



Threat hunting: the sport of the future?

May 13, 2016 (4 min read)
Data and Information Security | Security

Training humans for the cyber hunt

A few years ago, Dave Amsler, president and founder of Foreground Security, now Raytheon Foreground Security, began studying the inefficiencies in how SOCs were run. Once he had identified them, he sought to answer the question, “Where should we be going?” He realized that threat hunting would be—in the words of John Cusack in the classic ’80s romantic comedy Say Anything—the ‘sport’ of the future.

Amsler also founded Foreground University, and since the acquisition, Raytheon has integrated Foreground’s online training curriculum, which offers 93 courses that help build the next generation of cyber hunters right out of college.

Threat hunting is very different from bug bounty hunting. As Amsler put it, “Bug bounty is more offensive. The idea is for a hunter to find a hole in this code that they can manipulate. They are looking to find one thing wrong with the code, environment, or website. Threat hunting is a completely defensive mindset. You have to know how to look at and see all things traversing the environment and still find the bad guy.”

Key to the success of threat hunting, said Amsler, is “Visibility. You have to have the data and analytical automated components, but it still relies on humans.”


In fact, “Almost 60 percent of what we find is because of humans,” Amsler said. Currently, many security practitioners are trained to rely on tools and wait for an alert. “That doesn’t work,” said Amsler, who realized that they had to build their own talent.

“I actually went and bought a training company that specialized in developing customized security training. We worked for the last four years to build the curriculum to teach a human how to hunt for a threat actor,” he said.

Understanding the intricacies of threat hunting requires a sophisticated, analytical mind: one that not only knows how to look at something, but also recognizes when there is something bad inside it and knows where to go from there.

“Fundamentally, we teach students how to look at networks and understand what the core capabilities are. We want them to be able to understand what networking traffic looks like. How do operating systems work?” said Amsler. While these are classic skills of a security practitioner, threat hunting is much more advanced.

“We look at how an OS stores things in memory and how attackers manipulate that. How do security tools work? How do you use them in order to give you the visibility you need? How do attackers operate? What are their attack methodologies? What are the phases of an attack and the techniques they use?”

All of these questions delve into the very focused work of threat hunting.

Some of the courses, Amsler explained, are centered around being able to identify who the attackers are. “‘Where can you go to do research on them?’ and ‘How do you do research?’ are key questions, because when anyone is starting to hunt, they may see something that looks abnormal coming from a strange place,” said Amsler.

That actor might already be associated with a known group, which usually means you don’t need to do the research yourself. Amsler said, “You can leverage intel from different partner groups, in the dark web and the open web, that attackers may be using.”

What is most practical about the courses, Amsler said, is that “This is not just all online training in an MLS system. Pieces of this are in classroom and use real attacks in a real environment. We scrub them and put them into classroom trainings to recreate.”

Students also participate in a mentoring program in which the student sits side by side with, and shadows, an advanced analyst. Effective threat hunting requires training humans first, and then training machines to look for anomalies and behaviors rather than only for a known bad.

Raytheon Foreground Security and Foreground University believe this hunting concept is where the industry needs to go. Where a few years ago only approximately 30 percent of enterprises said they needed a threat hunter, Amsler said that number has jumped to 78 percent. “The problem is that they can’t find, can’t afford, or can’t retain them. Ask an enterprise to hire and train a hunter, those skills are in such high demand it’s hard to retain,” he continued.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years’ experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master’s in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
