Threat Hunting Offsets the Technology Gaps
December 21, 2020 • Caitlin Mattingly
Our guest this week is John Ayers, Executive Vice President, Chief Strategy Product Officer and head of Security Operations at Nuspire, a managed security services company.
Our conversation centers on John’s assertion that threat hunting has become an indispensable element of security strategy for many organizations. He explains the evolution of threats that led him to that conclusion, and we’ll discuss how organizations can best approach implementing threat hunting into their own defensive plans.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 189 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Our guest this week is John Ayers, Executive Vice President, Chief Strategy Product Officer and head of Security Operations at Nuspire, a managed security services company.
Our conversation centers on John’s assertion that threat hunting has become an indispensable element of security strategy for many organizations. He explains the evolution of threats that led him to that conclusion, and we’ll discuss how organizations can best approach implementing threat hunting into their own defensive plans. Stay with us.
Where did I get my start? I would say I’d have to take it back to my military and law enforcement days. Physical security of course, close protection details. I’ve been in the space probably since the age of 17 in some form or fashion of security. I transitioned into the cyberspace in early 2000, working for Qwest. I was part of the first development team launching the Windows 2000 IP server L2TP VPN server. I was there. I had the fortunate, I guess you could call it, experience of being with Bill Gates and launching that in February of 2000 at the Moscone Center. It was the first appliance-based VPN service powered by Windows, and then, working for Qwest at that time, I also helped build out the first cloud-based IP VPN, cloud-firewall service powered by Shasta, which at the time was Nortel, and CoSine, so that dates me a little bit.
And then building out what was the first MPLS environment, building it out using 2547 with Juniper, building out that virtual-router-type instance. So, I’ve been in security for a long time. Transitioned into more of a Layer 7 environment with Level 3 and building out an MSSP practice inside a service provider where we launched DDoS, so I was part of the 2014 NTP attack, using Radware as a way to combat the biggest DDoS attack at that time, building out also various types of security environments from secure email to secure access tunneling.
And then building out the first threat intelligence as a service, taking intelligence and curating that intelligence and turning it back and enriching that, and then empowering that into people’s SIEMs, into client SIEMs. So I’ve been in this space for quite some time and have done everything from being on the keyboard to developing and strategizing and bringing to market some of the most robust and I would say sophisticated security services that are out there today and still active today.
Well, when you look back on some of those earlier days, thinking back to something like the launch of, like you were saying, Windows 2000. I mean, can you give us some insights as to the evolution that you’ve experienced, the growth and the sophistication and capabilities of these tools?
Yeah. I mean, when you think about the evolution of this, it’s mind boggling to see how we have evolved so much from traditional tunneling-type activities to more cloud-based SaaS environments. No longer are we required to actually launch a client on your device when we’re using software as a way to connect, using an example, SSL/TLS. Recently, about a year and a half ago, I built out an appliance-based service that allows us to run SSL connections and use OpenVPN to serve as a gateway and then out to the cloud. And basically all in auto, zero-touch provisioning. So to evolve from having someone manually help you set up your tunnels, establish your tunnels, establish your pre-shared keys and connections and things of that nature to automatically enabling that.
It’s just, it’s crazy to see how we’ve evolved. And it’s actually quite exciting to see where we’re going to go because of COVID-19. COVID-19 has taught us so much that the next evolution of cybersecurity and this, what I would call borderless, environment is going to drive us to more cloud around monitoring the compliance and configuration changes and things that we did not do in the past that we’re going to be obligated to do in the future.
Yeah. I mean, that’s a really interesting point how we … I mean, I suppose it could be looked at as an upside, this push, pushing us outside of our comfort zones into new areas?
Well, I mean, you hit the nail on the head right there, comfort zone. Look, cybersecurity has never been a comfort. It’s always been complex. It’s always been hard to, let’s just call it like it is, one, to communicate to people. Two, to help them understand the value of it. And three, and I think the foremost is actually enabling it. Because too often what I’ve learned over my years is, it’s still a compelling event, meaning that, unless something happens to me, I don’t worry about it. And it’s so much like law enforcement, it’s a lot around activities, and let’s just take a home environment. If the house around a street got broken into, prior to that happening you didn’t do anything. But now that it got close to home, what are you going to do? You’re going to go get a big dog, you’re going to put cameras up, you’re going to put an alarm system.
The problem we have today is that we’re reactive versus proactive. And cybersecurity has been that way for the last, I would say 10 years, if not 15 years as we’re very reactive and we’re still reactive today, even though we’re being pushed outside of our comfort zone. I mean, think about COVID-19, it was reactive. We had to move quickly to accommodate a remote workforce. Now we’re coming back and doing what? Trying to figure out what holes did I open to enable that from that reactive aspect. So it’s a very interesting bell curve that I see that goes on where we’re going up and down and up and down, and it’s hard to keep out in front. It really is.
Yeah. You know, I think it’s a really interesting point. And I sometimes think about that CISO standing before the board of directors and saying, “Thank you for spending all this money on cybersecurity. Once again this year nothing happened.”
That’s absolutely correct. Nothing happened. However, that’s actually a very good news story.
That’s interesting you bring that up around the CISO, going in front of the board saying, “Hey, nothing happened.” However, what you’re finding more and more CISOs do, and I include myself as the CISO of Nuspire, is showing the metrics, the analytics of why it didn’t happen. What did we do to ensure it did not happen? Like vulnerability patch management? I mean, I hate to use the word justification, however, it’s because it is spending money you have to justify the means. And we’re seeing more and more CISOs do that.
Well, let’s go through some of the things that you’ve experienced over the past couple of decades when it comes to witnessing the growth of threat intelligence itself. Becoming something that for many organizations is now indispensable.
No, and that’s actually true when you think about threat hunting. I mean, I think you have to first think about the threats. What is a threat? And I think a lot of us have to step back and understand what is a threat in today’s world. And I actually sum it up in four very distinct buckets. Is there intent? Is there capability? Is there opportunity? Which then ultimately is the threat. And what I mean by intent is, does the adversary have goals to achieve something? And have you enabled them by giving them the capability? Now I’m going to stop there. This is, between capability and opportunity, where threat hunting I think is becoming a necessity. Today’s world is that bad guys are constantly scanning and looking for open doors. RDP is a great tool that people use today to do what? Manage your environments, but it opens a door of opportunity.
Because they see a way in, and if you’re not monitoring effectively on tools or looking for traffic that looks, let’s just say, call it, normal. The opportunity there is now I can sneak in, I can sit there. I can understand and recon the environment and figure out other doors to come in, go out and come back. And that is where we’re at today. And I really believe that without some type of proactive threat hunting, looking inside your environment, it’s not if, but when, and then when it does happen, what do I do? Because we’re finding today that the dwell time obviously is what, a hundred and fifty-some days, which has come down from previous years. We’re still finding the bad guys who’ve been sitting in networks for over a year, over a year when an incident response takes place.
And then finding out the bad guy has actually been there and has multiple ways in and out, and we’ve actually seen it, where they’re coming in through multiple countries. Because your global environment, global companies are creating tunnels and they’re getting encrypted and they’re obfuscating themselves throughout the entire environment. So this is where threat hunting becomes so, so powerful in today’s world.
How do you describe threat hunting to folks who are unfamiliar with it? It strikes me that there seems to be often an incomplete understanding of what goes into it?
Well, that’s a great question. I think when you say, what is threat hunting, I think you have valuable stuff on your network. But you come back and say, “Hey, I have defenses and I haven’t been hacked.” I was like, “Okay. So in short, the bad guys, they want to attack you and they’re trying to gain access or a foothold.” So the whole idea of threat hunting is the whole idea of trying to figure out, it’s not if, but when, but the threat hunting is waiting for someone else to tell you you’ve been attacked. And why do you want to wait for that? Why would you want to wait for someone else to tell you you’ve been hacked? Why do you want someone else to tell you that the attackers are already in your environment?
Or better yet, do you want someone to tell you that all of your emails and their passwords and their hashes have actually been compromised and have been on the darknet being sold as part of database downloads? That is where you go back to threat hunting. You want to avoid that? I mean, today unfortunately we know this for a fact, that brand is an important piece in today’s industry. So if you go out and you have been breached, or your information has been sold on the darknet, and then it gets out into the wild, it’s game over for some companies. Some companies can never recover and for others it takes years to recover. But my simple point when I go to someone is that, do you have valuable stuff? Do you have data in your environment that you feel, if you lost it today, what would it do to your company? And sometimes it’s people, sometimes it’s actual data, and you have to help educate that thought leadership that has to happen today.
What sort of recommendations do you have for folks who want to get started in this? I mean, when you’re talking about organizations of different sizes, different capabilities, different resources, are there different ways that they can dial in how they go about a journey to include threat hunting in their day-to-day business?
Absolutely. I think when you start, when you think about wanting to do threat hunting, I think you always want to start with the end in mind. What is the outcome you’re trying to overcome? And the other thing is, and I get asked this question a lot, is that if I’m a brand new CISO, what is the number one thing I’m going to do? It’s really identify your data. Identify your assets, your resources, your sources of data, integrate them, make sure that you’ve got visibility into that. And then the biggest thing here is threat intelligence. Look, intelligence helps us do a few things. I mean, when you think about the military aspect of intelligence. They’re coming in and finding out what is going to happen when they get there and establish some type of beachhead.
Establish that same type of beachhead. Get that intelligence, enrich your information around that intelligence, and then begin. I mean, the whole idea here is you’re trying to get triggers or something to trigger inside your environment around some type of anomaly. A notification from maybe something in a global threat or global community. The ability to leverage some type of tool that’s going to alert you. And today more than ever as people go home and they start working from home, their home is no longer their home. Their home now becomes their office. And I think that is a problem right now that’s going to really expand the need for threat hunting, especially as we really continue to adopt the cloud and leverage the cloud and the ease of the cloud, and the fact that most homeowners today, let’s just call it like it is, when’s the last time they ever checked the firmware on their DSL or cable modem?
Do they even have a firewall? Do they have security turned on? Have they turned it off because of performance because they’re streaming? All these things are basically ways for bad guys now to say, “Hey, look, my vector or my tech is no longer going after the firewalls in a data center or inside Amazon or Azure. I’m going to go to the easy point. I’m going to go attack them at their house and come in through that way.” And because all the data’s mixed, you’ll never know the difference for the data. So you asked about getting … How do you go about approaching it? Always start with the end in mind, what are you trying to solve for? What is it you’re trying to look for and identify those data sources and really give visibility to it.
How do you deal with that co-mingling that you described? Someone’s at home and they’re trying to get business done, but meanwhile their kid is upstairs in their bedroom trying to do their homework or stream a movie on Netflix. And so it’s that whole notion of the castle walls or the moat around the business. And it’s kind of out the window these days.
Yeah, but it’s not though. I mean, look, there’s simple things you can do. Most of these devices today, even older devices, support up to four different Wi-Fis, or we call them SSIDs. It’s easy enough to create a new VLAN or SSID in your environment that can segment your home traffic from your work traffic. It’s no different than creating a guest network for your guests that come to your device. So why not create a work SSID? That way you have some, at least, segmentation of your data. You have some way of separating your home environment from the other side. And that’s number one. I think that’s the start there; having some type of segmentation in your home environment should be top of everyone’s mind.
The other goes back to the same thing, identify your data sources. Let’s map those things, find out what you have on one network versus the other. It’s not that hard. I mean, you could Google that today and see a lot of those things. These are simple blocking and tackling things that we should be doing no matter what, if you’ve got an IoT, a home. I mean, a lot of people have IoT devices today, and they’re still leveraging default passwords. Why not separate your work? So if I was coaching every CISO today, and you have a remote workforce, the number one thing is just provide them with a step-by-step guide of how to create a new Wi-Fi segment in your environment just for your work. Just so that you can separate your laptops that are connecting to the work from your home.
And it’s not so much to protect work, it’s to protect your home, because now your home is no longer an attack vector. I mean, it still is, but now you’ve made it a little bit harder. Because bad guys look for easy targets. They don’t like hard stuff that they have to work on. They’re looking for easy entryways and that’s the best way of doing it because most people are deploying endpoint protection and detection response on their laptops and things of that nature, which is great. But if you just segment it, give one more sense of segmentation in the environment that helps the threat hunter, it really helps the threat hunter to zero in on what they’re looking for or looking at.
What do you suppose we’re in for here? You know, looking down the road or the next year or so, having been through this with COVID and folks having to work from home, is that … I mean, are we on a fundamentally different trajectory now?
I would say we’re on a different trajectory. I think what we’re seeing is a new way of security operations. Look, this is not new for us, having a remote workforce, but remember most remote workforces were doing what? They were launching a tunnel, an IPsec tunnel or VPN client of some sort, and it was mandatory to come in. And today that’s just not feasible. Why? One is speed. Two is the compression obviously takes data to a whole new level. But the biggest thing you’re going to see right now is how to protect the endpoint because now, look, I’m going to call it like it is, the war will be won at the endpoint, no longer at the cloud, because the endpoint is everywhere. It is anywhere, everywhere, connected to anything. And if you do not secure the endpoint, you will lose the war.
Really this emerging discipline of threat hunting. The problem you have right now is that still only a small portion of companies today deploy it. They don’t use it. They don’t understand it. And kind of what you were talking about, I think the only coaching I would give to companies today is not to say no to threat hunting, but to partner with a trusted advisor, a trusted partnership to help with that. It’s an important piece of the tool set today because too often we’re relying on people, process, and technology. And then ultimately we rely on technology. Technology is a flaw. With threat hunting you offset the technology gaps. And I think that’s what I would coach, or wrap this up with, is that, don’t be afraid of people. For the longest time we touted that the insider threat was probably the biggest thing. But right now the threat hunting tool, a proactive threat hunting tool, or even a passive threat hunting environment inside your network will save you down the road.
Our thanks to John Ayers from Nuspire for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.