On the frontlines in fighting attacks, effective threat hunters have a unique skillset.

Sophos Guest Blogger

December 18, 2021


Today’s cybercriminals are relentless, and they are constantly changing their tactics, techniques and procedures (TTPs) to evade detection and carry out attacks, as detailed in the Sophos 2022 Threat Report.

It’s never been more critical that organizations can quickly detect and respond to these threats in real time. Partners with 24/7 threat hunting capabilities are in high demand.

On the frontlines in fighting attacks, threat hunters have a unique skillset. Whether MSPs are building their own in-house threat hunting team or outsourcing these activities to a trusted security partner, here are the top qualities to look for:

  1. Proactiveness

Threat hunting and incident response are different, but they complement each other. Incident responders do hand-to-hand combat with cyber adversaries in emergency situations. They’re the ones who investigate environments that are already known to have been infected or breached. In most cases, it’s reactive work.

Threat hunters, on the other hand, are more proactive. The role is more of an analytics function, looking at data on a day-to-day basis to identify abnormalities and deconstructing the TTPs being utilized.

A threat hunter’s job is to be proactive. They need to have the ability to focus and the bandwidth to monitor an environment 24/7 to stay a step ahead of attackers. They need to always be on the cusp of cutting-edge threat intelligence, perform research on new attack methods and look comprehensively at a customer’s estate for anything that looks even the slightest bit off.

  2. Attention to detail

Indicators of attack (IoAs) and indicators of compromise (IoCs) are the telltale signs of compromised environments and/or impending attacks that threat hunters find across masses of data. But, as soon as these indicators have been discovered, attackers leave them in the dust and change their TTPs to stay effective.

Threat hunters need to pay close attention to detail to understand when old indicators are no longer relevant, and then have the ability to pivot with the adversary to stay a step ahead.

  3. Flexibility

While cyberattackers often use similar TTPs, each threat hunt requires different measures. And based on initial findings, a threat hunter will need to dig in deeper. This requires flexibility and the ability to think on their feet.

And while there are a handful of best practices to rely on, threat hunters need to be able to pivot and tweak each method as the situation calls for it in real time.

A Threat Hunter’s Job Is Never Complete

Every threat or red flag detected is the first in an endless line of threats, and they all need to be investigated.

These threats are very real for businesses of all sizes, and every organization needs to assume it’s a target. That’s the mindset threat hunters need to have, as well.

Scott Barlow is vice president, Global MSP and Cloud Alliances, at Sophos, a global leader in next-generation cybersecurity. He oversees all MSP strategy, business direction and sales worldwide, with an emphasis on building revenue, marketing programs and relationships with partners. His role expanded this past year, and he also took over the management of Sophos’ public cloud business.

Scott also serves as vice chair for CompTIA’s Board of Directors and is a member of the Creating IT Futures Foundation board. Previously, he was vice president of sales and marketing at Reflexion Networks, Inc., which Sophos acquired in 2015.

He’s an industry recognized CRN Channel Chief, Top 50 Midmarket Channel Executive and IPED Channel Master, and has been awarded the Channel Partners Circle of Excellence Award and Channel Partners Top Gun 51 award. Scott regularly takes center stage to deliver keynotes and bring expertise to industry panels focused on adding security services to MSP offerings.

Scott holds a Master of Business Administration and a Master of Science Degree in Geophysics from Boston College.

This guest blog is part of a Channel Futures sponsorship.
