Threat hunting: the sport of the future?
Kacy Zurkus | CSO | May 13, 2016 4:14 AM PT
A few years ago, Dave Amsler, president and founder of Foreground Security, now Raytheon Foreground Security, began studying the inefficiencies in how SOCs were being run. Once he had identified them, he set out to answer the question, “Where should we be going?” He realized that threat hunting would be, in the words of John Cusack in the classic 80’s romantic comedy Say Anything, the ‘sport’ of the future.
Threat hunting is very different from bug bounty hunting in that, “Bug bounty is more offensive. The idea is for a hunter to find a hole in this code that they can manipulate. They are looking to find one thing wrong with the code, environment, or website. Threat hunting is a completely defensive mindset. You have to know how to look at and see all things traversing the environment and still find the bad guy,” Amsler said.
Key to the success of threat hunting, said Amsler, is “Visibility. You have to have the data and analytical automated components, but it still relies on humans.”
In fact, “Almost 60 percent of what we find is because of humans,” Amsler said. Currently, many security practitioners are trained to rely on tools and wait for an alert. “That doesn’t work,” said Amsler, who realized that they had to build their own talent.
“I actually went and bought a training company that specialized in developing customized security training. We worked for the last four years to build the curriculum to teach a human how to hunt for a threat actor,” he said.
“Fundamentally, we teach students how to look at networks and understand what the core capabilities are. We want them to be able to understand what networking traffic looks like. How do operating systems work?” said Amsler. While these are classic skills of a security practitioner, threat hunting is much more advanced.
“We look at how an OS stores things in memory and how attackers manipulate that. How do security tools work? How do you use them in order to give you the visibility you need? How do attackers operate? What are their attack methodologies? What are the phases of an attack and the techniques they use?”
All of these questions delve into the very focused work of threat hunting.
Some of the courses, Amsler explained, are centered around being able to identify who the attackers are. “‘Where can you go to do research on them?’ and ‘How do you do research?’ are key questions, because when anyone is starting to hunt, they may see something that looks abnormal coming from a strange place,” said Amsler.
That actor may already be associated with a known group, which usually means you don’t need to do the research from scratch. Amsler said, “You can leverage intel from different partner groups, in the dark web and the open web, that attackers may be using.”
What is most practical about the courses offered is that, Amsler said, “This is not just all online training in an MLS system. Pieces of this are in classroom and use real attacks in a real environment. We scrub them and put them into classroom trainings to recreate.”
Students also take part in a mentoring program in which they sit side by side with an advanced analyst, shadowing the analyst’s work. Effective threat hunting requires training humans first, and then training machines to look for anomalies and behaviors rather than only for known bad.
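To make the “anomalies and behaviors versus a known bad” distinction concrete, here is an added example (written for this article, not code from Raytheon Foreground Security or Foreground University). It runs two checks over a constructed set of process-creation events: an alert-style match against a hypothetical known-bad hash feed, and a hunt for parent-to-child process lineages that never appeared in the environment’s own baseline window. The telemetry, hostnames, hashes and the `KNOWN_BAD_HASHES` feed are all made up for the example; the hunt’s output is a list of leads for a human analyst to triage, not a verdict.

```python
from collections import defaultdict

# Constructed sample telemetry (made up for this example, not from the
# article): one process-creation event per line, "host,parent,child,sha256".
# In the current window Word spawns PowerShell on two hosts; the second host
# runs a rebuilt payload (f6) whose hash is not on any feed yet.
BASELINE_EVENTS = """\
ws01,explorer.exe,outlook.exe,a1
ws01,outlook.exe,winword.exe,b2
ws02,explorer.exe,chrome.exe,c3
ws02,explorer.exe,winword.exe,b2
ws03,explorer.exe,outlook.exe,a1
ws03,outlook.exe,winword.exe,b2
"""

CURRENT_EVENTS = """\
ws01,explorer.exe,outlook.exe,a1
ws01,outlook.exe,winword.exe,b2
ws04,explorer.exe,outlook.exe,a1
ws04,outlook.exe,winword.exe,b2
ws04,winword.exe,powershell.exe,d4
ws04,powershell.exe,rundll32.exe,e5
ws05,explorer.exe,winword.exe,b2
ws05,winword.exe,powershell.exe,d4
ws05,powershell.exe,rundll32.exe,f6
"""

# Hypothetical blocklist feed: it knows the first payload (e5) but not the
# rebuilt one (f6).
KNOWN_BAD_HASHES = {"e5"}


def parse_events(text):
    """Turn the CSV-style telemetry into dicts; skips blank and comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, parent, child, sha = line.split(",")
        events.append({"host": host, "parent": parent, "child": child, "sha256": sha})
    return events


def match_known_bad(events, bad_hashes):
    """Alert-style detection: fires only when a hash is already on the feed."""
    return [e for e in events if e["sha256"] in bad_hashes]


def lineages(events):
    """Map each (parent, child) pair to the set of hosts it was seen on."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["parent"], e["child"])].add(e["host"])
    return seen


def hunt_new_lineage(events, baseline_events):
    """Hunting-style detection: parent->child pairs never seen in the baseline
    window, with the hosts they appeared on. Leads for triage, not verdicts."""
    normal = set(lineages(baseline_events))
    return sorted(
        (pair, sorted(hosts))
        for pair, hosts in lineages(events).items()
        if pair not in normal
    )


def hosts_missed_by_signatures(events, bad_hashes, baseline_events):
    """Hosts the hunt surfaces that the known-bad match alone would miss."""
    flagged = {e["host"] for e in match_known_bad(events, bad_hashes)}
    hunted = {h for _, hosts in hunt_new_lineage(events, baseline_events) for h in hosts}
    return sorted(hunted - flagged)


if __name__ == "__main__":
    current = parse_events(CURRENT_EVENTS)
    baseline = parse_events(BASELINE_EVENTS)
    for e in match_known_bad(current, KNOWN_BAD_HASHES):
        print("IOC hit:", e["host"], e["child"], e["sha256"])
    for pair, hosts in hunt_new_lineage(current, baseline):
        print("new lineage:", " -> ".join(pair), "on", ", ".join(hosts))
    print("missed by signatures:", hosts_missed_by_signatures(current, KNOWN_BAD_HASHES, baseline))
```

The IOC match fires once, on the host whose payload hash happens to be on the feed. The lineage hunt returns both `winword.exe -> powershell.exe` and `powershell.exe -> rundll32.exe` on both affected hosts, including the one running the unlisted variant, which is the case the article’s point about training machines on behavior rather than known bad is about. In a real environment the baseline would be built from weeks of telemetry and the leads would still go to an analyst, since a new but benign lineage (a freshly deployed tool, for instance) looks identical to this until a human checks it.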
Raytheon Foreground Security and Foreground University believe this hunting concept is where the industry needs to go. Where a few years ago only approximately 30 percent of enterprises said they needed a threat hunter, Amsler said that number has jumped to 78 percent. “The problem is that they can’t find, can’t afford, or can’t retain them. Ask an enterprise to hire and train a hunter, those skills are in such high demand it’s hard to retain,” he continued.