What it takes to be a cyber hunter
Raytheon experts teach a winning student team about cyber conflict
It could have been regular network traffic. But Matt Meltzer, a Raytheon cyber threat hunter, thought it seemed a little off, a little out of the ordinary.
“We are looking for behaviors that look normal, but after you analyze them for a while, you start to see the anomalies,” Meltzer said. “That’s when we pivot to our tools that utilize all the current threat data and long-term patterns.”
Raytheon's advanced cybersecurity technology is capable of amazing detective work, yet instinct still plays a role.
“Tools are great and a part of the process, but you need the human element to be really proactive,” Meltzer said.
That was the message from Meltzer and Rebekah Wilke, Raytheon Foreground Security virtual-security operations center operations manager, to a team of eight students from the University of Maryland, Baltimore County: the “Cyber Dawgs,” 2017 champions of the National Collegiate Cyber Defense Competition. The team was touring Washington, D.C., to visit the nation’s top cyber research and national cybersecurity sites, courtesy of Raytheon. Stops included the White House, the Department of Homeland Security, the Secret Service and Raytheon’s own labs, among others. Raytheon has presented and sponsored the competition for the past four years.
Wilke stressed the importance of identifying behavior patterns that might seem normal at first but show anomalies over time. Human perception is the best way to detect such patterns, making it a critical aspect of proactive threat hunting.
Raytheon’s cyber threat hunters use critical thinking to gain an edge. The volume of data on a corporate network can be overwhelming, according to Wilke. To identify malicious cyber actors, threat hunters review current threat data and long-term trends.
“We tune our cyber tools ourselves to ensure that we are taking advantage of our knowledge and insights from years of research, hunting and just pure passion for what we do,” Wilke said. “The tools are driving the outcome, but we are trying to show that the tools can be tuned by smart people; it’s the human that drives the data.”
Collaboration is key
“Everyone brings their own personalities, experience and research into the mix, so it is critical that we take advantage of all that knowledge to find the real threats,” Meltzer said. “When the goal is to narrow down data sets from millions of pieces of data to that one threat, any insight could be the thing that tips the scales in the defender’s favor.”
Wilke and Meltzer told the Cyber Dawgs that they still advocate automating processes whenever possible. That frees up time to look for new threats. Every additional cycle they get could be the one that leads to identifying the latest threat.
The pair stressed that before companies start to set up threat-hunting teams, they must do a visibility gap analysis. That identifies the tools and data needed to arm defenders. Then they should find the right people to hunt down malicious actors.
“The characteristics we look for in candidates are smart, persistent people with inquisitive and curious minds, who like to research the latest threats. And above all, collaborative and team players,” Wilke said. “Then we breed hunters. People like the Cyber Dawgs and their NCCDC peers. They’ve shown through months of competition that they thrive working as a team toward a collective goal. That’s a great starting point.”