches for data anomalies), and intelligence analysis software.
Keenly analytical, threat hunters comb the data these tools gather for unusual behavior patterns that may signal a cybersecurity problem: a process launched by an unexpected parent, a logon at an odd hour, an outbound connection that repeats on a suspiciously regular schedule. Supporting tools and techniques let hunters collect the data, surface hidden patterns, anomalies, and relationships across hosts and environments, and pivot from one suspicious event to the rest of the intrusion. Based on that analysis, threat hunters can identify and mitigate the threat before it does damage, and turn each confirmed finding into a new automated detection so the next occurrence is caught without a hunt.
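To make the two hunting techniques described above concrete, here is a small Python example. It is added to this article as an illustration and is not code from the magazine or from any vendor product; the process-creation events and proxy records it searches are constructed for the example (203.0.113.10 is a documentation address), and the thresholds (a pair is “rare” if seen on one host; a connection series is “beacon-like” if its timing jitter is under 10 percent) are assumptions a real hunter would tune to their environment.

```python
"""Two hypothesis-driven hunts over constructed telemetry (added example).

Hunt 1 (stack counting): which parent->child process pairs are rare across
the fleet?  Hunt 2 (beaconing): which host->destination pairs connect on a
suspiciously regular timer?  All data below is constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed process-creation events: (host, parent_image, child_image).
PROCESS_EVENTS = [
    ("ws01", "explorer.exe", "chrome.exe"),
    ("ws02", "explorer.exe", "chrome.exe"),
    ("ws04", "explorer.exe", "chrome.exe"),
    ("ws03", "explorer.exe", "outlook.exe"),
    ("ws01", "services.exe", "svchost.exe"),
    ("ws02", "services.exe", "svchost.exe"),
    ("ws03", "services.exe", "svchost.exe"),
    ("ws04", "services.exe", "svchost.exe"),
    ("ws02", "winword.exe", "powershell.exe"),  # hypothesis: macro -> shell
]

# Constructed proxy records: (timestamp_seconds, src_host, destination).
# 203.0.113.10 is a documentation address (TEST-NET-3), not a real server.
PROXY_EVENTS = (
    # ws02 calling the same destination roughly every 300 s (beacon)
    [(t, "ws02", "203.0.113.10") for t in (0, 302, 598, 901, 1199, 1502, 1800)]
    # ws01 browsing example.com at irregular, human-driven times
    + [(t, "ws01", "example.com") for t in (10, 25, 400, 405, 1300, 1310, 1700)]
    # ws03 hitting an update server only three times: too few to judge
    + [(t, "ws03", "updates.example.net") for t in (100, 3700, 7300)]
)


def stack_parent_child(events, max_hosts=1):
    """Hunt 1: long-tail analysis of parent->child process pairs.

    Counts the distinct hosts on which each pair was observed and returns the
    pairs seen on at most `max_hosts` hosts.  Rare is not the same as
    malicious: the analyst still has to triage each hit.
    """
    hosts_by_pair = defaultdict(set)
    for host, parent, child in events:
        hosts_by_pair[(parent, child)].add(host)
    return sorted(
        (pair, sorted(hosts))
        for pair, hosts in hosts_by_pair.items()
        if len(hosts) <= max_hosts
    )


def find_beacons(events, min_connections=6, max_jitter=0.1):
    """Hunt 2: periodic outbound connections.

    For every (src, dst) pair with at least `min_connections` records, compute
    the gaps between consecutive connections.  A low coefficient of variation
    (standard deviation / mean of the gaps) means the timing is machine-
    regular; human browsing is bursty and scores far higher.
    Returns [((src, dst), mean_gap_seconds, jitter), ...].
    """
    times = defaultdict(list)
    for ts, src, dst in events:
        times[(src, dst)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # not enough samples to call it periodic
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        jitter = pstdev(gaps) / mu  # coefficient of variation of the gaps
        if jitter <= max_jitter:
            hits.append((key, round(mu, 1), round(jitter, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for pair, hosts in stack_parent_child(PROCESS_EVENTS):
        print(f"rare process pair {pair[0]} -> {pair[1]} on {hosts}")
    for (src, dst), gap, jitter in find_beacons(PROXY_EVENTS):
        print(f"possible beacon {src} -> {dst}: every {gap}s, jitter {jitter}")
```

Run as-is, the first hunt returns two rare pairs: explorer.exe launching outlook.exe (benign, a single user who happens to run Outlook) and winword.exe launching powershell.exe (the macro-to-shell pattern the hypothesis was looking for). That is the point of stacking: it shrinks the haystack to a handful of rows a human can judge, it does not judge them. The second hunt flags only ws02 talking to 203.0.113.10, with a 300-second mean gap and under 1 percent jitter; the browsing series is rejected by its irregular timing and the update-server series by having too few samples. A hunter who confirms the finding would then pivot on ws02 and on that destination across the rest of the telemetry, and write the two behaviors into the SIEM or EDR as standing detections.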
Education and background
Ideally, IT security professionals interested in pursuing a career as a threat hunter should possess a bachelor’s degree or higher in a computer-related field such as programming, information systems, computer science, or cybersecurity. Some companies may require an advanced degree such as a Master of Engineering in Cybersecurity.
Practical skills are also an essential component of becoming a successful threat hunter. Candidates should be well-versed in a variety of security-focused topics such as cryptography, endpoint security, security operations, malware reversing, network and system security, forensic science, and intelligence and data analysis.
Understanding operating systems and network protocols is also a must-have skill, along with practical programming skills in at least one scripting language. Potential threat hunters should also possess a solid understanding of current and past attack methodology, and common malware methods, along with tactics, techniques, and procedures (TTPs).
It’s also helpful to possess a general knowledge of business operations along with some project management skills. Technical writing and reporting skills are also essential.
Certifications can also be a great way to fill in knowledge gaps and ensure that your skills are up to date. I conducted a Google search to see what types of threat hunting certifications are available and the choices (which are too numerous to mention) range from informational or general training to vendor-neutral certifications and credentials geared to specific vendor products or industry sectors.
By way of example, CompTIA offers four vendor-neutral certifications — Network+, Security+, Cybersecurity Analyst (CySA+), and CompTIA Advanced Security Practitioner (CASP+) — which aspiring threat hunters may find useful.
The Information Assurance Certification Review Board (IACRB) offers the Certified Cyber Threat Hunting Professional (CCTHP) credential, which is geared to expert-level professionals with demonstrated skills in cyber threat identification and threat hunting.
Other interesting threat hunter certifications include InfoSec Institute’s Certified Cyber Threat Hunting Professional and GIAC’s Cyber Threat Intelligence (GCTI) credential. You’ll also find that many vendors offer cyber threat hunting webinars, white papers, and specialized training that dovetails with their product and service offerings.
Regardless of the certification or training provider you choose, look for threat hunting credentials that define threat hunting and its overall goals. Worthwhile certs should also cover common threat hunting methodologies and techniques, approaches to hunting for network- versus host-based cyber threats, and available threat hunting tools and technologies.
Industry growth and salary
The U.S. Bureau of Labor Statistics does not yet have a separate job classification for cybersecurity threat hunters. When searching for cybersecurity threat hunters, BLS refers you to information security analysts.
As compared to overall U.S. employment projections, this field is smoking hot with a projected 31 percent job growth rate between 2019 and 2029. This is much higher than the national average. By comparison, the projected job growth rate for all U.S. job roles combined for the same time period is just 4 percent.
You’ll find that potential earnings are quite lucrative. BLS reported a median annual wage of almost $100,000, but the earning potential can be much higher. A search of a common job board site yielded the following:
A Texas-based cybersecurity consulting firm seeks a threat hunter to fulfill a threat researcher position; salary quoted as $130,000 to $150,000 annually.
A Virginia cloud AI company seeks a cyber threat analyst; salary quoted as $100,000 to $130,000 annually.
A New York healthcare firm seeks a lead cyber threat hunter engineer; salary quoted as $120,000 to $160,000 annually.
Is threat hunting right for me?
Do you possess an analytical mind? Do you like to solve problems and innovate? Win at chess and outthink your opponent? Does the thought of outmaneuvering malefactors to prevent attacks from occurring rank right up there in your mind with winning the Super Bowl? Are you a cybersecurity analyst who would like to take your career to the next level?
If you answered yes to any of these questions, then cybersecurity threat hunting just might be the career for you. Happy hunting!