Name: Katie Horne
Years hunting: 2
Favorite datasets: Network flow, application level data, firewall/switch/AP logs, file/process data, Windows event logs
Favorite hunting techniques: Searching, grouping, intel analysis
Who are you?
I'm Katie Horne, although my on-the-job nickname is Hunter Killer. I’m a security analyst and shift lead at the GoSecure Active Response Center in Eastern Canada, and a malware analysis aficionada.
Why do you hunt and what is your experience hunting?
Professionally, I have been a part of the GoSecure AAP threat hunt team for almost two years. As a member of the ARC team, threat hunting is in essence what I do on a daily basis. The security of our clients is at the heart of everything we do at the ARC, and as such a proactive rather than reactive approach to threat mitigation is what is required; ergo, enter The Hunt.
I hunt because I have to. Life would be bland without the thrill of the hunt. As a hunter, your opponent ultimately is other people - not malware, not vulnerabilities, not outdated software, but the people that are looking to exploit any weaknesses they can find in order to gain something at the expense of others. And people are never static. They’re thinkers and innovators, and often seemingly unpredictable. A threat hunter never gets to relax, and take a break, and waste time. As a hunter you never run out of things to do with your life. And that is valuable to me.
What projects and organizations are you involved with?
I’m currently heading GoSecure AAP’s deceptive tech project. I can’t give too many details, as doing so would defeat the purpose of deception, but it’s very cool.
Additionally I’ve very recently become interested in the Sagan log analysis engine, and have offered up one or two small rules which Champ, the genius lead dev behind the project, has been kind enough to accept. Plus there are more to come!
What hunting techniques, tools, and datasets do you use most frequently?
My hunting technique, if I had to describe it, involves looking at the whole picture of network traffic, logs, system-level activity and user behaviour, as well as keeping an eye on trends in the wild that may have a bearing on client environments (and my own life!).
I really lean towards using open source tools as I truly believe collaboration is a must among security professionals. Among my favourite tools are Suricata, SpamScope, Sagan, STIX, various honeypot projects (cowrie, YALIH), and CuckooML.
I also find the work done by certain other members of the information security community to be an invaluable resource in terms of gaining insight into what indicators of compromise, or spoor, if you will, may be valuable to look for. I would count intelligence gathered by researchers such as Techhelplist, Daniel Gallagher, MalwareHunterTeam, Decalage, Broad Analysis and Brad (Malware Traffic Analysis) as a tool. Twitter is a great tool for communication with fellow cybersecurity warriors, such as the aforementioned.
My favourite datasets are whichever ones help me get to the bottom of an investigation! If I had to pick I would say network connection flow and application level data, firewall/switch/AP logs, file/process data on the system-side, and Windows event logs. Every case is different, so while one set of data may be helpful in homing in on a threat in one instance, the next time it may be a completely different set. I’ll take all the datasets I can get!
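The profile lists grouping as a favourite technique and network flow as a favourite dataset. The script below is an added example, not code from the interviewee or from GoSecure, showing what grouping (often called stacking) looks like in practice over a handful of constructed flow records: it counts how many internal hosts talk to each destination port to surface ports used by only one host, and it groups connections by (source, destination, port) to flag pairs whose connection intervals are unusually regular, which is worth a closer look rather than a conclusion on its own. All IP addresses, ports and timestamps are constructed sample values.

```python
"""Stacking constructed network-flow records to surface outliers.

Added example for the 'grouping' hunting technique; the flow records are
constructed for illustration and are not real client data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_out)
# 203.0.113.9 is a TEST-NET-3 address used here purely as a placeholder.
FLOWS = [
    (0,   "10.0.0.5", "10.0.0.10",   445, 1200),
    (12,  "10.0.0.6", "10.0.0.10",   445, 900),
    (47,  "10.0.0.7", "10.0.0.10",   445, 700),
    (5,   "10.0.0.5", "10.0.0.20",   443, 3000),
    (63,  "10.0.0.6", "10.0.0.20",   443, 2500),
    (110, "10.0.0.8", "10.0.0.20",   443, 4100),
    (200, "10.0.0.5", "10.0.0.20",   443, 800),
    (10,  "10.0.0.7", "203.0.113.9", 8443, 512),
    (70,  "10.0.0.7", "203.0.113.9", 8443, 520),
    (130, "10.0.0.7", "203.0.113.9", 8443, 515),
    (190, "10.0.0.7", "203.0.113.9", 8443, 518),
    (250, "10.0.0.7", "203.0.113.9", 8443, 521),
]


def hosts_per_port(flows):
    """Stack flows by destination port: port -> set of source hosts using it."""
    hosts = defaultdict(set)
    for _ts, src, _dst, dport, _nbytes in flows:
        hosts[dport].add(src)
    return dict(hosts)


def rare_ports(flows, max_hosts=1):
    """Return (port, hosts) pairs used by at most `max_hosts` distinct sources.

    Low-frequency items are the point of stacking: common ports fall to the
    bottom of the list and the one-off port stands out for review.
    """
    return sorted(
        ((port, hosts) for port, hosts in hosts_per_port(flows).items()
         if len(hosts) <= max_hosts),
        key=lambda item: item[0],
    )


def beacon_candidates(flows, min_conns=4, max_cv=0.1):
    """Group flows by (src, dst, port) and flag pairs with very regular timing.

    The coefficient of variation (stdev / mean) of the gaps between
    connections is near zero for a fixed-interval pattern. Returns
    (src, dst, port, mean_interval_seconds) tuples; regularity alone is not
    proof of anything, it is a lead for the hunter to investigate.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        by_pair[(src, dst, dport)].append(ts)

    candidates = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            candidates.append((src, dst, dport, float(avg)))
    return candidates


if __name__ == "__main__":
    for port, hosts in rare_ports(FLOWS):
        print(f"port {port} used by only {sorted(hosts)}")
    for src, dst, dport, interval in beacon_candidates(FLOWS):
        print(f"{src} -> {dst}:{dport} every ~{interval:.0f}s, worth a look")
```

Run as-is it prints the single host using port 8443 and the one source/destination pair connecting every 60 seconds. On real flow data the thresholds (`max_hosts`, `min_conns`, `max_cv`) need tuning against what is normal for that client's environment, which is exactly the "know your environment" point made later in this profile.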
What value do you actively see come out of your hunting activities?
The value lies in catching your quarry and protecting your clients, and the feedback you get from clients when you have helped to protect them. There’s nothing like the surge of joy you feel when a client thanks you for finding a threat on their network, except perhaps for the jolt of adrenaline when you catch the scent of a potential threat.
What types of friendly intelligence are most useful for a hunter to have in an investigation?
It is very useful to receive pointers from more experienced cybersecurity professionals. As a relative newcomer on the threat hunting scene, I often find myself doubting my instincts and findings. It is very helpful to be able to reach out to others that have been in the field longer than I have for their input and for a second opinion.
Otherwise, knowing your environment is key, so if you’re hunting threats in a client environment, it is an absolute necessity to obtain as much information as possible from the client to best serve their needs and rule out false positives.
What general advice do you have for new Threat Hunters?
I am a new hunter (or so it feels)! But I have found a pitfall for new hunters: jumping to wild conclusions based on very little evidence. Time is wasted chasing after the wrong trail when a little logic and calm deliberation at the start could have quickly ruled out a false positive and allowed the hunter to continue in the right direction. Yes, speed can often be of the essence in what we do, but that is why it is so important not to waste time by rushing headlong into a mistaken determination.
What would you want to see Threat Hunting develop into across the industry in the future?
I would like threat hunting to become more of a collaborative effort, and have this collaboration not be driven by what organizations may gain, but rather be driven by a desire to protect individuals and give white hats a fighting chance against cybercriminal organizations.
Check out our full Hunter Profile series for different takes, tips and tricks on threat hunting from the experts!