Cyber investigations, threat hunting and research: More art than science

While it’s true that threat hunting, incident response, and threat research all have their foundations in science (operating system theory and architecture, computer language and compilation, protocols, hardware and memory architecture, logic, etc.), throughout my entire career I have found it is also fundamentally true that the most successful threat hunters, incident responders, and threat researchers are far more artist than scientist.


In fact, this is the very summary of all the advice I’ve offered in my last three Help Net Security articles: if you want to land a job and have a successful career as a researcher, threat hunter or investigator, approach the work creatively, as play, and with a beginner’s mind.

There is a reason why this mindset is a requirement for becoming one of the most successful. The old adage says that security defenders need to be 100% perfect at protecting 100% of the countless entry points 100% of the time in order to prevent breaches, while hackers only need one exploit that works.

While that adage is considerably oversimplified, the moral is true: being a defender means keeping up with an impossible firehose of changing technologies, controls, and attacks. Not to mention, your adversaries are not pieces of code – they are creative and motivated people.

And let’s be honest, hacking is fun! When you are engaged in something fun, you likely have heightened motivation and creativity, so only those who approach the challenge of defense work with the same level of play and creativity as hackers will rise to the top of their team, company, and industry.

What can threat analysts learn from artists?

This “playful” approach is reflected in quotes from some of today’s most famous contemporary artists.

“When someone sees one of my paintings, I want them to really feel the place that I’m depicting. And so, my desire is that they’re going to want to travel into that painting and become part of it.” – James Coleman

How does this apply to the aspiring threat analyst?

When you write reports about your threat research that will be released publicly, do not simply annotate the threat you documented. Take the reader of your article (or the attendee of your presentation) into the world unfolding for the attacker during that activity. What did they do well? What did they overlook? Why did they do what they did? How can your audience find and explore similar worlds? Tell a story.

“I use palette knives because for me it adds a dimension to the painting. There is that thickness, that working in the flow of the paint, that it casts its own shadow. I make my own knives.” – Alexandre Renoir

Where artists use brushes and knives to craft their works of art, we also use tools to shape, spread, and manipulate data (as opposed to paint). As Alexandre (for those wondering: the great-grandson of “the” Renoir) noted, off-the-shelf tools frequently are not the right tool to create the perfect finished product, and the same applies to us.

If you do not know scripting or coding, learn at least the basics. You do not need to be a programmer – just know how to cobble scripts together to help you parse, sift, and shape the data you need to examine and audit. Building your own tools can lead to insights that cannot be found by everyone else using off-the-shelf tools.

“For me, the best situation is to sit in front of a blank canvas. Sometimes, I have an idea how to begin. Sometimes, I don’t need an idea. I just touch the canvas with a brush, and something goes on it and it starts.” – Yuval Wolfson

This one speaks directly to the aspiring threat hunter – those who manually find the threats that all other products and people have missed. The best hunters approach the forensic console as a truly blank canvas, and more importantly – they try not to paint the same painting multiple days in a row. This is one of the biggest challenges for most hunters.

Most hunters quickly develop habits and begin only hunting for the same sets of threat behaviors over time. Force yourself to be uncomfortable, hunting in protocols or data you are not familiar with. Ask different questions on different days. Paint radically different pictures with each hunt by treating each hunt as a truly blank canvas.

“I had a professor who started out day one with: ‘Be yourself. You will never be Picasso, but then again, Picasso will never be you.’” – Dominic Pangborn

We all learn and advance our craft from the same source: each other. We read the articles that others write and watch the presentations other researchers give. Most of us see that content and think, “I’m not good enough to do that.” The works we all learn from may seem like unattainable Picassos, but remember that those authors have their own “unattainable Picassos” too. The advice from Dominic’s professor is fantastic. Do not worry about them – just be you and put your work out there for other analysts to benefit from, and possibly even be inspired by.

Overall, if you find threat hunting and research to be mentally stimulating, and even fun, you’ve already overcome the biggest hurdle to a successful career. As my previous articles recommended, take it upon yourself to document your research and share it with the industry. Whether you already have a job in cybersecurity or you’re trying to break through and start a new career, it’s the best way to make yourself – and your skills – stand out.

Good luck on your journey.
