
Threat Hunting Series: What Makes a Good Threat Hunter

Kostas
7 min readJun 27, 2022



This is the second post in the series. Before diving into the threat hunting process itself, it is worth addressing the skills and knowledge required to become a threat hunter. This article should help readers understand the areas they may need to work on to become excellent threat hunters.

Threat hunters need a certain level of skill and experience: experience to recognize patterns of suspicious activity, and skill to investigate each case. There are exceptions. Talented individuals with a strong desire to learn can also be a great investment for an organization, provided the team already has more experienced threat hunters who are willing to help and mentor those new to the field.

Human-centric threat hunting

Threat hunting is human-centric and cannot be entirely replaced by automation. A threat hunter always has to initiate the hunt from a hypothesis, or analyze the collected telemetry looking for suspicious activity. Some vendors claim they can automate threat hunting for their customers using machine learning (ML).

ML can be an important source of information for threat hunters, but it cannot replace the human-driven hunt. It can highlight outliers, for example through clustering analysis, and make the overall analysis easier. Threat hunters can take advantage of SOAR solutions or, better still, write their own tools for collecting and parsing data to support the analysis. Writing such tools requires programming knowledge, which is one of the attributes a threat hunter should have. Even with ML in place, attackers nowadays try to blend in by using legitimate administrative tools to achieve their objectives, and that activity is hard to separate from routine administration by statistics alone. This is what makes threat hunters essential in analyzing and identifying malicious activity.
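As an added example, not code from the original post, the following Python shows the kind of small, self-written tool the paragraph has in mind: it parses a handful of process-creation events, frequency-stacks them on parent/child pairs to surface rare combinations (the classic "stacking" hunt), and then applies a hunter's hypothesis (an Office application spawning a dual-use administrative tool) to the same data. The event schema, the field names, the sample events and the tool lists are all constructed assumptions for illustration, not any vendor's format or a real dataset. Note that the statistics alone only say "rare"; deciding whether the rare pair is malicious is still the hunter's job.

```python
import json
from collections import Counter

# Constructed sample telemetry (assumption): one JSON object per line in the
# shape of endpoint process-creation events. Not a real vendor schema.
SAMPLE_EVENTS = """
{"host":"ws01","user":"alice","parent":"explorer.exe","image":"outlook.exe"}
{"host":"ws02","user":"bob","parent":"explorer.exe","image":"outlook.exe"}
{"host":"ws01","user":"alice","parent":"explorer.exe","image":"winword.exe"}
{"host":"ws03","user":"carol","parent":"explorer.exe","image":"winword.exe"}
{"host":"ws02","user":"bob","parent":"explorer.exe","image":"winword.exe"}
{"host":"ws01","user":"SYSTEM","parent":"services.exe","image":"svchost.exe"}
{"host":"ws02","user":"SYSTEM","parent":"services.exe","image":"svchost.exe"}
{"host":"ws03","user":"SYSTEM","parent":"services.exe","image":"svchost.exe"}
{"host":"ws02","user":"bob","parent":"explorer.exe","image":"powershell.exe"}
{"host":"ws03","user":"carol","parent":"explorer.exe","image":"powershell.exe"}
{"host":"ws01","user":"alice","parent":"winword.exe","image":"powershell.exe"}
{"host":"ws02","user":"bob","parent":"explorer.exe","image":"cmd.exe"}
"""

# Hypothesis inputs (assumptions chosen for this example): Office parents and
# dual-use administrative tools that attackers commonly reuse to blend in.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "rundll32.exe", "mshta.exe"}


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        events.append(json.loads(line))
    return events


def stack(events, keys):
    """Frequency-stack events on the tuple of the given field names.

    Missing fields become empty strings so one malformed event does not
    abort the whole hunt.
    """
    return Counter(tuple(e.get(k, "") for k in keys) for e in events)


def rare_combinations(counts, threshold):
    """Return (count, combo) pairs seen at most `threshold` times, rarest first."""
    return sorted((c, combo) for combo, c in counts.items() if c <= threshold)


def hunt_office_spawning_admin_tools(events):
    """Hypothesis-driven filter: Office parent launching a dual-use admin tool."""
    return [
        e for e in events
        if e.get("parent", "").lower() in OFFICE_PARENTS
        and e.get("image", "").lower() in ADMIN_TOOLS
    ]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    counts = stack(evts, ("parent", "image"))
    print("Rare parent/child pairs (seen once):")
    for count, combo in rare_combinations(counts, 1):
        print(f"  {count:>3}  {combo[0]} -> {combo[1]}")
    print("Events matching the Office -> admin tool hypothesis:")
    for e in hunt_office_spawning_admin_tools(evts):
        print(f"  {e['host']} {e['user']}: {e['parent']} -> {e['image']}")
```

Stacking on the constructed data surfaces two rare pairs, explorer.exe launching cmd.exe and winword.exe launching powershell.exe. Only the second one matches the hypothesis, and even then the hunter has to pivot into the command line, the document the user opened and the host's history before calling it malicious; a frequency count cannot make that call.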

The skills and knowledge of a threat hunter

This section looks at some of the most important traits, skills, and knowledge a threat hunter should have. The list is by no means exhaustive, and it reflects personal views.

Positive personality…


Written by Kostas

I am a security researcher. My interests lie in #ThreatIntel, #malware, #IR & #Threat_Hunting. I either post here or at http://thedfirreport.com/
