"Hunting is not a sport. In a sport, both sides should know they're in the game."

According to Field and Stream magazine, this is an oft-quoted hunting expression. There is irony in applying it to the cybersecurity industry, where hunting is indeed a sport: the good guys and the bad guys both know that they are in the game.

Joseph Loomis, CEO of CyberSponse, who works closely with the cyber units at the FBI, DHS and Secret Service, described this trendy new cyber sport, in which the good guys try to entrench themselves in the world of the dark web.

"You want to understand the psyche of the adversary and what motivates them," Loomis said.

Whether hunting for known or unknown threats, "You typically look for what someone has to gain. The unknown, that's nearly as important as what the gain is. When looking at adversaries, whether it's initiatives or groups, you need to know what drives them," he said.

This collection of threat intelligence will drive how an enterprise does a threat hunt.

While hunters deep in the dark web can't break the law to enforce the law, they can, said Loomis, "Flip bad guys into good guys because they are already trusted." These informants are already in the lines of communication and know what the bad guys are looking for.

One of the most high-profile bad guys turned informant is the nefarious Albert Gonzalez. Larry Johnson, senior vice president at Nehemiah Security and a former Secret Service agent, recalled the days when Gonzalez was offered a deal.

There had been some high-profile attacks in which a couple of retailers were hit hard, which was a turning point in cyber crime, said Johnson.

"Back then, all cyber crime was financial crime," Johnson said.
In the early part of the 21st century, though, criminals realized the gains that could be garnered by hacking into enterprises across industries.

Though he had been arrested for a petty crime, police found a collection of laptops and other equipment when they searched Gonzalez's home.

"We flipped him because he was arrested by a New Jersey police department. Our guys from the New Jersey office went out and found out that he was involved in one of the ShadowCrew carding gangs, an online forum where hackers traded secrets," Johnson said.

It was around the time of Gonzalez's arrest that the FBI and Secret Service started handling more cyber crime cases involving national security, organized crime, identity theft, computer fraud and access device fraud. Flipping informants proved to be a good strategic move.

If Gonzalez hoped to have the charges against him dropped, he had to cooperate, which gave rise to the government agencies' involvement in threat hunting.

Is threat hunting right for you?

Here are five tips from Exabeam's Director of Labs Barry Shteiman to help you answer that question.

- You're in a regulated industry and manage sensitive data: this makes your firm a likely target for hackers.
- You have difficulty eradicating malware from your network: systems seem to get reinfected often.
- You've had recent incidents with hackers or malware: now is the time to elevate your monitoring.
- You have many admins or privileged users: these accounts are high risk.
- You don't know what to look for in your investigations: iterating and pivoting help find the real problems.
Certainly the goal of the FBI and Secret Service was to find and arrest the criminals, but the average enterprise really just wants to protect itself against known and unknown threats.

Loomis argued that "Automation is the future of cybersecurity," but other security practitioners said that threat hunting will always rely on the human factor.

Specifically, Neumann Lim, senior information security systems engineer at D3 Cyber, said, "It's a war of attrition. One human versus another. What they put in their code, we need to find out what it is, what it's doing, and what they can take."

Hunting the known threat is a little bit easier than pursuing the unknown. "When hunting known threats, they have already been discovered through signature or indicators of compromise," said Neumann. Unknown threats can be more time consuming because it's like searching for a needle in a haystack.

A challenge for many of the good guys is that legislation prevents a lot of threat hunting on their side. "When you hunt for threats, you need to do a little bit of offense. Probe networks to find out what things are happening and where they are occurring. Both Canada and the US say you can't do that, even if your intentions are good," said Neumann.

Taking this moral high ground somewhat handcuffs what responders can do. "If we look at an IP that's been attacking us for 24 hours, we can determine that it looks like it's coming from Russia. Is it really Russia? Without probing that trail, we may never know," said Neumann. Knowing your opponent and how they fight is the key to beating them.

In order to know an adversary, there has to be a human being involved at every level of the hunt. Robert M. Lee, SANS Institute course author and instructor and CEO of Dragos Security, said, "There are a few core components to threat hunting. It has to be a dedicated focus. Security analysts can't be writing reports. It's analyst driven and you can't automate."

At the beginning and end of a threat hunt, though, Lee said, "There has to be an analyst asking questions. A general core component of any activity is a hypothesis of where an adversary might be. Threat hunting is the process of engaging in the answer."

It's easy to get caught up in the new trends in search of the cybersecurity silver bullet, but Lee warned, "There are not many companies dedicating teams solely to hunting, but there is so much work to be done. A lot of these smaller companies don't have the same threat landscape."

Fortune 250 companies have a very different risk level from SMBs and local mom-and-pop companies. "Everybody wants to gravitate to the new shiny thing, but there is a whole gradual scale. A sliding scale of cybersecurity. We see some companies say wow, that's cool, but neglect architecture and don't get as much return on investment. There is a maturity scale to all of this," said Lee.

In his blog, Enterprise Detection & Response, David Bianco shared a simple hunting maturity model to help organizations determine where they are in their security maturity process and whether investing in threat hunting platforms would yield a strong return on investment.

According to Lee, not many people do threat hunting correctly, which he attributes to the intense market pressures of the security industry. "You hear a lot about the adversary is evolving but defenders aren't. The thing is, most adversaries don't have the need to innovate," Lee said.

Because no company wants to come out and say it got hacked by a super basic adversary, it's easier to use a doomsday smoke screen. The fear of sophisticated hackers innovating faster than defenders imbues a dependence on products, Lee said.
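Lim's distinction between hunting known threats (already captured as signatures or indicators of compromise) and unknown ones, together with Lee's point that a hunt starts from an analyst's hypothesis about where an adversary might be, can be made concrete. The following is an added example, not code from the article or from any of the companies quoted in it: it runs an indicator match and a hypothesis-driven least-frequency check over a small set of constructed endpoint process events. The hosts, hashes, IP addresses and the indicator set are all made up for illustration and stand in for real telemetry and a real intel feed.

```python
"""Known-threat (IOC) hunt beside a hypothesis-driven hunt over constructed
endpoint telemetry. Added example; not code from the article or its sources."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str
    image: str
    sha256: str
    dest_ip: Optional[str]  # outbound connection made by the process, if any


def _baseline(host):
    # Benign activity every workstation shows: Explorer launches Outlook and
    # Chrome, Outlook opens Word. Hashes and addresses are placeholders.
    return [
        ProcessEvent(host, "explorer.exe", "outlook.exe", "h-outlook", None),
        ProcessEvent(host, "explorer.exe", "chrome.exe", "h-chrome", "198.51.100.10"),
        ProcessEvent(host, "outlook.exe", "winword.exe", "h-winword", None),
    ]


# Constructed sample telemetry for seven workstations (not real data).
EVENTS = [e for n in range(1, 8) for e in _baseline(f"ws-0{n}")]
# Constructed suspicious events. ws-03: Chrome talks to an address already on
# the intel feed (a known threat). ws-07: Word spawns PowerShell that beacons
# to an address nobody has listed yet (an unknown threat).
EVENTS += [
    ProcessEvent("ws-03", "explorer.exe", "chrome.exe", "h-chrome", "203.0.113.45"),
    ProcessEvent("ws-07", "winword.exe", "powershell.exe", "h-powershell", "192.0.2.77"),
]

# Constructed indicator set standing in for a threat-intel feed.
IOC_HASHES = {"h-ransom-dropper"}
IOC_IPS = {"203.0.113.45"}


def hunt_known(events, ioc_hashes=IOC_HASHES, ioc_ips=IOC_IPS):
    """Known-threat hunt: any event matching a hash or address indicator is a hit."""
    return [
        e for e in events
        if e.sha256 in ioc_hashes or (e.dest_ip and e.dest_ip in ioc_ips)
    ]


def hunt_hypothesis(events, max_hosts=1):
    """Hypothesis: an adversary in the mail path spawns a shell from an Office
    application, producing a parent->child pair seen on almost no hosts.
    Stack-count each pair by the distinct hosts it appears on and return the
    rare ones (least-frequency analysis)."""
    hosts_by_pair = defaultdict(set)
    for e in events:
        hosts_by_pair[(e.parent, e.image)].add(e.host)
    return sorted(
        (pair, sorted(hosts))
        for pair, hosts in hosts_by_pair.items()
        if len(hosts) <= max_hosts
    )


if __name__ == "__main__":
    for hit in hunt_known(EVENTS):
        print("IOC match:", hit)
    for pair, hosts in hunt_hypothesis(EVENTS):
        print("rare parent->child pair", pair, "seen only on", hosts)
```

The indicator hunt catches the workstation whose browser talks to an address already on the feed and nothing else. The hypothesis hunt ignores that connection, because the browser's parent-child pair is common on every host, and instead surfaces the single machine where Word launched PowerShell, which no indicator describes. That is the needle-in-a-haystack work Lim refers to, and it is the analyst's hypothesis rather than a signature that defines the search.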
"In reality, we are actually seeing defenders make huge strides. Defense is more and more doable; however, the marketing pressures of that can quickly bastardize the industry," Lee continued.

Because both the good guys and the adversaries know that they are in the game of threat hunting, the sport will always demand human intelligence. Lee said, "It is harder to talk about the upside of the industry because that doesn't sell, but the industry as a whole is drastically getting better. What it boils down to is that the threat is a human. The whole concept of the hunt understands that. Only the humans are going to defend that architecture."