Definition

cyber threat hunter (cybersecurity threat analyst)

What is a cyber threat hunter?

A cyber threat hunter, also called a cybersecurity threat analyst, proactively identifies security incidents that may go undetected by automated security tools such as malware detectors and firewalls.

To find these potential security incidents, cyber threat hunting involves monitoring network traffic, IP addresses, endpoints and data sets to uncover incidents that might otherwise go undetected.

In this way, the hunter provides threat intelligence and an additional line of defense against cyber attacks and advanced persistent threats (APTs).

Why is cybersecurity threat hunting important?

Predicting malicious activity is challenging because many new threats have no apparent indicators. The only way to stay ahead of these emerging threats is by proactively seeking them out and preventing them before they occur.

Instead of waiting for potential threats to emerge, the threat hunting process is centered around searching the organization's environment for anomalies that might indicate vulnerabilities and then implement proactive threat hunting to validate assumptions and mitigate risks.

In essence, hunters assume that threat actors already have access to the environment they are investigating. They evaluate all systems until they can find any malicious activity and remediate the causes.

What tasks are involved in cyber threat hunting?

The job of the threat hunter is to both supplement and reinforce automated systems. As the review process uncovers patterns for initiating attacks, the security organization can use that information to improve its automated threat detection software.

A threat hunter will regularly:

  • search for vulnerabilities and risk factors in data and systems;
  • stay up to date on the latest innovation in cybersecurity;
  • study trends in cybercrime around threat actors' behaviors, tactics and goals;
  • analyze collected data to find potential anomalies in the security environment; and
  • eliminate any risks and vulnerabilities.
Characteristics of a cybersecurity threat hunter

Cyber threat hunting methodologies

Threat hunting generally revolves around one of three industry accepted methodologies. These include:

  • Hypothesis-driven investigation. Hypothesis-driven investigations are those driven by a large amount of crowdsourced data that provides insight into cybercriminals' latest tactics, techniques and procedures (TTP). Threat hunters use TTP insight to investigate whether those behaviors are present within the organization's current environment.
  • IOC-driven investigation. Indicators of compromise (IOC) are found in forensic "artifacts" and identify activity that indicates potential threats. Investigations driven by IOCs use threat intelligence to try to identify the effective threat within the organization's environment. Potential IOCs include network-based artifacts, host-based artifacts and authentication-based artifacts.
  • Machine learning investigation. Machine learning can aid threat hunting by combining analysis and machine learning to sift through large amounts of data in search of anomalies that might indicate a potential threat. 

All of these methodologies combine threat intelligence, human effort and advanced cybersecurity technologies to proactively investigate an organization's systems and data to mitigate or prevent security incidents.

Cyber threat hunting tools

There are a number of tools that supplement the human effort expended by cyber threat hunters. These include:

  • SIEM solutions. Security information and event management (SIEM) tools help threat hunters by utilizing automation to collect and analyze large amounts of data from monitoring tools and other sources to unearth previously unidentified threats.
  • Security monitoring tools. Security professionals use the data collected from security monitoring tools to help provide a full picture of potential threats.
  • Analytics tools. These tools allow the threat hunter to better visualize data to help them better identify correlations between data sets that may indicate an attack.
  • Threat intelligence sources. Threat hunters use threat intelligence data on malicious IP addresses, malware hashes and other threat indicators found in various forms on the internet to support their analysis and investigation efforts.

What types of organizations use cyber threat hunters?

Typically, cyber threat hunters are employed by large-scale, enterprise organizations that are particularly vulnerable to cyber attacks.

Threat hunters work within a security operations center (SOC) and take the lead role in their threat detection and incident response activities. They are often managed by the organization's CISO, who works with the CIO to coordinate enterprise security.

Threat hunting may be assigned as an additional duty to one or more security analysts within a SOC, or they may be assigned full-time threat hunting duties. For smaller organizations, threat hunting services are typically outsourced to managed security service providers (MSSPs) that offer security monitoring and management to a number of organizations at once.

Additional options include creating a threat hunting team that includes rotating security engineers into the threat hunting role on a temporary basis and then having them return to their usual jobs within the SOC.

Employment outlook for cybersecurity threat hunters

The "SANS 2020 Threat Hunting Survey" found that 65% of respondent organizations were already performing some form of threat hunting and another 29% planning to implement threat hunting within the next 12 months. The survey results also showed that the bulk of growth in threat hunting is confined to vertical markets such as financial services, high-tech, military, government and telecommunications.

Many of the organizations in need of a threat hunter's services are looking for a professional with experience in threat hunting or cybersecurity methodologies and remediation techniques.

This might be someone with a security analyst background and a bachelor's degree in cybersecurity, computer science or a related field. Requirements may also include prior experience working in a similar role or as a member of a security team.

According to the U.S. Bureau of Labor Statistics, the annual salary range for a security threat analyst in 2021 was $57,810 to $158,860. In addition, CompTIA predicted a 32% increase in new jobs in the information security analyst field between 2018 and 2028.

Learn more about threat hunting as a career in "How to become a threat hunter."

This was last updated in March 2021

Continue Reading About cyber threat hunter (cybersecurity threat analyst)

Dig Deeper on IT applications, infrastructure and operations