Security Talent: Top 3 Skills to Look For in a Threat Hunter

Organizations are facing around-the-clock threats from every direction. From ransomware attacks to vulnerable cloud configurations and devastating RDP exploits, businesses need to be able to quickly detect and respond to these threats in real time.

Author: Scott Barlow, global VP of MSP and cloud alliances, Sophos

To support this need, MSPs are increasingly expanding their prevention-centric security approaches to also include threat hunting services.

Threat hunters are constantly monitoring environments and are always ready to respond. It’s a role with a unique skillset.

Whether MSPs are building their own in-house threat hunting team or outsourcing these activities to a trusted security partner, here are the top qualities to look for:

1. Proactiveness

Threat hunting and incident response are different, but they complement each other. Incident responders do hand-to-hand combat with cyber adversaries in emergency situations. They’re the ones who investigate environments that are already known to have been infected or breached. In most cases, it’s retroactive.

Threat hunters, on the other hand, are more proactive. The role is more of an analytics function, looking at data on a day-to-day basis to identify abnormalities and deconstructing the TTPs being utilized.

A threat hunter’s job is to be proactive. They need to have the ability to focus and the bandwidth to monitor an environment 24/7 in order to stay a step ahead of attackers. They need to always be on the cusp of cutting-edge threat intelligence, perform research on new attack methods, and look comprehensively at a customer’s estate for anything that looks even the slightest bit off.

2. Attention to detail

Indicators of attack (IoAs) and indicators of compromise (IoCs) are the telltale signs of compromised environments and/or impending attacks that threat hunters find across masses of data. But, as soon as these indicators have been discovered, attackers leave them in the dust and change their TTPs to stay effective.

Threat hunters need to pay close attention to detail to understand when old indicators are no longer relevant, and then have the ability to pivot with the adversary to stay a step ahead.

3. Flexibility

While cyberattackers often use similar TTPs, each threat hunt requires different measures. And based on initial findings, a threat hunter will need to dig in deeper. This requires flexibility and the ability to think on their feet.

And while there are a handful of best practices to rely on, threat hunters need to be able to pivot and tweak each method as the situation calls for it in real time.

A Threat Hunter’s Job is Never Complete

Every threat or red flag detected is the first in an endless line of threats, and they all need to be investigated.

These threats are very real for all businesses of all sizes, and every organization needs to assume they’re a target. That’s the mindset that threat hunters need to have as well.


Scott Barlow is vice president, Global MSP and Cloud Alliances, at Sophos. Read more Sophos guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.
