To thwart cyberattacks, threat hunters rely on baseline corrective actions, proactivity over reactivity, and separating legitimate tools from illegitimate uses.
“A day in the life of a threat hunter” is a bit of a misnomer because it implies a pattern to our 9-to-5 routines. In reality, there isn’t much of a pattern. A threat hunter’s day-to-day is rife with unpredictability. One day it may be a hospital system breached by a ransomware gang. The next it might be a nation-state coordinating a cyber assault across government agencies. On another day we might be called in to investigate cyberattacks on universities, law firms, or entire cities and counties, perpetrated by all manner of entry-level and sophisticated attackers.
From day to day, the adversaries that threat hunters face, the environments we investigate, and the tactics, techniques and procedures (TTPs) we look for vary wildly. What doesn’t vary, though, are some key bedrock, guiding principles that threat hunters, security teams and managed service providers (MSPs) have to rely on to thwart cyberattacks and eject threat actors from clients’ networks. Here are three measures that allow threat hunters to inject some reliability, consistency and predictability into their otherwise unpredictable day.
1. Clean out the web of intrusion in a client’s environment.
No two attackers are the same, no two breaches or ransomware attacks are the same, and no two client environments are the same. Each situation requires a uniquely tailored approach to thwarting an attacker, cleaning out the environment and preventing another breach from occurring.
But tailoring the approach also means working off a baseline level of corrective actions: steps that must be taken each time to ensure threat hunters are both correctly assessing the breach and flushing out attempts at another one in the future. These include:
- Blocking attacker commands and C2 communications that may occur after the initial breach
- Conducting login audits that entail disabling and removing access privileges for each compromised account on a network
- Deploying tools like Sophos Intercept X to isolate hosts from the environment
- Eliminating malicious processes and systems that have been left behind on compromised machines or networks, and may be used as backdoors for future attacks
When MSPs are determining their next steps for investigating a client’s environment, ejecting all traces of attacker activity and fortifying defenses for the inevitable next attempted breach, the above should form the backbone of any adequate response.
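The baseline actions above translate into a short, repeatable triage pass over the evidence collected during the investigation: which accounts authenticated from attacker-controlled sources (login audit), which hosts reached a known command-and-control destination (C2 blocking), and therefore which hosts need to be isolated and swept for leftover processes. The following script is an added example, not code from the original article or from Sophos; the log lines, the attacker source address and the C2 destination are all constructed for illustration, and the key=value log format is an assumption chosen to keep the parser short.

```python
"""Response-plan triage from constructed auth and connection logs.

Added example (not from the original article). Given the indicators an
investigation has established (attacker source IPs, C2 destinations), it
produces the baseline corrective actions: accounts to disable, hosts to
isolate, destinations to block, and hosts to sweep for persistence.
"""
from collections import defaultdict

# Constructed sample data; addresses are documentation ranges (RFC 5737).
AUTH_LOGS = [
    "2024-05-01T02:13:05Z host=FS01 user=jsmith src=203.0.113.45 result=success",
    "2024-05-01T02:14:10Z host=FS01 user=svc_backup src=203.0.113.45 result=success",
    "2024-05-01T08:30:00Z host=WS17 user=alee src=10.0.0.23 result=success",
    "2024-05-01T02:20:44Z host=DC01 user=administrator src=203.0.113.45 result=failure",
    "2024-05-01T02:21:02Z host=DC01 user=administrator src=203.0.113.45 result=success",
]
CONN_LOGS = [
    "2024-05-01T02:30:00Z host=FS01 dst=198.51.100.7:443 proc=powershell.exe",
    "2024-05-01T02:30:05Z host=WS17 dst=93.184.216.34:443 proc=chrome.exe",
    "2024-05-01T03:00:00Z host=DC01 dst=198.51.100.7:443 proc=rundll32.exe",
]
# Indicators established during the investigation (constructed values).
ATTACKER_SOURCES = {"203.0.113.45"}
C2_DESTINATIONS = {"198.51.100.7"}


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict (timestamp under 'ts')."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for item in fields:
        key, _, value = item.partition("=")
        record[key] = value
    return record


def compromised_accounts(auth_logs, attacker_sources):
    """Login audit: accounts that authenticated successfully from an
    attacker-controlled source, mapped to the hosts they reached.
    Failed attempts are deliberately excluded; they are noise for this list."""
    hits = defaultdict(set)
    for rec in map(parse_line, auth_logs):
        if rec.get("src") in attacker_sources and rec.get("result") == "success":
            hits[rec["user"]].add(rec["host"])
    return {user: sorted(hosts) for user, hosts in hits.items()}


def c2_contacts(conn_logs, c2_destinations):
    """Hosts that reached a known C2 destination, with the responsible process."""
    hits = defaultdict(set)
    for rec in map(parse_line, conn_logs):
        dst_ip = rec.get("dst", "").rsplit(":", 1)[0]  # strip the port if present
        if dst_ip in c2_destinations:
            hits[rec["host"]].add((dst_ip, rec.get("proc", "?")))
    return {host: sorted(pairs) for host, pairs in hits.items()}


def build_response_plan(auth_logs, conn_logs, attacker_sources, c2_destinations):
    """Combine the audits into the baseline corrective actions."""
    accounts = compromised_accounts(auth_logs, attacker_sources)
    contacts = c2_contacts(conn_logs, c2_destinations)
    # Isolate every host the attacker logged into or that beaconed out.
    hosts = set(contacts)
    for reached in accounts.values():
        hosts.update(reached)
    return {
        "block_destinations": sorted(c2_destinations),
        "disable_accounts": sorted(accounts),
        "isolate_hosts": sorted(hosts),
        # Same hosts get swept for leftover processes and backdoors.
        "sweep_for_persistence": sorted(hosts),
        "evidence": {"accounts": accounts, "c2_contacts": contacts},
    }


if __name__ == "__main__":
    plan = build_response_plan(AUTH_LOGS, CONN_LOGS, ATTACKER_SOURCES, C2_DESTINATIONS)
    for action, items in plan.items():
        print(f"{action}: {items}")
```

On the sample data the plan disables jsmith, svc_backup and administrator, isolates FS01 and DC01, blocks 198.51.100.7, and leaves alee and WS17 alone because their activity matched no indicator. In a real engagement the indicator sets would come from the investigation rather than constants, and the output would feed the ticketing or EDR workflow that carries out each step.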
2. Practice proactivity over reactivity.
Incident response teams investigate environments that have been breached or compromised by attackers. Their work is largely reactive and retroactive. This is complementary to the threat hunter’s approach, which by design must be proactive: analyzing the day-to-day numbers to find data abnormalities that might indicate