On The Hunt: A Sneak Peek Into Cyber Threat Hunting
Last year, the National Institute of Standards and Technology (NIST) recognized cyber threat hunting as an official discipline. A lot of what threat hunters do remains a mystery, so we sat down for a conversation with a cyber threat hunting professional, team leader Or Mauber, who has been at BrandShield for 18 months and was able to answer our burning questions.
Or explained the details of threat hunting, from the daily routine to the complex situations. But it is not just about these dry details. We were privileged to get a view of her approach to threat hunting and how important she feels it is for the whole team to communicate clearly and be on board with what is going on with individual clients.
This is a fascinating glimpse into a world most people are unfamiliar with!
The Day-To-Day Life of Threat Hunters
Let’s start with the basics. What does a typical day entail?
I start my day with a quick overview of the cyber threat hunting system, covering all the latest updates. Sometimes, the system indicates that a specific issue, like a new live phishing attack or a new impersonation, requires immediate attention. I devote a great deal of my day to client meetings where we discuss recent trends to keep everyone in the loop. Finally, I always set aside time for enforcement work which includes taking down websites, monitoring social media accounts, analyzing ad content, and more.
Speaking of enforcement, how do you divide your attention between detection and takedown?
Enforcement takes up about 60% of my time. Issues may arise in multiple areas, depending on the client’s field of work and business conduct. For example, launching a new product may lead to security threats that demand anti-phishing solutions, or entering an industry like cryptocurrency could expose the company to risk.
What would make you change a client’s threat-hunting strategy?
Company changes lead to strategy adjustments. New leadership might cause an increase in email phishing attacks, as attackers take advantage of new executives who are not yet familiar with company employees. This makes anti-phishing solutions a top priority.
New products are often accompanied by malicious ads, and an IPO that boosts the company’s visibility may also affect the strategy.
Do you deal differently with every client?
Yes. Each client demands specific modules that will eventually form the cyber threat hunting dashboard we work with. I look beyond the division of websites, apps, or social networks and examine personal C-level accounts, content, business goals, and more.
Diving Into Threat Hunters’ Work
What would happen if you stopped doing your work tomorrow?
We’d see a flood of fake social media accounts, phishing websites and emails. Companies would also experience the results of these attacks as they face PR crises and reputational damage. Threat hunters stay in touch with PR and Legal teams who feel the heavy impact of cybersecurity attacks.
Do you still perform any type of manual work?
Rarely. With our threat hunting tools, many actions are automated, but specific quick fixes may still be done manually. Automation helps us stay on top of everything and move much faster. Automated phishing solutions and connected antiviruses are essential in protecting against phishing attacks.
What percentage of your time is devoted to team guidance?
I strongly believe that keeping everyone informed is critical, even if certain members are not involved in a particular project. This information may prove valuable and relevant for their next project. Team training is an ongoing process, much like cybersecurity. My work as team leader is to ensure that everyone is fully synced and that I am aware of every step, checking and approving progress. Fortunately, being aware of many details and double checking work is one of the traits needed to succeed as a threat hunter.
What are these traits? Who would make a great threat hunter?
- Determination is vital. Cyber threat hunting never stops, and our phishing takedown service handles security issues around the clock.
- You have to be excited about the quest. John Collins, an analyst at Gartner, described it perfectly, saying that, "Threat hunters are like explorers and adventurers on a digital frontier. They're looking for trouble but in a good way."
- Threat hunters are also detail-oriented. Each case is different, and subtle nuances can reveal suspicious activity.
- Being able to handle the dynamic nature of the field is essential because there’s a difference between a trademark issue, copyright violation, and a phishing website.
- Prioritizing and analyzing the threat is another part of the job, as well as explaining the risk in a way that encourages involvement on the client’s end.
Cybersecurity Is a Case-By-Case Learning Process
Do you have any tips for clients who want their brand to stay protected?
Keeping track of every asset is challenging for companies, so I recommend ensuring that every trademark and registered number is documented.
Some companies don’t have a dedicated CISO, and we cover this position for them. Organizations that choose another executive who isn’t a trained security expert to handle this task should keep in mind that it will grow into something much bigger at some point. Don’t expect other departments like PR to take on this responsibility. Just because they handle the security-related crisis doesn’t mean they should be in charge of preventing it.
Can you share an exciting success?
A success story that comes to mind is a case we had of a manager at a large US crypto company. He was facing an unprecedented number of fake social pages, phishing emails, and other threats. We performed hundreds of takedowns and operated on multiple platforms simultaneously.
And in what situation might customers not be immediately on board with your recommendations?
Well, sometimes clients worry that a fake website might belong to a legitimate company, and we need them to trust our recommendations. Less than 1% of takedowns turn out to be real company websites, and we can help restore the information within days. When companies have multiple pages in many languages, mistakes might happen, but it’s extremely rare.
—
The work of threat hunters is challenging and fascinating. To harness this level of expertise and use it to your brand’s advantage, contact us and learn more about how BrandShield detects and removes threats. Start hunting for brand protection today.