Lessons From the Cybersecurity Trenches

Threat hunting not only serves the greater good by helping keep users safe, it rewards practitioners with the thrill of the hunt and the satisfaction of solving complex problems. Tap into your background and learn to follow your instincts.

Danika Nilson, Cyber Threat Hunter, Forescout Frontline, Forescout

August 16, 2022

[Image: Treasure map. Source: marcos alvarado via Alamy Stock Photo]

Growing up in the Pacific Northwest, I was fascinated by treasure hunting. I love the idea of finding something valuable or important. I had an arsenal of tools even the most seasoned treasure hunters would envy: a metal detector, a bucket, and a plastic shovel. Yet the most valuable tool I possessed was my firm belief that I would find treasure as long as I looked hard enough.

Threat hunting is like treasure hunting in many ways. Threat hunters also have their tools of the trade.

Several years ago, I traded that plastic shovel for a data visualization tool (i.e., Kibana) and too much coffee. I still feel the excitement of the hunt for something valuable. You see, treasure hunting and threat hunting both stimulate the mind. They are both filled with hidden clues, there is no set path, and sometimes you must solve complex problems. There is unmistakable value in discovering threats, so that we can improve the security of our organizations.

At one point in my military career, I worked as a networking specialist on a cyber-protection team, where I became a network traffic analysis expert. The mission was simple — just hunt. Remember, no good treasure hunt starts without a treasure map. That's where this threat-hunting story begins.

I received a PDF version of the network map that contained hundreds of endpoints, ports, protocols, and services (PPS) to quickly identify acceptable and normal network traffic as a baseline. The posters we printed from the PDF were the size of twin-sized blankets. Yet, we hung them up on the ops floor. We had our "treasure map," and set out to analyze the hex and packet captures (PCAPs).

We found nothing that deviated from the baseline and PPS listing. But I still had the unshakeable belief from my youth that I would find something if I looked hard enough. We were parsing through millions of network events and terabytes of data. I decided to investigate the top-talking ports – even the acceptable ports outlined on the PPS.

"Manual" threat hunting, for lack of a better term, relies on highly skilled people and the knowledge they have collected over years in the field. Down the list I went, looking at HTTPS, HTTP, DNS, SMTP, and so on. Finally, I arrived at port 1433, the default port for Microsoft SQL Server. That was significant: database servers hold the data adversaries are after, so they are often a large attack surface for hackers and adversaries. I built a query and modified data fields to quickly identify the IPs communicating with one another.
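The hunt described above, written out as a script over flow records. This is an added example, not code from the article or from Forescout: the record layout, the addresses, the byte counts, the PPS port list and the network-map pairs are all constructed for illustration. It ranks destination ports by volume, enumerates which hosts talk to which on each port, and flags any pair the map does not account for, including pairs on a port the PPS listing calls acceptable.

```python
"""Hunt over flow records: rank destination ports by volume, enumerate
which hosts talk to which on one port, and flag pairs the network map
does not account for, even on a port the PPS listing calls acceptable.

Added example; not code from the article or from Forescout. The record
layout, addresses, volumes, PPS listing and map are constructed.
"""
from collections import defaultdict

# Constructed flow records in a Zeek conn.log-like shape:
# (src, dst, dst_port, proto, total_bytes).
FLOWS = [
    ("10.1.2.10", "10.1.2.50", 1433, "tcp", 48_000_000),     # app server -> DB (on the map)
    ("10.1.2.11", "10.1.2.50", 1433, "tcp", 32_000_000),     # app server -> DB (on the map)
    ("10.1.2.50", "198.51.100.7", 1433, "tcp", 91_000_000),  # DB -> external host (not on the map)
    ("10.1.2.10", "10.1.2.53", 53, "udp", 120_000),
    ("10.1.2.11", "10.1.2.53", 53, "udp", 140_000),
    ("10.1.2.10", "203.0.113.9", 443, "tcp", 210_000_000),
    ("10.1.2.11", "203.0.113.9", 443, "tcp", 150_000_000),
    ("10.1.2.12", "10.1.2.60", 25, "tcp", 9_000_000),
]

# Constructed PPS listing: ports the baseline calls acceptable.
PPS_PORTS = {25, 53, 80, 443, 1433}

# Constructed network map: (src, dst, port) conversations drawn on it.
MAP_PAIRS = {
    ("10.1.2.10", "10.1.2.50", 1433),
    ("10.1.2.11", "10.1.2.50", 1433),
    ("10.1.2.10", "10.1.2.53", 53),
    ("10.1.2.11", "10.1.2.53", 53),
    ("10.1.2.10", "203.0.113.9", 443),
    ("10.1.2.11", "203.0.113.9", 443),
    ("10.1.2.12", "10.1.2.60", 25),
}


def top_talking_ports(flows):
    """Total bytes per destination port, largest first."""
    totals = defaultdict(int)
    for _src, _dst, port, _proto, nbytes in flows:
        totals[port] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def peers_on_port(flows, port):
    """Bytes per (src, dst) pair on one port: the 'who talks to whom' query."""
    pairs = defaultdict(int)
    for src, dst, p, _proto, nbytes in flows:
        if p == port:
            pairs[(src, dst)] += nbytes
    return dict(pairs)


def off_map_peers(flows, port, map_pairs):
    """Pairs on a port that the network map does not account for."""
    return {pair: nbytes for pair, nbytes in peers_on_port(flows, port).items()
            if (pair[0], pair[1], port) not in map_pairs}


def hunt(flows, pps_ports, map_pairs):
    """Walk the ports from the top talker down. A port absent from the PPS
    listing is a finding in itself; a port on the listing still gets every
    pair checked against the map (traffic is guilty until proven innocent)."""
    findings = {}
    for port, _total in top_talking_ports(flows):
        if port not in pps_ports:
            findings[port] = peers_on_port(flows, port)
        else:
            unexpected = off_map_peers(flows, port, map_pairs)
            if unexpected:
                findings[port] = unexpected
    return findings


if __name__ == "__main__":
    for port, total in top_talking_ports(FLOWS):
        print(f"port {port:>5}: {total:>12,} bytes")
    for port, pairs in hunt(FLOWS, PPS_PORTS, MAP_PAIRS).items():
        for (src, dst), nbytes in pairs.items():
            print(f"OFF-MAP on {port}: {src} -> {dst} ({nbytes:,} bytes)")
```

On the constructed data, 443 is the top talker and 1433 is second; every 1433 pair but one is on the map, and the one that is not is the database server talking to an address outside the enclave. The same shape works against a real conn.log or a Kibana export once the map is encoded as a set of sanctioned pairs.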

One pair of IPs looked a little unusual and didn't fit the schema of the other IPs. It stood out to me because I understood the network (thanks to our trusty map). That's when I discovered unencrypted SQL traffic: I could see everything, and the data in those tables made my jaw drop. This data was leaving the network in the clear. I immediately notified my mission commander, who carried it up the chain. It turned out to be a configuration error, which was quickly fixed. The goal of discovering threats is to take action and remediate them.
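Readable queries and rows in a packet capture mean the session never negotiated TLS. That can be checked systematically from the first packet in each direction of a 1433 session, because client and server exchange PRELOGIN packets before login and each carries an ENCRYPTION option (MS-TDS: 0x00 ENCRYPT_OFF, 0x01 ENCRYPT_ON, 0x02 ENCRYPT_NOT_SUP, 0x03 ENCRYPT_REQ). The following is an added example, not code from the article: the packets are constructed by the `build_prelogin()` helper for illustration, and `session_encryption()` is a simplification of the MS-TDS negotiation table, stated in its docstring.

```python
"""Classify a TDS (Microsoft SQL Server, TCP/1433) session by the ENCRYPTION
option in the client and server PRELOGIN packets.

Added example; not code from the article. Packets are constructed with
build_prelogin() for illustration; in practice they come from the first
packet in each direction of a captured 1433 session.
"""
import struct

PRELOGIN = 0x12          # TDS packet type
OPT_ENCRYPTION = 0x01    # PRELOGIN option token type
OPT_TERMINATOR = 0xFF

ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03
NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}


def build_prelogin(encryption):
    """Construct a minimal PRELOGIN packet (example helper, not a TDS client)."""
    options = [
        (0x00, bytes([0x0B, 0x00, 0x0C, 0xD4, 0x00, 0x00])),  # VERSION (arbitrary)
        (OPT_ENCRYPTION, bytes([encryption])),               # ENCRYPTION
        (0x02, b"\x00"),                                     # INSTOPT (empty)
        (0x03, b"\x00\x00\x00\x00"),                         # THREADID
        (0x04, b"\x00"),                                     # MARS off
    ]
    offset = 5 * len(options) + 1   # option data follows the tokens and terminator
    tokens, data = b"", b""
    for opt_type, value in options:
        tokens += struct.pack(">BHH", opt_type, offset, len(value))
        data += value
        offset += len(value)
    payload = tokens + bytes([OPT_TERMINATOR]) + data
    # 8-byte TDS header: type, status (EOM), length, SPID, packet id, window
    header = struct.pack(">BBHHBB", PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload


def prelogin_encryption(packet):
    """Return the ENCRYPTION option value from a PRELOGIN packet, or None."""
    if len(packet) < 8 or packet[0] != PRELOGIN:
        return None
    length = struct.unpack(">H", packet[2:4])[0]
    payload = packet[8:length]
    i = 0
    while i + 5 <= len(payload) and payload[i] != OPT_TERMINATOR:
        opt_type, offset, opt_len = struct.unpack(">BHH", payload[i:i + 5])
        if opt_type == OPT_ENCRYPTION and opt_len == 1 and offset < len(payload):
            return payload[offset]
        i += 5
    return None


def session_encryption(client_pkt, server_pkt):
    """Simplified from the MS-TDS negotiation table: NOT_SUP on both sides
    (or server NOT_SUP to a client OFF) means nothing is encrypted; OFF on
    both sides means only the LOGIN7 packet carrying credentials is encrypted
    and the queries and result sets travel in the clear; ON or REQ from the
    server wraps the whole stream in TLS; other combinations are incompatible
    and the session is torn down."""
    c, s = prelogin_encryption(client_pkt), prelogin_encryption(server_pkt)
    if c is None or s is None:
        return "unknown"
    if s == ENCRYPT_NOT_SUP and c in (ENCRYPT_OFF, ENCRYPT_NOT_SUP):
        return "none"
    if c == ENCRYPT_OFF and s == ENCRYPT_OFF:
        return "login-only"
    if s in (ENCRYPT_ON, ENCRYPT_REQ) and c != ENCRYPT_NOT_SUP:
        return "full"
    return "incompatible"


if __name__ == "__main__":
    client, server = build_prelogin(ENCRYPT_OFF), build_prelogin(ENCRYPT_OFF)
    print(NAMES[prelogin_encryption(client)], "/", NAMES[prelogin_encryption(server)],
          "->", session_encryption(client, server))
```

The "login-only" outcome is the one to watch for on an off-map pair: the defaults on both ends look like they agreed on encryption, yet everything after the login packet is plaintext, which matches a capture where the table contents can be read directly.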

Learning From Experience

Eight-year-old me would have been very proud of my ability to find such a significant threat – being able to improve our security was certainly of value. There were many lessons to be learned from this hunt that I have held with me over the years:

  • Understand the network you're working on to easily recognize patterns and behaviors that deviate from normal.

  • Question and review all traffic, even acceptable or normal traffic. Network traffic is guilty until proven innocent in the world of threat hunting.

  • Not every hunt will result in threats being found, but always listen to your instincts. If you know it's out there, it probably is.

Threat hunting is an opportunity to help a greater good. Cyberattacks are relentless. We must work together as professionals to change the playing field. Equally, be willing to accept help. I have been fortunate to find work that brings me so much joy. I love what I do because it connects me with a lifelong drive. There are many specialties within cybersecurity; finding your particular niche will make you successful in this field.

About the Author(s)

Danika Nilson

Cyber Threat Hunter, Forescout Frontline, Forescout

Danika Nilson is an experienced cyber threat hunter and member of the Frontline team at Forescout Technologies. She possesses a comprehensive background in defensive cyber operations, network security and forensics, digital forensics and incident response, intrusion detection and prevention, and cyber threat emulation. Danika is a proud veteran of the United States Air Force, where she served on active duty as a Cyber Warfare Operator. In her position, she performed vulnerability assessments, adversary threat detection, and compliance evaluations for mission partner networks. Additionally, she was responsible for the identification and remediation of cyberspace threats impacting critical nodes and infrastructure. Her career is supported by a master's degree in Cybersecurity and Information Assurance, a bachelor's degree in Information Technology, and extensive professional training. She is passionate about personal and professional development and is currently pursuing a doctoral degree in Educational Leadership.

