Why threat hunting is the future of cybersecurity

By Alex Hammond | 10 April 2017

bobsguide sat down with Peter Cohen, Strategic Director for Countercept at MWR InfoSecurity, to discover more about threat hunting, cybersecurity’s newest trend, which is putting humans back at the centre of cybercrime defence systems in conjunction with innovative technology.

What role does MWR play in the financial services market?

There are two basic functions we perform in the market for financial services. The first is that financial services organisations ask us to simulate an attack on them from a certain threat class on a certain asset, adopting the role of a criminal group. We would then stage all the elements of an attack, from initial open source research on the people who work in the organisation and targeting them with phishing emails, to gaining a foothold on the infrastructure and then moving through the infrastructure until we have the capability to effect the action we are looking to complete, which is usually to remove money.

We then work with the bank to improve its defences and identify areas in which the tech response isn’t of the sufficient standard it needs to be in the face of that threat.

And then secondly we also get asked to provide threat detection and response capability as a service. So we have both an attack function and a defence function. We have some clients where we perform both attack and defence duties.

Is financial gain always the motivation for cybercriminals targeting financial services?

Different threat actors carry different capabilities and different motivations. The most sophisticated tiers can be divided into nation states and criminal groups.

From a nation state’s perspective the objective of the cybercrime might be to understand sovereign wealth fund statuses, understand the M&A positioning of key corporations in rival countries, or understand the financial situation of ultra-high net worth individuals or PEPs who bank offshore.

How often do new modus operandi occur in cybercrime? Do you see new strategies of attack on a weekly basis?

It depends how you define new techniques. Virtually every minute, a new piece of code designed to enable a threat actor to achieve an objective is created. In the main they are designed to bypass signature-based detection mechanisms. Every few days there are new ways of working, new ways to persist in an operating system, or new ways to move laterally inside a network that might not have been used before. These are only tactical plays, but they do represent a development or evolution of capability.

Then there are the step changes in strategy, which are much more evolutionary than a tactical play or a new line of code. These don’t tend to come around every week; we probably see these new trends evolving and emerging every four to six months.

What are the key strategy trends you see cybercriminals employing at the moment?

A new strategy trend we have seen focuses on getting a lot of the research phase of the attack completed prior to the breach.

An attack typically begins with a degree of research, i.e. who am I going to attack in this organisation and why? Then there is the initial breach where patient zero, the end point, is taken under control, followed by internal reconnaissance to ascertain if the person breached has the credentials to allow the criminals to achieve their objective. If they don’t, then the intruder is going to have to do some lateral moving to work out where to go in order to compromise the people who represent the business process they need to replicate in order to transfer out the money.

What we’ve seen is more effort being put into that open source research on organisations pre-breach in order to breach the right person straight away and remove that lateral movement phase and that internal reconnaissance phase.

We’ve always had the term spear phishing, but this is phishing where you know, when you’ve got access to the end point you’re targeting, that you can complete your objective; it is even more precise.

What that does is reduce the time you have to detect a breach, from potentially several days when an attacker needs to manoeuvre themselves into a place where they can actually complete the task they want to do, to mere minutes. That is a big challenge at the moment.

Another new trend we’ve seen is that ransomware is being distributed in more targeted ways. Rather than ransomware being something that lands on a number of end points, now organisations are breaching key individuals within an organisation who they believe from open source research have access to the domain controller or some kind of centralised administration system for the infrastructure at large. They’ll then utilise that account legitimately to roll out ransomware as a patch update.

That’s something that is far more damaging; it’s not something you can simply press a button to rebuild, and it represents a step change in modus operandi for organised crime against financial institutions.

Is there any way to predict the next trend, or do you always have to be reactive to what you can see in front of you?

There are three ways to assess trends, and a combination of all three gives you the most visibility.

The first is to look at the data and understand what has happened when it happens in front of you, i.e. if more and more of our clients are seeing the same attacks on their systems, we can use that data to identify a trend.

The second is to delve into the online criminal forums and monitor discussions related to strategic cybercrime to discover the different motivations certain groups have and their capabilities. At a high level the results can affect strategy to a certain extent, although this augments rather than dictates defensive strategy because the research is not complete or reliable.

The third is to go into attack mode, and take all the latest techniques we are seeing and research what we would do differently to evolve that technique. This is the poacher turned gamekeeper approach, putting yourself in the criminals’ shoes.

Where is the cybersecurity technology in the marketplace at the moment falling short?

Anything that is purely technology-based falls short. Our attack division has a 100% success rate of breaching organisations without being detected by any of the latest and greatest tech.

Specific technologies cover specific attacks, and a human who is motivated to breach an organisation will always win when faced with any system that is automated or machine learning based. An AI-based approach relies on what it has seen before and what it can predict; with imagination, a talented human can always get around that.

So what is the solution?

I think there is a shift in the industry as people have realised the problem with tech and are embracing a more manual-based intervention in conjunction with the technology. We are pitching people against people again instead of combating people with computers, which doesn’t work.

Any automated security technology is reliant on technology firing an alarm to a human analyst, letting them know that an intruder is there. If the attacker avoids tripping the alarm, which is a pretty easy thing to do, then the alarm doesn’t fire and the person in the security team will never know. They are relying on that technology, or else they’ll never see the breach.

The change coming over the industry to combat this is a movement called threat hunting, which is a proactive search for those adversaries on your network. You constantly assume you have been compromised and go hunting for criminals based on your knowledge of what you would do as an attacker, looking for breadcrumbs as you go.

Is threat hunting something a financial institution would perform in-house, or would it typically engage a third party to do that on their behalf?

It can work both ways. If the institution has a sizable security team that is motivated to get to grips with threat hunting and is offensively trained itself, then it is something that it can attempt to do in-house.

But the people that make good threat hunters are people with knowledge of the attacker mindset combined with knowledge of incident response. The people who are really good at that tend to be motivated by researching new techniques; they’re investigative and try to push the boundaries of research. Those kinds of people tend to want to work for a security company or a handful of the world’s largest banks. As a mid-tier financial services institution you are going to struggle to retain that type of employee and keep your security knowledge current.

Will there be a significant level of adoption of threat hunting in the financial services industry?

Definitely. The conversations we are having at the moment are driven by our clients who want to get to grips with threat hunting; they know what they have in place at the moment is incapable of allowing them to detect and respond to attacks in a timely way. Certainly the more visionary companies are adopting threat hunting right now; early adopters are quite a way down the path of doing this properly.

Can we expect to see a number of threat hunting companies launch in the coming years?

Every year there is a new big thing. Last year was machine learning, the year before was anomaly detection, and this year it is threat hunting.

What you often see is smaller, agile firms that are able to change their business model to deliver something properly, going to market to add value and deliver what the new trend is. Larger firms will take more of a marketing-led approach because they can’t change their business overnight but can change the marketing message.

One of the things we are asked by our clients is who is actually doing threat hunting properly and what is just marketing. It’s going to be a big problem over the next few years, working out who is doing threat hunting and who is just using software and rebranding their service in line with the current trend.
