Cyber Hunting: The Importance of Threat Intelligence

Rackspace security analyst at work in the security operations center

The old adage “the more you know” definitely rings true when it comes to cyber hunting.

When conducting cyber hunting activities, it’s not about finding a needle in a haystack; it’s about finding a needle in a stack of needles. The advanced cyber adversaries of today have the financial backing, the intelligence and the wherewithal to conduct extremely advanced attacks.

So advanced, in fact, that the attack may remain completely unknown not just to end users, but even to the security tools a business may have in place. The majority of advanced cyber-attacks we see today do not appear abnormal in any way.

The steps taken to breach a network and steal target data or financial information might very well appear as normal user or administrative activity. Knowing your adversary and having insight into their tactics, techniques and procedures is paramount when conducting cyber hunting activities.

This is where threat intelligence comes into play. There is a multitude of threat intelligence sources, and many security tools are able to incorporate some sort of processed threat intelligence. But a well-equipped analyst, armed with this intel, can usually find the most obscure methods being used by adversaries.

Good threat intelligence helps not only discover breaches or anomalous activity, but it can also help catch adversaries early in the attack lifecycle. Studying advanced adversary tactics, techniques and procedures can help pinpoint reconnaissance and weaponization methods before the breach occurs. This can save the target organization hundreds of thousands or even millions of dollars in damages.
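Tools that consume processed threat intelligence, as described above, typically come down to matching known indicators against activity in the environment and then using the adversary context attached to each indicator (which stage of the attack lifecycle it belongs to, what tactic it represents) to steer the hunt. The following is an added example, not code from Rackspace or from this post; the indicator set, the log lines and the lifecycle-stage ordering are all constructed for illustration, and the values are placeholders rather than real indicators.

```python
import re
from dataclasses import dataclass

# Constructed indicator set (placeholder values, not a real feed). Besides the raw
# value, each entry carries what threat intelligence adds: the attack-lifecycle
# stage the indicator is usually seen in, and a short note on the adversary TTP.
INDICATORS = {
    "ip": {
        "203.0.113.77": {"stage": "reconnaissance",
                         "context": "scanner probing web login pages"},
    },
    "domain": {
        "updates.example-cdn.invalid": {"stage": "command-and-control",
                                        "context": "known beacon domain"},
    },
    "sha256": {
        "0123456789abcdef" * 4: {"stage": "weaponization",
                                 "context": "placeholder hash of a dropper"},
    },
    # "Malwareless" tradecraft has no file to hash; it is matched as a command
    # pattern instead of a value.
    "cmdline": {
        r"schtasks\s+/create": {"stage": "persistence",
                                "context": "scheduled task used for persistence"},
    },
}

# Assumed lifecycle ordering, loosely following the stages the post names.
STAGE_ORDER = ["reconnaissance", "weaponization", "delivery", "exploitation",
               "persistence", "command-and-control", "lateral-movement",
               "actions-on-objectives"]

# Constructed sample log lines in a simple key=value style (not real telemetry).
LOGS = [
    "2024-01-05T10:01:02Z web src=203.0.113.77 path=/login status=401",
    "2024-01-05T10:07:44Z dns client=10.0.0.8 query=updates.example-cdn.invalid",
    '2024-01-05T10:09:10Z proc host=ws12 user=jdoe cmd="schtasks /create /sc minute /tn upd /tr c:\\temp\\a.exe"',
    "2024-01-05T10:12:31Z edr host=ws12 file=c:\\temp\\a.exe sha256=" + "0123456789abcdef" * 4,
    "2024-01-05T10:15:00Z web src=198.51.100.9 path=/ status=200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str
    indicator: str
    stage: str
    context: str


def hunt(lines, indicators=INDICATORS):
    """Return every indicator hit in the given log lines, with its intel context."""
    matches = []
    for line_no, line in enumerate(lines, 1):
        seen = set()  # avoid reporting the same indicator twice for one line
        # Value-based indicators: extract candidates, then look them up.
        extractors = [("ip", IP_RE), ("domain", DOMAIN_RE), ("sha256", SHA256_RE)]
        for kind, regex in extractors:
            for candidate in regex.findall(line):
                meta = indicators[kind].get(candidate.lower())
                if meta and (kind, candidate) not in seen:
                    seen.add((kind, candidate))
                    matches.append(Match(line_no, kind, candidate,
                                         meta["stage"], meta["context"]))
        # Pattern-based indicators for malwareless activity.
        for pattern, meta in indicators["cmdline"].items():
            if re.search(pattern, line, re.I) and ("cmdline", pattern) not in seen:
                seen.add(("cmdline", pattern))
                matches.append(Match(line_no, "cmdline", pattern,
                                     meta["stage"], meta["context"]))
    return matches


def stages_seen(matches):
    """Lifecycle stages observed, in lifecycle order: the earliest one tells the
    analyst how far the adversary had progressed when the hunt caught them."""
    present = {m.stage for m in matches}
    return [s for s in STAGE_ORDER if s in present]


if __name__ == "__main__":
    hits = hunt(LOGS)
    for m in hits:
        print(f"line {m.line_no}: [{m.stage}] {m.kind}={m.indicator} ({m.context})")
    print("stages observed:", " -> ".join(stages_seen(hits)))
```

The value of the intel lies in the stage and context fields rather than in the raw indicator: a hit on the reconnaissance indicator alone says the adversary has not yet gained a foothold, whereas a persistence or command-and-control hit says the hunt should turn to where the adversary has already moved within the environment.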

A good threat intelligence program can enable front-line analysts to focus their hunt missions in areas some managed security service providers may not even be aware of. As adversaries continually update and adapt their methods, so too must the analyst during the hunt.

Analysts must understand how the adversary relates to the target environment. Initial insight into reconnaissance methods can help not only to thwart the adversary before the breach, but also to determine where to go from the point of entry if analysts are reacting to a breach that has already occurred.

Keeping up with current attack trends, attack vectors and adversary “chatter” can help determine when, how and why an adversary may attack a particular network. There are many motives for attacking a particular target. It may be based on the target organization’s industry vertical.

It may be based on exfiltration of data such as intellectual property or customer information. And it could be simply to deface the organizational website or to steal credentials for future use. There are more motives than one can count. Threat intelligence can help not only in driving hunting operations, but also in enabling the organization and its affiliates to better understand the risk.

Understanding how adversaries create and weaponize their campaigns is also of immense value. Analysts conducting hunting operations need to understand the weaponization of not only actual malware, but “malwareless” attacks as well.

Knowing how these adversaries sink their teeth into their victims is a key element of discovering attacks that may otherwise go unnoticed. It’s not always as easy as looking for the malicious executable.

Threat intelligence is also key in determining adversary capabilities. It’s true that some adversaries are more advanced than others. Some cast wide nets and see what they can haul in. Others take a more low-and-slow approach and are very targeted in their actions. But if their capabilities are lacking, what does that mean for the target organization?

Studying these adversaries and determining not only how and why they got in, but how capable they are once they’ve gained access to the target environment is a necessity. Knowing how the adversary maintains persistence, knowing how they move within the environment and having insight into where they may go next can tremendously speed up remediation and possibly help with damage control and future attacks.

Shooting an arrow at a brick wall may not produce much of a concern, but shooting a mortar round at the same wall is a different story. Highly advanced adversaries know how to get through the toughest security measures. Knowing their capabilities through the use of verified threat intelligence can help determine where to begin the hunt once a breach is observed.

Finally, threat intelligence can help indicate adversary actions on objectives. Knowing what the adversary is looking for, what they plan to do to the target organization’s environment, and how they plan to use it can greatly increase the victim’s chances of securing the data. Threat intelligence can help pinpoint the adversarial end goals and thus guide hunt missions in the right direction.

In conclusion, threat intelligence can provide the proverbial edge over adversaries. It can also help assess the extent of the damage and impact to a business. More information about attacks is being shared and this helps keep the good guys more secure. Threat intelligence is and should be an integral part of any good security organization and its importance cannot be overlooked.

In addition to saving countless man-hours of hunting through the target environments, threat intelligence can help thwart the attackers before they get in. These advanced operators pose a risk to the target environment not only in a cyber sense, but also in a business sense. The fallout from major breaches goes far beyond the ones and zeros.

Do you have questions about cyber hunting or other ways managed security service providers are helping businesses protect themselves from cyber-attacks? Visit Rackspace to find out more about our managed security solutions and the ways our security analysts are hunting for adversaries.

Curt Buchanan is a team lead and senior cyber security analyst for Rackspace Managed Security. He has 20 years of intel experience in and around the NSA and Department of Defense. Over the last eight years, Curt has focused specifically on cyber intelligence and cyber defense and has done everything from collection to analysis and reporting. He spent two and a half years as a cyber defense analyst for the DoD and more than five years as a cyber threat intel analyst. Curt joined Rackspace in September 2015 where he built and now leads the threat intelligence and reporting cell for the customer security operations center.

