I used to be in charge of interviewing candidates for a threat hunting position several years ago. I was one of the few managers who conducted individual interviews with each applicant before making recommendations. Some interviewers concentrated on knowledge-based questions, such as where the SHIM cache is, what file stores user passwords in a Windows environment without domain joining, what shellbags are, etc. Others concentrated on the person’s personality, such as what they wanted to do, how they worked with teams, what their biggest mistake was, etc.
I however focused on the applicant’s mindset. Did this individual think like a threat hunter. See it’s easy to teach people knowledge. I can teach someone what a SAM file is, or which Registry Hive keys are frequently used to establish malware persistence; however, it’s challenging to instruct someone how to think like a threat hunter. This is why, when conducting interviews, I would only ask one question. I was certain that this one inquiry would reveal whether or not someone was capable of thinking like a threat hunter (or at the very least, was willing to learn how to think like one).
I can now share this question and explain why I thought it was so helpful because I’m no longer a hiring manager and I’m not revealing the name of the company.
When conducting interviews, I would show interviewees this network map and ask them to describe their threat-hunting strategy for looking for an unauthorized adversary within the network. I would add some more disclaimers, specifically that they would be working with Security Onion and could only install two sensors in the network.
I chose Security Onion because it is an open-source tool that is vendor-neutral and because it is a reliable tool that I have used in hunts. I would caution applicants, though, that this wasn’t a test of their familiarity with Security Onion, and it’s okay if they weren’t aware of all of its features; I can explain them.
The beauty of this question is that there is no correct response. There are many right answers and many wrong answers, but there isn’t just one that’s right. Therefore, I’ll discuss some of the methods for answering this question rather than attempting to explain the correct response.
When getting ready to hunt on a new network that you are unfamiliar with, this is possibly the best course of action to take. I’m going to make a reference to my time in the military here. Key Terrain is a subject that is covered in a military doctrine. Any terrain that gives a combatant an advantage is referred to as Key Terrain in Army doctrine. Key Terrain Cyberspace (KT-C) is a concept that is still in its early stages of development, but it is crucial to comprehend.
If you are unfamiliar with the network, where should you begin your search? Well, you need to know which network components are crucial to business operations. You should begin hunting in what is known as the Key Terrain.
Take a look at our network here. Its main duties as a warehouse are to import goods, store them, and then ship them out upon demand. This is the Warehouse’s main purpose (to use more military terminology). The warehouse requires certain items in order to complete this mission. The SQL server, which keeps track of all the moving items, and the wireless network, which powers the handheld scanners, are two examples of things needed for the warehouse to run.
Knowing this important terrain suggests that we position one of our sensors in a spot where we can access the SQL server for data collection.
I withhold any of this data up front because I want to gauge an applicant’s mentality. Do they deploy sensors right away, or do they first try to understand the key terrain and mission requirements of the business they’re hunting?
These interviews were back-and-forth discussions, so if a candidate spent the entire time asking questions about the important topics, I would view that as a success and would consider inviting them back for the next round of interviews.
The adversary-centric approach, also known as the adversary course of action (COA), was another strategy that I found appealing. In this strategy, the applicant would design a potential adversary’s course of action before deploying sensors in a spot where they could pick up the COA they came up with.
This strategy disregards KT-C, but that isn’t always a bad thing. Think again about our warehouse example. Although handheld scanners may be KT-C, they may not necessarily be relevant to the hunt because it is relatively unlikely that the adversary will obtain malware on them. This is referred to as Mission Relevant Terrain Cyberspace (MRT-C). Do you spend time trying to monitor a handheld scanner or do you concentrate on things more relevant to what an adversary can actually do? What equipment in your network is relevant to the mission?
Look back at our network map. These computers are linked to the public internet instead of the company’s private intranet; however, the router is set up incorrectly, allowing the break room subnet to communicate with the rest of the intranet (something I would explain to the applicant if they inquired about the router’s setup).
The applicant might recognize that the break room computers (which have open access to the internet) are a weak point an adversary might use to gain initial access by using an adversary-centric approach. That applicant may have hypothesized that a warehouse worker would open a phishing email during a break and download malware to the computer in the break room. The applicant might then speculate that an attacker would use high success exploits like EternalBlue to attack some of the company’s more vulnerable systems by using exploitation for lateral movement.
In accordance with this theory, the applicant would then position their sensors in a position to detect lateral movement between the break room subnet and another system, such as the SQL server.
This approach would also be acceptable to me, and a candidate who adopted it would be requested to return for additional interviews with the team.
With this strategy, a candidate would first try to comprehend what equipment they have access to and what capabilities it has. Additionally, they would try to determine what intrinsic capabilities are already present in the environment and how much those capabilities are being used.
Look at our map; the main router is a pfSense. The capabilities of a pfSense router include Zeek IDS, Snort and Suricata IDS/IPS, and pfBlockerNG-devel. What about the switches, they’re Ubiquiti Enterprise switches, which means they’re managed switches, are they installed, are they configured, and how are they configured? Do the switches have a SPAN port configuration that sends traffic to a collector?
An applicant employing this strategy would seek out areas with coverage gaps for their sensors to be placed. They would try to make use of the capabilities already present in the environment before adding sensors in places where the capabilities are either lacking or insufficient.
The data-driven approach is the final strategy I want to discuss. I may not have given much information about the network, as you may have noticed. I deliberately provided very little information because some of the circumstances I’ve encountered make it unfortunate. My team will be hunting on a network in a week, and we were only given a map with no other information to help us plan our hunt.
What were the ACLs on the Router? How are the VLANs configured? How secure is the Wireless? Do the end points have a host-based security suite on them? What is their patch level? What about EDRs? What OSes and what versions are in the environment? How long is log storage? Do the systems have a DLP policy that blocks USB? What software is running on the systems? When was that software last patched? And there are still more questions.
Each of these inquiries is crucial and has the potential to significantly alter how a hunt team prepares for and deploys in a network. If I am aware that the endpoints have a DLP tool that blocks USBs, I might not need to concentrate my efforts on looking for USB malware artifacts.
An applicant who begins exploring the network in this manner is probably going to make a good hunter because they can start removing concerns for the hunt team.
I focused on these approaches specifically for two reasons. First, because I want a hunter to use all four of these strategies concurrently, consistently, and on every hunt they participate in When I was training, I used to walk my analysts through these methods.
The second reason is that a strong framework is more crucial than a long list of details. Threat hunting has taught anyone that you can’t just “find bad.” A single computer might allow you to investigate, pull all the event logs, and scroll through them until you locate malicious activity. Even though it isn’t effective, it can still be used (I did it when I first started). However, this method will be completely unusable in a network of even just 5 computers.
I’ll say that again. It is ineffective to simply deploy sensors, collect data, and hope to find problems. The advantages of being able to delve deeper and truly comprehend the applicants through the process are also provided by this question for me.
I can explore each of these methods further to learn more about how they think. Consider a scenario in which the applicant wishes to install one of their two sensors at the switch connecting the HR subnet to the main network. If the applicant replies that they intend to deploy the sensor in-line, I will ask them, “What considerations do you need to make when deploying in-line?” If they reply otherwise, I will ask, “How do you plan to deploy that sensor?”
I’m looking for the applicant to take into account that doing so will require briefly taking a portion of the network offline to deploy the sensors. Many network owners, I’ve discovered, don’t like the idea of you shutting down a section of their network for even a few minutes to install equipment.
When a candidate realizes this, they will need to devise a different strategy to obtain the same information. Commonly that would be SPAN porting the switch. If the applicant says that, I’ll ask what factors they need to take into account when using a SPAN port. I’m anticipating responses like how the network’s overall bandwidth might be higher than the speed of a single SPAN port, which could lead to dropped packets.
These inquiries can continue indefinitely until we run out of time or the applicant is unable to respond any longer. Although these in-depth inquiries aren’t strictly necessary, they provide a good indication of how strategically the applicant thinks. A good hunter will likely be able to navigate through these factors, but many of them are learned through experience, so a person who is unable to respond isn’t necessarily a bad choice.
I recognize that this method might have some issues. It’s possible for a candidate to possess extremely technical knowledge but poor hunting vision. Because teaching someone to think is more difficult than simply teaching them system facts, I don’t think this situation is very important.
I’ve also experienced the opposite, approving someone who was good at thinking about hunting but had no idea how to carry out their ideas. Most of the time, we can teach people this, but on occasion, we’ve hired someone who just wasn’t interested in learning.
When hiring for a hunt team, this was my favorite question to ask candidates. The question’s open-ended format was very similar to real-world situations I’ve encountered. I can tell if the person I’m interviewing can think like a hunter or not by asking them a question like this.
- Explain Threat Hunting? …
- Differentiate between Pen Testing and Threat Hunting? …
- Is it a possibility to get nothing in Threat Hunting results? …
- Can we trust the Threat hunting reports and act on them? …
- Explain MITRE ATT&CK? …
- Explain the Mitre ATT&CK Use?
” Threat Hunting” Interview Questions and Answers| Soc Analyst | Cybersecurity
Opening Threat Hunting Interview Questions
It’s critical to gain perspective on a candidate before a cyber security job interview to understand who they are and how they think. Because of this, all of our senior hunters asked some variation of the following as their first threat hunting interview question:
This type of question is multi-faceted. In addition to letting you know how “deep” a candidate goes (do they only read content that is superficial, like CNN, or do they frequently contribute to niche subreddits or blogs? ), it also allows you to determine whether the candidate is still actively learning and staying engaged and can show how passionate they are about the field. A popular follow-up to this query among our team was:
This supports their claim and demonstrates the breadth of their knowledge. With these threat hunting interview questions, you can begin learning more about the candidate’s background once you are confident that they are truly passionate about the field and exhibit a good depth of knowledge.
6. Threat hunters, red teamers, and defenders use the MITRE ATT&CK paradigm to more accurately identify cyberattacks and assess an organization’s vulnerability.
Over time, threat hunting and incident response approaches have improved. Organizations use cutting-edge methodologies to spot risks using expert threat hunters even before harm or loss occurs. Our Threat Hunting Professional Online Training Course helps you improve your skills and better understand threats and their objectives.
3. Although it is theoretically possible to find nothing during some threat hunting exercises, doing so is not a complete waste of time because we might find a few other vulnerabilities that we weren’t aware of or didn’t think existed. Therefore, even if we don’t uncover any potential threats, it is always beneficial to carry out a thorough threat hunting process.
9. What is a threat hunting hypothesis, and how does it differ from other theories or proposed interpretations based on sparse data from a secure environment? Then, it serves as a springboard for additional investigation.
12. What is proactive Threat Hunting? Proactive threat hunting is the process of actively scouring networks or datasets for sophisticated cyberthreats that evade traditional rule- or signature-based security controls and responding to them.
Moving toward models like zero trust, which are tighter security frameworks, is the entire security industry The rise of internal threats, which are currently one of the main causes of compromise, is one of the main causes of this. Because they have access to the network and in-depth knowledge of an organization’s systems, employees are frequently used as the point of attack or launch the attack themselves, which is particularly dangerous. This makes it harder to detect their activities.
Due to this need, a relatively new category of cybersecurity positions has emerged: threat hunters. These people are responsible for identifying potential threats to an organization and enhancing security before any harm is done. They essentially need to think like an attacker and have extensive knowledge of current trends in cyberattacks.
Five years ago, the term “threat hunter” was hardly used, and as a result, it may conjure images of comic book heroes banding together to fight corrupt online supervillains. However, this is not the case. Threat actors are resourceful and persistent, so threat hunters are compelled to adopt a philosophy that holds that attacks are unavoidable and that all preventative measures will eventually fall short. As a result, threat hunting tends to lean more toward the detective end of the spectrum.
There are times when hunters must deal with an attacker who is “hands-on the keyboard,” which is a very dangerous scenario. Attackers may abruptly alter their tactics to confuse hunters when they spot a threat hunting team. If their objective is to harm the organization as much as possible, they might also go nuclear and wreck as much havoc as they can.
There can be no activity on an estate that isn’t associated with or categorized to a particular person because zero trust deems all actions to be untrustworthy, making it simpler to spot unauthorized activities. Additionally, we’ve seen the cybersecurity industry move away from blacklists, which grow longer and more sprawling as a result of attackers consistently coming up with inventive ways to get around defenses.
I’ll say that again. It is ineffective to simply deploy sensors, collect data, and hope to find problems. The advantages of being able to delve deeper and truly comprehend the applicants through the process are also provided by this question for me.
This strategy disregards KT-C, but that isn’t always a bad thing. Think again about our warehouse example. Although handheld scanners may be KT-C, they may not necessarily be relevant to the hunt because it is relatively unlikely that the adversary will obtain malware on them. This is referred to as Mission Relevant Terrain Cyberspace (MRT-C). Do you spend time trying to monitor a handheld scanner or do you concentrate on things more relevant to what an adversary can actually do? What equipment in your network is relevant to the mission?
I chose Security Onion because it is an open-source tool that is vendor-neutral and because it is a reliable tool that I have used in hunts. I would caution applicants, though, that this wasn’t a test of their familiarity with Security Onion, and it’s okay if they weren’t aware of all of its features; I can explain them.
I focused on these approaches specifically for two reasons. First, because I want a hunter to use all four of these strategies concurrently, consistently, and on every hunt they participate in When I was training, I used to walk my analysts through these methods.
I recognize that this method might have some issues. It’s possible for a candidate to possess extremely technical knowledge but poor hunting vision. Because teaching someone to think is more difficult than simply teaching them system facts, I don’t think this situation is very important.
FAQ
What are threat hunting techniques?
- Structured hunting. An indicator of attack (IoA) and the attacker’s tactics, techniques, and procedures (TTPs) serve as the foundation of a structured hunt.
- Unstructured hunting. Based on a trigger, one of many indicators of compromise (IoC), an unstructured hunt is started.
- Situational or entity driven.
What makes a good threat hunter?
Threat hunters need to be able to spot trends that correspond to the methods, tactics, strategies, and practices used by hackers, malware, and strange behaviors. They must first comprehend typical network behavior patterns in order to spot any suspicious activity or transaction before they can spot those patterns.
What are the top challenges of threat hunting?
- Challenge #1: Budget Constraints of Threat Hunting. …
- Challenge #2: The Hunting Skills Gap. …
- Challenge #3: Lack of Dedicated Resources for Threat Hunting. …
- Challenge #4: Threat Intelligence is Not Geared To Hunting. …
- Challenge #5: The ‘Legitimacy Gap’
Which threat hunting technique is best?
The most sophisticated cyber threat hunting methods may be based on Digital Forensics and Incident Response (DFIR). It focuses on identifying, looking into, and fixing cyberattacks that happen in a corporate setting.
