Defending against cyberattacks is a critical function of federal IT professionals, but the nature and complexity of cyberthreats are constantly changing. To keep up with hackers and bad actors, agencies can use threat hunters to proactively search their own systems for anomalies and signs of compromise, and to stop intrusions before they become major breaches.
In a recent training, GovLoop spoke with three experts to learn how threat hunters operate within an agency and improve government cybersecurity. Chuck Steel, Diplomatic Security Cyber Threat Division Chief at the State Department, Jae Lee, Product Marketing Director at Splunk, and Anthony Talamantes, Manager of Defensive Cyber Operations at Johns Hopkins Applied Physics Lab described how agencies can better protect government IT systems. They also shared their own experiences using threat hunters to fight hackers.
First, Steel outlined how the threat-hunting program operates at the State Department. Threat hunting differs from standard perimeter defense because, as Steel put it, “We poke around our own network to see what’s odd.” To find potential threats, successful threat hunters, many of whom work alongside data scientists who can analyze large data sets, must build and apply two kinds of knowledge: what normal behavior looks like on their own systems, and the exploitation techniques attackers commonly use. By continuously monitoring data and IT systems for deviations from that baseline, threat hunters can detect intrusions before they turn into full-blown breaches.
Talamantes experienced firsthand how threat hunting, and the threat intelligence it produces, can protect against attackers. Sophisticated hackers targeted his organization twice. By examining each attack, his team was able to analyze and understand the adversary’s behavior, which helped protect against future attacks. When he was brought in to help a partner organization attacked by the same group, he learned even more about the adversary: from that incident he developed further intelligence about their evolving techniques for hiding malware in data, and he applied this knowledge to recognize more weaknesses in his own systems.
Threat hunting is about more than just identifying a baseline and potential threats. Lee added that threat-hunting programs involve changing the cybersecurity mentality at an agency from being reactive to proactive. “Rather than looking for something noteworthy like a breach, you should have a hypothesis, know what you are hunting for, and try to validate your suspicions,” he said. “It’s about being proactive.”
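The two ideas above, a baseline of normal behavior and a named hypothesis tested against it, are easier to see in code. The following is an added example, not code from the article or from any of the speakers: it parses a small constructed process-creation log, builds a baseline from a “normal” window, and then checks a later window against three explicit hypotheses instead of scanning for anything that looks odd. The log format, host names, user names, process names and hypothesis definitions are all assumptions made for illustration.

```python
"""Hypothesis-driven threat hunt over process-creation logs.

Added example; not code from the GovLoop article or from any of the speakers.
The log format, hosts, users and process names below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed baseline window: what "normal" looked like before the hunt.
BASELINE_LOG = """\
2024-03-01T08:01:10Z host=WS-101 user=alice parent=explorer.exe proc=outlook.exe
2024-03-01T08:02:33Z host=WS-101 user=alice parent=explorer.exe proc=winword.exe
2024-03-01T08:15:02Z host=WS-102 user=bob parent=explorer.exe proc=chrome.exe
2024-03-01T09:00:45Z host=WS-102 user=bob parent=explorer.exe proc=excel.exe
2024-03-01T09:30:00Z host=SRV-DB1 user=svc_backup parent=services.exe proc=backup.exe
2024-03-02T08:05:12Z host=WS-101 user=alice parent=outlook.exe proc=winword.exe
2024-03-02T08:40:09Z host=WS-102 user=bob parent=explorer.exe proc=outlook.exe
2024-03-02T09:30:00Z host=SRV-DB1 user=svc_backup parent=services.exe proc=backup.exe
"""

# Constructed hunt window: the period being examined for intrusion activity.
HUNT_LOG = """\
2024-03-03T08:03:00Z host=WS-101 user=alice parent=explorer.exe proc=outlook.exe
2024-03-03T08:04:17Z host=WS-101 user=alice parent=outlook.exe proc=winword.exe
2024-03-03T08:04:21Z host=WS-101 user=alice parent=winword.exe proc=powershell.exe
2024-03-03T08:06:40Z host=WS-102 user=bob parent=explorer.exe proc=chrome.exe
2024-03-03T09:30:00Z host=SRV-DB1 user=svc_backup parent=services.exe proc=backup.exe
2024-03-03T11:22:05Z host=SRV-DB1 user=alice parent=services.exe proc=cmd.exe
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    proc: str


def parse_log(text):
    """Parse constructed 'timestamp key=value ...' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(ts, kv["host"], kv["user"].lower(),
                            kv["parent"].lower(), kv["proc"].lower()))
    return events


class Baseline:
    """Summary of the baseline window: the hosts each user is seen on, and
    every parent -> child process pair that occurred at all."""

    def __init__(self, events):
        self.user_hosts = defaultdict(set)
        self.pairs = set()
        for e in events:
            self.user_hosts[e.user].add(e.host)
            self.pairs.add((e.parent, e.proc))


# Each hypothesis is a predicate over (event, baseline). Naming them keeps the
# hunt explicit about what it is looking for. The process sets are assumptions.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def office_spawns_interpreter(e, b):
    # Hypothesis: a phishing document ran a macro that launched a script host.
    return e.parent in OFFICE_APPS and e.proc in INTERPRETERS


def user_on_unfamiliar_host(e, b):
    # Hypothesis: a stolen account is being used from a host its owner never uses.
    return e.user in b.user_hosts and e.host not in b.user_hosts[e.user]


def unseen_parent_child(e, b):
    # Hypothesis: an attacker tool appears as a process lineage the baseline never had.
    return (e.parent, e.proc) not in b.pairs


HYPOTHESES = {
    "office_spawns_interpreter": office_spawns_interpreter,
    "user_on_unfamiliar_host": user_on_unfamiliar_host,
    "unseen_parent_child": unseen_parent_child,
}


def hunt(baseline_events, hunt_events):
    """Return [(event, [hypothesis names it satisfies])] for each hunt-window
    event that satisfies at least one hypothesis, in log order."""
    b = Baseline(baseline_events)
    findings = []
    for e in hunt_events:
        hits = [name for name, test in HYPOTHESES.items() if test(e, b)]
        if hits:
            findings.append((e, hits))
    return findings


def run_hunt():
    """Run the constructed hunt: two events should be flagged."""
    return hunt(parse_log(BASELINE_LOG), parse_log(HUNT_LOG))


if __name__ == "__main__":
    for e, hits in run_hunt():
        print(f"{e.ts} {e.host} {e.user}: {e.parent} -> {e.proc}  [{', '.join(hits)}]")
```

On the constructed data the hunt flags two events: winword.exe launching powershell.exe on WS-101, and alice appearing on SRV-DB1 with services.exe spawning cmd.exe. The “never seen in baseline” test on its own is noisy, since any new software or new hire also produces unseen pairs; it earns its keep when it corroborates a sharper hypothesis, which is the point of deciding what you are hunting for before you start. In a real environment the same logic would run as a search over endpoint telemetry in a platform such as Splunk, with a baseline window long enough to capture legitimate variation.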
The experts agreed that the qualifications for threat hunters differ somewhat from those of the average cybersecurity professional. Steel noted that when hiring threat hunters, agencies should look for cybersecurity professionals who are analytical and “tinkerers”: people who constantly ask questions to gain deeper knowledge and who enjoy poking around to find the intricacies of a system.
Talamantes agreed. “They should be people with deep analytical capabilities that can understand the nature of threats rather than just somebody that can set up a firewall,” he explained.
Lastly, the experts recommended that the best way to implement a threat-hunting program is to start with the resources you already have. Despite budget and personnel constraints, IT professionals can show the value of threat hunting by demonstrating early results that help the organization. Lee pointed out that you don’t need additional personnel to understand your environment or to orient your mentality toward being proactive about threats.
“An imperfect start is better than an unimplemented plan,” Talamantes noted.
Hackers are learning to create more complex cyberattacks, and threat hunting is a way to protect against these evolving techniques. By understanding your environment, developing knowledge of threats, and actively searching for vulnerabilities and anomalies in agency data and IT systems, IT professionals can better protect against breaches and ensure that agencies can continue to fulfill their missions.
For more information about threat hunting, listen to the entire online training here.