May 19, 26
Slide summary
This document, presented by instructor Hasegawa, focuses on the practical aspects and career development of threat hunting, drawing on his own experience. It defines and outlines the purpose of threat hunting, introduces the entities that actually conduct it (internal teams, external SOCs, CSIRTs, etc.), and compares the skills cultivated in six roles: MSS developer/owner, MSSP SOC analyst, CSIRT incident handler/forensic analyst, threat researcher, security consultant, and full-commit hunter. Furthermore, it outlines the path to becoming a consultant, including practical hunting experience, establishing unique methodologies, and presenting at conferences. It also touches upon hypothesis design, countermeasures against cognitive bias, and the limitations and possibilities of AI/GenAI utilization. Finally, it concludes by encouraging connection via a LinkedIn QR code.
Recommended tags: Threat hunting, cybersecurity, career path, skill development, AI utilization
Threat Hunter & App Developer & Security Engineer & Researcher https://www.hacket-engine.com
🦅 🐜 Career Talk (30 mins): Leveling Up as a Threat Hunter: Let's Go Hunting!
Tatsuya Hasegawa (T.H), Threat Hunter (T.H)
Tatsuya Hasegawa
- Professional Threat Hunter for over 4 years, 16 years in cyber security in total
- Threat Hunting Consultant (2025 >)
- SNS (HN: hackeT, X: @T_8ase)
- Roles: Security Consultant, Visualization Developer, Threat Hunter, AI Engineer
- Certifications: GSE #404, GSP #414, CISSP, CISA, GX-FA, GX-FE, GX-IH, GX-CS, + 10 other GIACs
- 2025: Speaker at BSides (Tokyo & Brisbane), Workshop Leader at DEATHCON
My Threat Hunting Career
(Chart: amount of proactive time related to threat hunting across the roles above.)
My Role as Threat Hunting Consultant
- No hunting by myself, only regular meetings following the progress of the client's hunters
- Advice on deeper investigations, reporting tips, and providing the next hunt hole to drill (hypothesis design)
- Discussing not only current attack trends but also possible future threat actors' perspectives
Trust and motivation management are essential for the client's hunters to achieve results.
Outline
1. Threat Hunting Landscape
2. Threat Hunting Skills and Experience Gained from Each Role
   1. MSS Developer & Owner
   2. MSSP SOC Analyst
   3. CSIRT Incident Handler & Forensic Analyst
   4. Threat Researcher
   5. Security Consultant
   6. Full-commit Threat Hunter
3. Path to Threat Hunting Consultant
4. Takeaways
1. Threat Hunting Landscape
What is Threat Hunting?
- Security products can NOT detect all threats, so there is always a potential risk of false negatives (FN).
- But we have the products' telemetry and logs! ✨ With them we can detect proactively, then respond quickly before the risk spreads.
- Even with the same analytical perspective, there are new discoveries when the timing is different, so threat hunting should be incorporated into daily operations.
- Similar to security monitoring? 🧐 Yes, but security monitoring is "fixed-point observation" (定点観測 in Japanese), while threat hunting is "dynamic observation of weak areas".
Who usually performs practical Threat Hunting?
- In-house hunting team
- Private SOC analyst
- CSIRT member (in peacetime)
- MSSP SOC analyst / hunting team (as a service)
- Out-sourced hunter (contracted)

In-house vs. out-sourced:
  In-house:    easy to understand the normal environment (active baseline) 😊; difficult to understand attack trends (delayed trend) 😞
  Out-sourced: easy to understand attack trends (active trend) 😊; difficult to understand the normal environment (delayed baseline) 😞
How is Threat Hunting approached? Three kinds of hypothesis, after SANS, "Generating Hypotheses for Successful Threat Hunting" (2016), https://www.sans.org/white-papers/37172/:
- Intelligence-driven hypothesis: known evil, malicious similarity; driven by IoCs (Indicators of Compromise) and IoAs (Indicators of Attack)
- Situational-awareness hypothesis: a baseline of the environment, then deviation from benign
- Domain-expertise hypothesis: the hunter's past experience; difficult to document and share, and a source of cognitive bias, but a valuable resource
Hasegawa-style Drill Hunting, based on EDA (Exploratory Data Analysis)
Scope widely at first, then dig deeper as you gain more knowledge.
(Diagram: the security product area sits inside a wider field of noise and false positives; dig wide at first, then dig down with understanding.)
Moving from Bird to Insect, no silver bullet!
- 🦅 Bird eye: look! Cut the data by 1 or 2 features/fields (horizon chart, bubble chart) to see the normal events.
- Once the data is understood enough, narrow down while excluding normal/benign events, then drill down.
- 🐜 Insect eye: inspect! Look at the narrowed-down data with many features/fields (sunburst, Sankey, multi-dimensional plot) to find the anomaly.
Some icons from Elastic.
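The drill approach on the two slides above (wide cut by one field, exclude the benign bubble, then look at what remains with many fields, finishing with the hunter's own domain-expertise features), worked through as an added example that is not part of the talk and not the author's tooling. The process-creation events, the field names (host, user, parent, image, cmdline, hour), the office-app list and the scoring weights are all constructed assumptions for illustration, not a product schema.

```python
"""Drill hunting over process-creation telemetry: bird eye first, then insect eye.

Added example, not code from the talk. The events, field names and scoring
weights below are constructed assumptions, not a real product schema.
"""
from collections import Counter, defaultdict

# Constructed sample telemetry: one process-creation event per dict.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "hour": 9},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "hour": 10},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "hour": 11},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe",
     "cmdline": "outlook.exe", "hour": 9},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "outlook.exe",
     "cmdline": "outlook.exe", "hour": 9},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "image": "outlook.exe",
     "cmdline": "outlook.exe", "hour": 8},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "teams.exe",
     "cmdline": "teams.exe", "hour": 9},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "teams.exe",
     "cmdline": "teams.exe", "hour": 10},
    {"host": "ws01", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "hour": 0},
    {"host": "ws02", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "hour": 0},
    {"host": "ws03", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "hour": 0},
    {"host": "ws02", "user": "bob", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "hour": 2},
    {"host": "srv01", "user": "svc_backup", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\backup\\nightly.ps1", "hour": 2},
    {"host": "ws02", "user": "carol", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe", "hour": 14},
]

# Assumed list of document-handling parents a hunter treats as unusual spawners.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def bird_eye(events, field):
    """Cut the data by a single field: the wide 'horizon' view of what dominates."""
    return Counter(e[field] for e in events)


def baseline(events, field, min_hosts):
    """Situational-awareness baseline: a value seen on at least min_hosts distinct
    hosts is treated as the normal bubble and excluded from the drill."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e[field]].add(e["host"])
    return {value for value, hs in hosts.items() if len(hs) >= min_hosts}


def narrow(events, field, benign):
    """Exclude the benign bubble; what remains deserves a closer look."""
    return [e for e in events if e[field] not in benign]


def insect_eye(events, fields):
    """Look at the narrowed set with many fields at once (the multi-dimensional view)."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def suspicion(e):
    """Domain-expertise hypothesis: features the hunter's experience says matter.
    The weights are an assumption for this example, not a product rule."""
    score = 0
    if e["parent"].lower() in OFFICE_APPS:
        score += 1  # an office application spawning a child process
    cmd = e["cmdline"].lower()
    if "-enc" in cmd or "hidden" in cmd:
        score += 1  # encoded or hidden PowerShell invocation
    if e["hour"] < 6 or e["hour"] > 20:
        score += 1  # off-hours activity
    return score


def drill(events, min_hosts=3):
    """Full drill: wide cut -> baseline exclusion -> multi-field ranking."""
    benign = baseline(events, "image", min_hosts)
    rare = narrow(events, "image", benign)
    ranked = sorted(rare, key=suspicion, reverse=True)
    return [dict(e, score=suspicion(e)) for e in ranked]


if __name__ == "__main__":
    print("bird eye by image:", bird_eye(EVENTS, "image").most_common())
    benign = baseline(EVENTS, "image", 3)
    print("benign bubble:", sorted(benign))
    rare = narrow(EVENTS, "image", benign)
    for combo, n in insect_eye(rare, ("parent", "image", "user", "hour")).items():
        print("insect eye:", combo, n)
    for c in drill(EVENTS):
        print(c["score"], c["host"], c["parent"], "->", c["cmdline"])
```

On the constructed data the wide cut leaves teams.exe and powershell.exe outside the bubble, because neither is seen on three hosts; the multi-field view then separates the scheduled backup script (one off-hours feature) from the office-spawned, encoded, off-hours PowerShell, which is the only event scoring 3. The prevalence threshold and the weights are exactly the knobs a hunter tunes as understanding of the environment grows.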
Difference between general hunting styles

                    Anomaly / Data Mining     Threat Intelligence
  Team Operation    limited                   Easy
  GenAI Automation  ML/DL, but limited        Easy
  Scope Planning    Difficult                 Easy
  Knowledge Share   Difficult                 Easy
  Find Unknown      Yes                       limited
  Uniqueness        High                      Low
  Data              Unstructured              Structured
2. Threat Hunting Skills and Experience Gained from Each Role
1. MSS Developer & Owner
Experienced: security products' habits & weaknesses 🧐
Job tasks:
- Security product discovery
- Operation design
- Production test / PoC ✨
- Service specification creation
- Troubleshooting
2. MSSP SOC Analyst
Experienced: false positives of security products 🤯; fundamentals of detection engineering
Job tasks:
- Alert handling
- Log analysis ✨
- Periodic report creation
- Custom rule development
3. CSIRT Incident Handler & Forensic Analyst
Experienced: false negatives in real incidents 😭; patterns of insider threat
Job tasks:
- Incident handling for a variety of cases ✨
- Forensic analysis ✨
- Forensic report creation
- Vulnerability management ✨
- Community activity, e.g. ISAC
4. Threat Researcher (at an anti-virus vendor)
Experienced: sophisticated evasion attacks 🙃; threats' spread speed
Job tasks:
- New threat/evasion research ✨
- Malware/exploit deep analysis ✨
- Threat report creation
5. Security Consultant
Experienced: only a few 😞…
Job tasks:
- Customer meetings
- Security framework research
- Security audit
- Presentation slide creation
6. Full-commit Threat Hunter
Experienced: cost-effectiveness of time and results ⚖; predicting the threat actor's mind; mental resilience 😆
Job tasks:
- Log analysis (forensic) ✨
- Threat intelligence check ✨
- Hunt tool development
- Considering the hunt PDCA ✨
- Hunt! Hunt! Hunt! Greedily! Commit to results!
3. Path to Threat Hunting Consultant
Path to Threat Hunting Consultant, in my case
- Lots of practical hunt work 🔥
- Create your own hunt method ✨
- Present at well-known security conferences 🎤
Going my way, committing to results.
IMPORTANT!! Sustained involvement in real hunting.
4. Takeaways
Compare the 6 roles' experiences for a hunter
(Chart: each role rated on the Hypothesis and Verification Loop and on Data Analysis with Visualization.)
- MSS Dev & Owner: security product's habits & weaknesses
- MSSP SOC Analyst: false positives; fundamentals of DE (detection engineering)
- CSIRT IR / Forensic: false negatives; insider threat
- Threat Researcher: evasion attacks; spread speed
- Security Consultant: very limited…
- Full-commit Hunter: cost-effectiveness; mental resilience
Best hunter experience: 🦅 a hunter grows through facing "false negatives" 🐜
- Get as many chances as possible in your current role
- Hunt by yourself
- Look at other hunters' results
- Forensic investigation in an incident
- Public IR reports or TR (threat research) reports (limited awareness)
Suspecting a false negative is the first step to hunting!
Controlling Cognitive Bias
Hunters rely on their experience... Be confident, but don't be alone! Get feedback and new perspectives from others 🐜 🦅
Looking at Real Data Yourself
Practical advanced hunting requires data analysis skill: query languages, statistics, ML, DL, and payload analysis 🦅 🐜
Thoughts on Hunting Automation
IMPORTANT!! AI can mimic past experience, but hunters can't gain true experience from AI alone.
- Plan: ☑ GenAI (planning whole new hypotheses is the biggest challenge..)
- Do: ✅ Scheduled job
- Check: ✅ Deep analysis by AI (timeline correlation, DL)
- Act: ☑ GenAI
Thank you! This is my LinkedIn account QR. Feel free to connect with me.