The sport of threat hunting, and who should be in the game
According to Field and Stream magazine, this is an oft quoted hunting expression. There is irony in applying this quote to the cyber security industry where hunting is indeed a sport. The good guys and the bad guys both know that they are in the game.
Joseph Loomis, CEO of CyberSponse, works closely with the cyber units at the FBI, DHS and Secret Service described this trendy new cyber sport in which the good guys try to entrench themselves into the world of the dark web.
“You want to understand the psyche of the adversary and what motivates them,” Loomis said.
Whether hunting for known or unknown threats, “You typically look for what someone has to gain. The unknown that’s nearly as important as what the gain is. When looking at adversaries whether it’s initiatives or groups, you need to know what drives them,” he said.
This collection of threat intelligence will drive how an enterprise does a threat hunt.
While hunters deep in the dark web can’t break the law to enforce law, they can, said Loomis, “Flip bad guys into good guys because they are already trusted.” These informants are already in the lines of communication and know what bad guys are looking for.
One of the most high profile bad guys turned informant is the nefarious Albert Gonzalez. Larry Johnson, senior vice president at Nehemiah Security and former Secret Service agent recalled the days when Gonzalez was offered a deal.There had been some high profile attacks in which a couple retailers were hit hard, which was a turning point in cyber crime, said Johnson.
"Back then, all cyber crime was financial crime," Johnson said. In the early part of the 21st century, though, criminals realized the gains that could be garnered by hacking into enterprises across industries.
Though he had been arrested for a petty crime, police found a collection of laptops and other equipment when they searched Gonzalez's home.
"We flipped him because he was arrested by a New Jersey police department. Our guys from the New Jersey office went out and found out that he was involved in one of the ShadowCrew carding gangs, an online forum where hackers traded secrets," Johnson said.
It was around the time of Gonzalez's arrest that the FBI and Secret Service started handling more cyber crime cases involving national security, organized crime, identity theft, computer fraud, and access device fraud. Flipping informants proved to be a good strategic move.
If Gonzalez hoped to have the charges against him dropped, he had to cooperate, which gave rise to the government agencies involvement in threat hunting. Certainly the goal of the FBI and Secret Service was to find and arrest the criminals, but the average enterprise really just wants to protect itself against known and unknown threats.
Loomis argued that, “Automation is the future of cybersecurity,” but other security practitioners said that threat hunting will always rely on the human factor.
Specifically, Neumann Lim, senior information security systems engineer at D3 Cyber, said, "It's a war of attrition. One human versus another. What they put in their code, we need to find out what it is, what it’s doing, and what they can take."
Hunting the known threat is a little bit easier than pursuing the unknown. "When hunting known threats, they have already been discovered through signature or indicators of compromise," said Neumann. Unknown threats can be more time consuming because it's like searching for a needle in a haystack.
A challenge with threat hunting for many of the good guys is that legislation prevents a lot of threat hunting on the good guys side. "When you hunt for threats, you need to do a little bit of offense. Probe networks to find out what things are happening and where they are occurring. Both Canada and the US say you can’t do that, even if your intentions are good," said Neumann.
Taking this moral high ground somewhat handcuffs what responders can do. "If we look at an IP that’s been attacking us for 24 hours, we can determine that it looks like it’s coming from Russia. Is it really Russia Without probing that trail, we may never know," said Neumann. Knowing your opponent and how they fight is the key to beating them.
In order to know an adversary, there has to be a human being involved at every level of the hunt. SANS Institute course author and instructor and CEO of Dragos Security, Robert M. Lee said, "There are a few core components to threat hunting. It has to be a dedicated focus. Security analysts can’t be writing reports. It's analyst driven and you can’t automate."
Robert M. Lee, CEO of Dragos Security
At the beginning and end of a threat hunt, though, Lee said, "There has to be an analyst asking questions. A general core component of any activity is a hypothesis of where an adversary might be. Threat hunting is the process of engaging in the answer."
It's easy to get caught up in the new trends in search of the cyber security silver bullet, but Lee warned, "There are not many companies dedicating teams solely to hunting, but there is so much work to be done. A lot of these smaller companies don’t have the same threat landscape."
Fortune 250 companies have a very different risk level from SMBs and local mom and pop companies. "Everybody wants to gravitate to the new shiny thing, but there is a whole gradual scale. A sliding scale of cyber security. We see some companies say wow that’s cool, but neglect architecture and don’t get as much return on investment. There is a maturity scale to all of this," said Lee.
In his blog, Enterprise Detection & Response, David Bianco shared a simple hunting maturity model to help organizations determine where they are in their security maturity process and whether investing in threat hunting platforms would yield a strong return on investment.
According to Lee, not many people do threat hunting correctly, which he attributes to the intense market pressures of the security industry. "You hear a lot about the adversary is evolving but defenders aren’t. The thing is, most adversaries don’t have the need to innovate," Lee said.
Because no company wants to come out and say they got hacked by a super basic adversary, it's easier to use a doomsday smoke screen. The fear of sophisticated hackers innovating faster than defenders imbues a dependence on products, Lee said. "In reality, we are actually seeing defenders make huge strides. Defense is more and more do able; however, the marketing pressures of that can quickly bastardize the industry," Lee continued.
Because both the good guys and the adversaries know that they are in the game of threat hunting, the sport will always demand human intelligence. Lee said, "It is harder to talk about the upside of the industry because that doesn't sell, but the industry as a whole is drastically getting better. What it boils down to is that the threat is a human. The whole concept of the hunt understands that. Only the humans are going to defend that architecture."