Active Threat Hunting Within Your Organization

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 93 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Mike Morris, chief technology officer at root9B, where he’s chief architect behind the design and integration of their active adversary pursuit threat hunting platform. Mike began his career in the U.S. Air Force, and was an integral part of many of the Department of Defense’s pioneering efforts to help protect the nation’s cyber infrastructure.

Mike shares the story of his professional journey from the military to the private sector, his philosophy on threat hunting and threat intelligence, and how he thinks organizations can best build effective teams. Stay with us.

Mike Morris:

I’m prior U.S. Air Force, so I’ve conducted cyber operations on behalf of the United States Air Force for approximately 10 years. I came out of the 315th network warfare squadron, which is the Air Force’s premiere cyber squadron for cyberattack and ISR-type [intelligence, surveillance, and reconnaissance] activities.

Dave Bittner:

When you were growing up, was technology something that you were interested in?

Mike Morris:

It absolutely was. It started probably around the time that I was 12. My family got our first computer, and it was a Gateway 2000. During that time frame, I taught myself the Windows file structures and started trying to understand how it worked, and then I think I moved into what would be considered cyber operations by punting people in AOL, many, many moons ago. Then that became the trajectory path for me wanting to move into this space.

Dave Bittner:

When you made your move into the military, were you in this line from the get-go, or was it something you pivoted over to?

Mike Morris:

No, I pivoted over. During the time when I came in, they didn’t have a cyber component for the U.S. Air Force. What they ended up doing is … I wanted to do a signals intelligence background, learning how telephony and everything else worked. Then I got put into my first mission at my first duty assignment and I was working operations. During that time frame, they put me through a one year computer science degree program at the University of Hawaii, and as part of that degree program … It was to teach me how to do collection, how to bypass capabilities, things of that nature. Then I started doing that on behalf of the Air Force in a special mission. Then I was pulled back to the 315th network warfare squadron when they started to formalize it.

I initially wrote [what was] basically the enlisted training manual. I wrote their initial component for what ultimately led into their cyber operations schoolhouse. Then I was grandfathered into what they call “one-bravo-four AFSC”, which is cyber operations. I was conducting operations all 10 years, essentially on behalf of the Air Force, but they really didn’t have the discipline — it wasn’t a known job title inside the organization until probably around the 2009-2010 time frame.

Dave Bittner:

I noticed in your bio here that you’ve gotten some recognition from both Presidents Bush and Obama for some of the work you did with cyber. Can you share with us, what was that about?

Mike Morris:

Yeah, well, they were classified cyber operations. One of the operations, well really both of the operations, they led to … During that time frame, led to sensitive access, is what I’d say, which initially let me step back — and in the early 2000s, as I had mentioned, cyber operations on the offensive side, it wasn’t a big thing. In fact, one individual used to say that cyber operations to influence intelligence collection and things like that, it was really the dessert. Then what ended up taking place is, as the intel community started to realize the effect and the impact that cyber could have on providing collection-type capabilities and intelligence, then it really became the main course. When I first moved into this, it was that dessert-type component where it was, “Hey, this is awesome information that we wouldn’t have been able to receive in any other way.” Then what it turned into is … It turned into the initial effect and impact to be able to pull back data and influence the battlefield.

Dave Bittner:

You eventually decide to leave the military and enter the private sector. What drove that decision?

Mike Morris:

Yeah, well actually a couple of things. I’ll give you the long-winded story. I was trying to go officer in the U.S. Air Force, and at the time the Air Force kept canceling the boards to go from enlisted to officer. I was coming up on a career decision: do I want to stay enlisted after 10 years and try to ride it out to 20? At the time, being an enlisted guy in a brand new career field, I would have gone into a spot where I was deployed to both Hawaii and deployed in place in Maryland, because we had that impact that I had talked about on the cyber field. In order to get promoted in the Air Force, though, in order to make E9 or something to that effect, I would have needed some remote deployments.

Unfortunately, being in the cyber career field, that really didn’t exist. Without being able to go officer, I felt it was really stifling my career in the military. So I decided to step out into the commercial sector, worked for another government contractor creating capabilities back for the Department of Defense. Then I just took a look at … That was my exposure into the commercial sector.

What I started to realize, being a former attacker, is that the commercial sector had this false sense of security that the U.S. government would protect them. They also thought they understood how attackers maneuvered, but as I would end up in conversations, I felt that the network security environments and the teams that were providing security were, not to any fault of their own, just misinformed and really didn’t understand.

I got together with a few folks that I used to work with in the Department of Defense in the joint environment and we started to take a look and say, “How do we really have an impact on this?” Then we decided that we wanted to come forward with hunt operations using that offensive mentality to provide defense, and we thought that’s what was missing in the space. When you really look at how cybersecurity is postured today, what I feel is, folks feel like they can go by technology and that’s going to solve the problem. Being a former attacker, what I’ll tell you is that no technology was able to ever stop me because once I had an exploit into a target environment, the next thing I would do is take a look at what security products did they have. I then go buy those products or download a 30-day free trial, create a virtual environment, or create a test bed, or a range essentially, and I would test my capabilities and my tactics against those and then I’d be able to outmaneuver and maintain persistent access.

What we really wanted was, when we took a look, we wanted to be able to create an organization of former attackers that were focused on the human and focused on the response activity to be able to get into a cyber knife fight.

Dave Bittner:

And that is the origin of r9B.

Mike Morris:

That is the origin of r9B. Yes, sir.

Dave Bittner:

Let’s talk about threat hunting. Let’s just start off with some definitions here. For those who may not be familiar, what exactly is threat hunting?

Mike Morris:

If you take a look at this space right now, there’s a couple of different ways that folks look at it. What I’d say most organizations are defining threat hunting as is really collection and analysis. What I mean by that is, they’re using automated security or perimeter security products and then they’ll pull back data and they look for an indicator of compromise, and then from there that leads into an incident response investigation.

That is very important, but in my opinion, that’s still very, very reactive in nature, but it’s still very, very important and it’s certainly a requirement. Threat hunting and root9B’s definition is really about proactive surveillance of the environment. Putting in an agentless-type capability in the environment and then maneuvering through the client’s proprietary network, looking for an adversary that’s bypassing automated security capabilities.

Then from there, you still have collection and analysis that’s taking place when you’re doing threat hunting in that manner, but really what our definition is, we focus on the response activities. As we identify a potential adversary in that environment, we use our expertise to be able to engage that adversary. I never go into a client and tell them that we will stop the organization from being breached. A well-motivated, well-resourced adversary will always gain access into an environment. What the goal of any security posture and of any threat hunting security posture should be is reducing the time that the adversary gets to live in that environment and stopping the adversary from being able to get to the “critical infrastructure” or achieve their motives.

Dave Bittner:

Help me understand the difference here between … Is it being proactive versus reactive?

Mike Morris:

It’s actually two components. When I look at threat hunting, the way I see it, there’s really two aspects. You have the proactive surveillance, which is basically doing reconnaissance through the environment, much like a pen tester would, but being able to pull back and collect data off of your endpoints and your infrastructure. That’s the proactive component. Now there’s a second component to that though, too, for successful teams. If they’re already collecting data in a similar environment to a managed security service provider where they have antiviruses, EDR platforms, perimeter security products, we will shove that data back. And other organizations, obviously finance industry, et cetera, can do the same thing, shove that data back to the team. That provides network telemetry so that you can now engage the adversary essentially in real time.

If I see, for instance, an antivirus, and let’s pretend it’s McAfee, if McAfee pops on an endpoint on some network segment, then the second component of hunt is allowing for that remote tactical incident response or being able to get on that target in near real-time. Again, with the focus of not allowing that adversary to gain access to their motives.

Dave Bittner:

As I’m planning out the defenses of my organization, for example, at what stage of the game is threat hunting something that I need to take a look at? Are there things that I should … That go ahead of the line with it, or where does it fit in?

Mike Morris:

Yeah, so what I would say is that threat hunting is a new layer of defense in depth, right? What I mean by that is, defense in depth is pretty much a static defense. Being able to put security products at each portion of your network, and then pull back that data. What we failed to do in this industry is, we failed to put someone on the inside living in there. The reason I give that is, each one of those other components are certainly necessary. The problem is, it doesn’t necessarily tell you how your network lives, breathes, and moves.

By putting threat hunting on the inside of that environment, it allows for you to start to figure out what your network really looks like. It allows for you to start to identify what tendencies inside your environment are normal, and it effectively starts to build baselines. What I’d say is, threat hunting really should be ingrained in all of the organizations. Now the problem in the industry obviously is lack of experienced personnel and knowing what to look for, but you have organizations out there that do threat hunting rather well in the fashion that I’m talking about, and they can be subscribed to as a security as a service-type model.

Dave Bittner:

How does it integrate with things like threat intelligence?

Mike Morris:

That’s a fantastic question. When I take a look at threat intelligence, threat intelligence is fantastic for being able to help provide you with informed hunt capability. When I talked through all of the existing security products, you know that technology stack and net organizations are doing, that becomes a network telemetry feed to help guide the hunter as they maneuver through that network. In addition, threat intel feeds and threat intel subscriptions to organizations that really provide threat knowledge help drive the way hunt operations should ultimately be conducted. Really what I’m getting at there is, the adversary adapts to the environment. If you recall, when I talked through my own techniques, the adversary adapts to the environment that they’re going into and they create tailored solutions to maintain access and really get to their motive.

Defense teams really have to do the same thing, and that starts with threat intel being an integral part to help drive what their collection is. What I’d say is, one thing that organizations that I’ve seen in the industry, which can tend to be a problem, many organizations will sign up for tons of threat intel feeds and digest those feeds. In a lot of cases, and that is certainly a requirement and certainly a necessity, but what I find is, many security teams then inundate themselves by chasing some signature around the environment trying to see if it’s in there.

I often liken threat intel to a crime blotter where, if I live in Colorado Springs and I’m receiving national information of cars being stolen in Detroit, although that’s good information, it doesn’t necessarily impact me. Well, in cybersecurity as organizations are often getting signatures, or getting these new hashes that are coming through, what they’re doing is, they’re looking through their data sets trying to find it, and they spend a lot of time trying to go through when perhaps that specific client isn’t being targeted by that specific signature, if that makes sense.

Dave Bittner:

Yeah, it absolutely does. As you integrate with other providers, as you become part of what an organization is depending on for their security posture, how do you keep from contributing to that information overload? How do you make sure folks aren’t being overwhelmed with information?

Mike Morris:

There are a couple of different ways. When we provide a security as a service, we focus on the tactics, techniques, and procedures. Instead of being really signature-focused, obviously we push those signatures in and we’ll automate many of those, many of those aspects to see if that exists, but really what we’re focused on … If APT 1,000,001 was able to exploit an environment, that human attacker follows a very specific methodology, and in most cases, they’re going to do the same thing every single time, but they might be using polymorphic code or a different exploitation routine. We build out ontologies on the back end, essentially playbooks. We build out those playbooks and then we will digest all of their data feeds, take all of their web data and your CIS log, et cetera, we shove that into the back end as part of a security as a service model, and then as we’re hunting through, we treat the hunt data as the only known good in the environment. Essentially, we assume that the network is compromised until we prove that it’s not.

As that data comes back into our data lake, we cross-correlate those events using an expert system and playbooks that we build out so that we can start to really refine the capability and really refine the dataset that organizations are looking at so that they’re not looking at four billion events that are going into a scene. Instead, they’re getting specific indicators that … There’s a “pass-the-hash type of event taking place, or there’s some type of spearphishing campaign, and so we’re taking all those events and we’re streamlining those into observe tactics based off playbooks that we build out as we start to identify them.

Dave Bittner:

I’m wondering, with your experience in both the military and in the private sector, do you have any advice for folks who are coming up in the industry? That person who might look at cybersecurity as a place they may want to pursue?

Mike Morris:

Yeah, so what I find is, most folks that are hobbyists tend to do pretty well in this industry. If they’re problem solvers, they’re creative thinkers, and they like cybersecurity, cybersecurity is really all about using intelligence and IT and OT security altogether. Being able to start to take a look at capabilities out there and testing, learning through trial, learning through failure, really trial and error, that often will help them end up gaining a higher level of knowledge in being able to be effective. Obviously, many organizations are looking for certifications and whatnot, but I tend to find that the hobbyist and the folks that are really, really tied into this and have a passion and a love tend to do the best in this industry.

Dave Bittner:

Yeah, I mean that’s an interesting insight. I think also for folks who are looking to employ people and are dealing with this shortage of folks out there that maybe you need to look past those certifications sometimes.

Mike Morris:

Oh, absolutely, and the other thing I would say is, everyone has different learning models and so being part of … As I mentioned in the Air Force, building out some of their training as an organization, we also trained many folks, and what I find is, building individual training plans for folks is really, really important because not everyone can be a jack of all trades. What I mean by that is, some folks may be better at an operating system, they might understand Windows inside and out, but not understand the concepts of Linux or vice versa. They may go through a pipeline, let’s say it was hunt, but really their heart is more geared towards forensics. Then really pushing your people and understanding their strengths and weaknesses you can build, as organizations, can start to build individual training pipelines for them to make them more proficient.

Really what it comes down to is investing in people at the end of the day. I mean we all see the stats of the shortage of the number of personnel that this industry is going to end up seeing. It’s not going to be a shotgun approach to be able to bring them on because you can take folks with any level of experience, and as long as they have the heart for doing this type of mission, they’ll find a way to get it done. Then you just have to continue to feed them and fuel them so that they become more successful.

I think as organizations start to go forward, as I had mentioned earlier, when you look at hunt, the piece that is missing, a lot of organizations don’t think they’re ready to do it. The problem is, it’s a soft, squishy center for attackers. Once they get past the perimeter security products, it’s 1995 hacking at its finest, and they’d use pass-the-hash SSH masquerade for the win.

When I really take a look at … Back to your one question, I think threat hunting needs to become an integral part of security because you need to be able to respond. What security really should be about is, right now the adversary has freedom of movement inside of the environments that they’re exploiting. In order to cause pain to the adversary, you really need to be able to start to burn their capabilities and take them from the net use in the pass-the-hash exploits, or techniques really, not even necessarily exploits, but from those techniques and start forcing them to use their 2019 zero days, right? Once you get to that point and you start burning their capabilities, that’s when organizations will start to see the attacker move to softer targets. I guess back to your one question, what I’d say is, in my opinion, hunting and integration of intelligence in there really needs to be at the forefront of security operations as organizations move forward.

Dave Bittner:

Our thanks to Mike Morris from root9B for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.