Enabling The Cyber Hunter - “Detection After The Fact”

 Originally published on January 05, 2018 by Matt Conran
Last updated on January 09, 2018 • 16 minute read

We keep hearing about terabit-scale DDoS attacks. Mitigating attacks at that volume calls for a distributed, stateless approach combined with state-of-the-art machine learning.

Downtime at that scale attracts readers, but much of the important news never reaches the headlines. Below-the-radar attacks hit organizations unnoticed, and the compromise of valuable assets is discovered only when it is already too late.

Targeted attacks are often paired with a heavy-hitting attack that acts as a smokescreen. While the operations team is busy fighting the DDoS with traditional packet captures, Simple Network Management Protocol (SNMP) statistics and manual traceback, the bad actor quietly gains access to valuable assets. Those tools leave the operator blind during the volumetric attack, and the financial and public-relations fallout of a breach that arrives under its cover is severe.

If an attack goes unnoticed, how do we stop it? The only way to counter this kind of bad actor is to add people to the defense and empower them with the right technology.

Machines offer an edge in an automated world, but catching a cyber criminal takes a human. A person brings persistence and intuition to the hunt, and the determination to make it personal, which a machine cannot offer.

Cyber Hunters

As a cyber hunter you have to be relentless and invest in exposing these attacks, which calls for an entirely different approach to security. A frame that is too narrow, fixed on one corner of the network, has sent many infrastructures to the graveyard when a threat arrived, as the daily news of reputable organizations being compromised shows.

To catch a thief you have to think like one. That takes a much wider view of the network, which only the proactive work of a cyber hunter provides. Cyber hunters are a rare breed of operator who proactively sniff the darkest corners and examine the network from every angle rather than waiting for an automated alert to trigger a workflow.

Cyber hunting is the art of seeking out and understanding an intelligent, persistent bad actor who is trying to infiltrate your network to reach valuable resources. Cyber hunters spend a lot of time observing the bad actor before attempting to stop them; unnoticed observation is the key to the role, a look-before-you-leap approach.

Cybercriminal Activities

Knowing the common security defenses, the cybercriminal treads lightly, changing penetration tactics to gain an ever stronger foothold. They move silently through the network, penetrating the weakest link in each segment, hopping from one location to another, covering their traces and laying false trails to evade detection.

The initial stage may be access to a regular user's laptop, from which they gain a foothold on stronger assets that lead to the resource they want. Lateral movement and footprinting of a network are not easy to detect, and the bad actor knows which techniques are least visible: a few connections an hour to internal hosts, over the same ports legitimate administration uses, look like noise in any single log.

Cyber hunters spend their time analyzing unusual or anomalous patterns of behaviour that could indicate an advanced intruder trying to grow their footprint, and they sink their teeth into an odd pattern the moment it appears.

Targeted Attacks Are The Biggest Threat

If you drill down and examine what is happening on the network, commodity malware, viruses, script kiddies and botnets are not the biggest threat. They are not the ones that open the gateway to Personally Identifiable Information (PII).

The biggest threat, from both a financial and a public-relations point of view, is an infrastructure compromised by someone who is deliberately and specifically targeting it: the one who understands the typical defenses and can route around them unnoticed.

The ones to fear are the persistent attackers operating below the threshold of automated detection systems. Targeted attacks on assets are an organization's biggest risk. Bad actors today have a clear understanding of the underlying security technologies and their weaknesses; they know the nuts and bolts and how to trespass to accomplish their objectives.

There is usually extensive reconnaissance of an organization's systems before the attack is carried out. They know the technologies in place. They are organized and well funded, run their own operational lifecycle and follow software development practices of their own.

Cyber Hunter Challenges

Institutional and business support is a must; having the best tools is only part of what is required. If results are disregarded, it is better not to have started in the first place. One of the hunter's biggest challenges is data acquisition: getting hands on the right data and the additional telemetry that goes with it.

They need the authority to block ports on firewalls, pull logs and collect data from infrastructure components owned by other teams, which can meet resistance.

Supporting the cyber hunter with NetFlow is highly recommended, because that data source makes the overall task easier. Little special provisioning is needed: most routers and switches can export flow records with a few lines of configuration, and on most platforms export adds no latency to forwarded traffic and only modest CPU load. One caveat: some high-throughput platforms support only sampled export, and a sampling rate of one packet in a thousand can miss the handful of packets a low-and-slow intruder generates, so unsampled export should be enabled wherever the hardware allows it.

Time and team collaboration are the essence of responding to a cyber threat. No one can add hours to the clock, but tools like NetFlow deliver the right data more easily and faster. When organizations rebuild their old workflows around NetFlow they complete them more quickly, especially if the old tool was a basic packet capture.

Team Collaboration - Let’s Work Together

Team collaboration among different technical teams is an issue for most organizations, especially when it comes to troubleshooting. The people dealing with a cyber threat are often distributed, wear different technical hats and may sit in different time zones. Getting them all talking efficiently in one place is a challenge even for the most experienced managers.

More often than not, security and network professionals talk for the first time when a threat appears; the collaboration between them has never been fine-tuned and the workflows are not automated. NetFlow is already in place and brings everyone to the same page, because all the teams were using it before the threat happened. As a result, team members are not meeting for the very first time and have pre-established relationships.

Previous relationships among the technical teams are the core of effective troubleshooting. A flow-analysis platform built on NetFlow acts as the central glue: operators annotate alerts on hosts with knowledge gleaned from one team and pass it on to the other.

The alerts let operators tag people to bring items to their attention, and a free-text field carries extra information, for example the ticket number in another system.

Global Collaboration - We Have To Work Together

There are plenty of company success stories, and those are the easy pill to swallow. The bitter pill is a data breach or network downtime. Learning from failures across organizations is what lets us change direction and spot cyber threats quickly.

Success stories encourage everyone, but talking about failures is invaluable, because their lessons are open and shared. A trend is forming for cross-company collaboration and tooling around threats, and an informal community is emerging in which hunters associate with one another. Getting cyber hunters talking to each other is one of the most important developments the security field has seen so far.

There is not much left to invent in data collection; the gains are on the cognitive side, helping people reason over the data they already have.

Cyber Hunter's Tool Kit

Traditionally, forensics was carried out on past events. The proactive cyber hunter carries out forensics on events that are happening right now, during the attack. Earlier, forensics was often done from full packet captures, but today's networks are far larger and carry far more data, which makes flow technologies an enticing alternative. The trade-off is that a flow record carries no payload: it tells you who talked to whom, when, over which ports and how much, which is enough to spot and scope an intrusion, while full packet capture is still needed for the few conversations whose content must be read.

Once the cyber hunter fully understands who they are dealing with, for example having mapped the external IP addresses in use and determined which assets are compromised, they plan and launch a comprehensive mitigation to disable the bad actor. If a compromised asset is under the bad actor's control, the cyber hunter is unlikely to switch it off immediately. Mitigation becomes a game of cat and mouse in which he or she tries various techniques to determine where the threat is coming from.

The cyber hunter's mitigation plan has a number of stages, including reimaging computers, locking individual files, or even replicating already-compromised assets to lure the bad actor into a trap. The majority of security professionals take a reactive approach and rely on alerts to trigger a troubleshooting workflow. The cyber hunter has a distinct role and works with a certain level of proactivity.

A good cyber hunter actively tries to find things out instead of waiting for the evidence to land neatly in his or her lap. They are less process-oriented, acting as the network cowboy with a lot more rope and more access to telemetry than a normal security or network professional would have.

The Perfect World For A Cyber Hunter's Toolkit

The perfect toolset for a cyber hunter consists of visibility, visibility and visibility, from every nook and corner of the infrastructure; nothing can be left out. They must be given multiple vantage points at the network and host level, combined with, for example, syslog data, endpoint telemetry and access to one or more threat intelligence feeds.

NetFlow is a critical data source for identifying a security breach and anomalous activity. It allows operators to reconstruct the sequence of events and gives accurate details of what is happening in the network.
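As an added example, not code from the original post, its author, or any flow-collector product it mentions, the following Python decodes a NetFlow v5 export datagram (the standard 24-byte header followed by 48-byte records) and runs two hunts over it: the internal fan-out that the lateral-movement discussion above describes, and the pivot from an external address mapped to the bad actor to every internal asset that talked to it, which is the scoping step before the mitigation plan. The datagram is constructed inline with RFC 1918 and documentation (203.0.113.0/24) addresses rather than captured; the 10.0.0.0/8 site prefix, the hosts and the thresholds are assumptions.

```python
"""Decode NetFlow v5 exports and run two hunt queries over the flow records.

Added example: not code from the original article or any flow-collector product.
The site prefix, thresholds and every sample address below are assumptions.
"""
import ipaddress
import struct
from collections import defaultdict
from dataclasses import dataclass

# Standard NetFlow v5 wire layout: 24-byte header, then up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site prefix


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    first_ms: int  # exporter SysUptime at the first packet of the flow
    last_ms: int   # exporter SysUptime at the last packet of the flow


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def parse_v5(datagram):
    """Return the Flow records in one v5 datagram; reject bad versions and lengths."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nh, _in, _out, pkts, octets, first, last, sport, dport, _pad, _flags, proto = rec[:14]
        flows.append(Flow(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                          sport, dport, proto, pkts, octets, first, last))
    return flows


def build_v5(records):
    """Encode (src, dst, sport, dport, proto, pkts, octets, first, last) tuples as a
    v5 datagram. Used only to construct sample input; a real exporter fills the rest."""
    header = V5_HEADER.pack(5, len(records), 90_000, 1_515_110_400, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)), 0, 1, 2,
                       pk, oc, fi, la, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, fi, la in records)
    return header + body


def internal_fanout(flows, min_peers=10, min_ports=5):
    """Hunt 1: internal hosts reaching unusually many other internal hosts or service
    ports, the footprint of lateral movement. Returns {host: (peer_count, port_count)}."""
    peers, ports = defaultdict(set), defaultdict(set)
    for f in flows:
        if f.src != f.dst and is_internal(f.src) and is_internal(f.dst):
            peers[f.src].add(f.dst)
            ports[f.src].add(f.dport)
    return {h: (len(peers[h]), len(ports[h])) for h in peers
            if len(peers[h]) >= min_peers or len(ports[h]) >= min_ports}


def pivot_on_external(flows, external_ip):
    """Hunt 2: given an address mapped to the bad actor, list each internal host that
    contacted it as (host, first_contact_ms, total_octets), earliest first. The earliest
    host is the likely initial foothold; every host listed is an asset to treat as compromised."""
    first, octets = {}, defaultdict(int)
    for f in flows:
        if f.dst == external_ip and is_internal(f.src):
            first[f.src] = min(first.get(f.src, f.first_ms), f.first_ms)
            octets[f.src] += f.octets
    return sorted(((h, first[h], octets[h]) for h in first), key=lambda t: t[1])


# Constructed sample export (not captured traffic): 10.0.1.5 sweeps 12 hosts across
# SMB/RPC/RDP/SSH/WinRM/NetBIOS ports, two hosts beacon to 203.0.113.7:443, and
# 10.0.1.6 does ordinary HTTPS to two internal servers.
SWEEP_PORTS = [445, 135, 3389, 22, 5985, 139]
SAMPLE_RECORDS = (
    [("10.0.1.5", f"10.0.2.{i + 1}", 49000 + i, SWEEP_PORTS[i % 6], 6, 3, 180,
      8_000 + 500 * i, 8_050 + 500 * i) for i in range(12)]
    + [("10.0.3.9", "203.0.113.7", 50213, 443, 6, 12, 900, 1_000, 1_200),
       ("10.0.1.5", "203.0.113.7", 50877, 443, 6, 20, 2_400, 5_000, 5_300),
       ("10.0.1.5", "203.0.113.7", 50878, 443, 6, 15, 1_800, 65_000, 65_200),
       ("10.0.1.6", "10.0.5.10", 51000, 443, 6, 40, 9_000, 3_000, 3_900),
       ("10.0.1.6", "10.0.5.11", 51001, 443, 6, 25, 6_000, 4_000, 4_800)]
)
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS)


def run_hunts(datagram=SAMPLE_DATAGRAM, actor_ip="203.0.113.7"):
    flows = parse_v5(datagram)
    return internal_fanout(flows), pivot_on_external(flows, actor_ip)


if __name__ == "__main__":
    fanout, pivot = run_hunts()
    print("fan-out suspects:", fanout)
    print("internal hosts that reached the actor:", pivot)
```

Against the sample export the fan-out hunt flags only 10.0.1.5 (12 internal peers across 6 service ports), while the ordinary HTTPS client stays below both thresholds; the pivot lists 10.0.3.9 before 10.0.1.5 because its first contact with the actor came earlier, which is the ordering a hunter uses to tell the initial foothold from later lateral hops. The thresholds are deliberately a starting point: on a real network they should be set from a baseline of each host's normal peer and port counts, and the record's `first_ms`/`last_ms` fields are exporter uptime, so they must be anchored to the header's wall-clock fields when stitching records from several exporters into one timeline.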

NetFlow offers a deep and broad view, especially useful for observing abnormal behaviour. So when a breach occurs, two capabilities need to be in place: complete visibility and control of the network. Scrutinizer gives both.


We are going to see more downtime that a cyber hunter could have stopped. Cyber hunting has only started to gain recognition for what it does for organizations. A cyber hunter is a vitamin, not morphine: it is hard to quantify what you would have lost financially without one. They are always busy and on to something, able to sense the slightest ripple and probe into its cause.

When protecting your business from the big battalions of cybercriminals, technology is only part of the solution. The rest is people, such as a good cyber hunter, and the policies and procedures supporting them.

Cyber crime is growing into a global phenomenon. It is not just a technological issue, it is a business issue, and prevention is certainly better than cure. Crippling digital attacks on organizations' infrastructure are inevitable, so we either dial down our dependence on a hyperconnected world or take a more proactive approach to security.

Still, at least, and at last, real steps are finally being taken to restrict the shameful way cybercriminals are penetrating networks. Cyber hunters with global support and the right visibility tools are the only way forward.


This article, like the previous two, was created by Matt Conran, a freelance author who writes regularly on our blog about the topics of Network, Security and Cloud.