To thwart cyberattacks, threat hunters rely on baseline corrective actions, proactivity over reactivity, and separating legitimate tools from illegitimate uses.
“A day in the life of a threat hunter” is a bit of a misnomer because it implies a pattern to our 9-to-5 routines. In reality, there isn’t much of a pattern. A threat hunter’s day-to-day is rife with unpredictability. One day it may be a hospital system breached by a ransomware gang. The next it might be a nation-state coordinating a cyber assault across government agencies. On another day we might be called in to investigate cyberattacks on universities, law firms, or entire cities and counties, perpetrated by all manner of entry-level and sophisticated attackers.
From day to day, the adversaries that threat hunters face, the environments we investigate, and the tactics, techniques and procedures (TTPs) we look for vary wildly. What doesn’t vary, though, are some key bedrock, guiding principles that threat hunters, security teams and managed service providers (MSPs) have to rely on to thwart cyberattacks and eject threat actors from clients’ networks. Here are three measures that allow threat hunters to inject some reliability, consistency and predictability into their otherwise unpredictable day.
No two attackers are the same, no two breaches or ransomware attacks are the same, and no two client environments are the same. Each situation requires a uniquely tailored approach to thwarting an attacker, cleaning out the environment and preventing another breach from occurring.
But tailoring the approach also means working off a baseline level of corrective actions–steps that must be taken each time to ensure threat hunters are both correctly assessing the breach and flushing out attempts at another one in the future. These include:
When MSPs are determining their next steps for investigating a client’s environment, ejecting all traces of attacker activity and fortifying defenses for the inevitable next attempted breach, the above should form the backbone of any adequate response.
Incident response teams investigate environments that have been breached or compromised by attackers. Their work is largely reactive and retroactive. This is complementary to the threat hunter’s approach, which by design must be proactive: analyzing the day-to-day numbers to find data abnormalities that might indicate
Session expired
Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.