Antonakos got his start as an electrical engineer before becoming a computer scientist and security researcher. He credits his background with not only molding him to become a proficient security professional but also opening his eyes to the importance of programming scripts and developing tools that solve problems. Likening threat hunting to signals processing in electronics, Antonakos thinks of electric currents as no different than traffic and packets traversing a network.
“If you take the rate of occurrence between connections from a particular system on your network and plot that over time for every endpoint, you get lots of graphs within one big overall graph,” he said. “Patterns show up. It’s very hard for a human (inside a business) to look into that.”
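The per-endpoint rate-over-time analysis Antonakos describes, as an added example that is not Trustwave's tooling: it buckets constructed connection-log lines per source host on one shared time axis and flags hosts whose gaps between connections are nearly constant, the kind of pattern that stands out on such a plot. The log lines, host names, 60-second bucket and 10% variation threshold are all assumptions.

```python
# Added example, not Trustwave's tooling: per-endpoint connection rate over time
# plus a regularity check (quote above). Log, hosts, 60 s bucket are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> -> <destination>"
SAMPLE_LOG = """\
2023-01-10T09:00:00 ws-17 -> 203.0.113.5
2023-01-10T09:05:00 ws-17 -> 203.0.113.5
2023-01-10T09:10:00 ws-17 -> 203.0.113.5
2023-01-10T09:15:00 ws-17 -> 203.0.113.5
2023-01-10T09:00:10 ws-04 -> 198.51.100.20
2023-01-10T09:00:45 ws-04 -> 198.51.100.21
2023-01-10T09:07:30 ws-04 -> 198.51.100.22
2023-01-10T09:18:05 ws-04 -> 198.51.100.20
"""

def parse_log(text):
    """Yield (timestamp, source host) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, _arrow, _dst = line.split()
            yield datetime.fromisoformat(ts), src

def rate_series(text, bucket=60):
    """{host: {bucket_index: connections}}; one shared axis, one trace per host."""
    events = list(parse_log(text))
    t0 = min(ts for ts, _ in events)
    series = defaultdict(lambda: defaultdict(int))
    for ts, src in events:
        series[src][int((ts - t0).total_seconds()) // bucket] += 1
    return {host: dict(s) for host, s in series.items()}

def regular_interval_hosts(text, min_events=4, max_cv=0.1):
    """Hosts with near-constant gaps (stdev/mean <= max_cv): a lead, not a verdict."""
    stamps = defaultdict(list)
    for ts, src in parse_log(text):
        stamps[src].append(ts)
    flagged = {}
    for host, ts_list in stamps.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            flagged[host] = m  # mean gap in seconds
    return flagged
```

In the constructed sample, ws-17 connects every 300 seconds and is flagged, while ws-04 connects irregularly and is not; a real hunt would then examine what ws-17 is talking to.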
Especially at your average organization, where security maturity remains a choppy work in progress.
“When you look at a typical IT department, they have syslog servers gathering all their logs, SIEMs that events feed into, and they write some rules and get alerts generated,” Antonakos said. “That’s a very reactive way of doing security. But that’s what organizations do because they don’t have threat hunters there. They have people doing security things, but they’re not threat hunting.”
“With threat hunting, you are using information you’re getting, but you’re allowing a human to decide what to look for next or react to what they’re seeing,” he added. “Researchers are now putting artificial intelligence in the extrapolation of data from databases that contain all of the events that happened in the organization…This allows you to see those really drawn-out, slow attacks that a human wouldn’t be able to correlate.”
For Wooten, the biggest draw of threat hunting is its ability to rummage for cybercrime evidence on a much larger scale. And he knows a thing or two about being restricted by distance, growing up in Perth, Australia, which is considered one of the most isolated cities in the world.
Now, instead of analyzing a select number of systems that would need to be manually studied in person, he and his team can use automated means to gain visibility across an entire network – even one that stretches globally – in real time. The resulting scalability is what wows him.
“We can deploy our agents and search for IOCs (indicators of compromise) across networks of hundreds of thousands of PCs,” he said.
And it is this ability that further advances the argument that organizations, especially the ones that already have strong security in place, should adopt proactive threat hunting. Instead of waiting for the inevitable breach, which could lead to a disastrous egress of confidential assets, the functionality now exists for regular check-ups that can verify that the security technologies that organizations have in place are doing their job and that the bad guys don’t have a foothold across the network. It can also point out something more general, like poor security hygiene and a failure to map where data lives.
For example, Wilkinson described one case in which his team identified IP addresses within a network that were behaving strangely. The threat hunters turned that information over to the customer, which took three weeks to physically identify the offending machines – they were stored away, apparently unknowingly, in a cabinet somewhere. In another hunt, Wilkinson turned up a “Pokemon Go” mining operation in which a member of the IT team was using several systems to catch the animated creatures.
“Sometimes we learn things about the customer that they weren’t even aware of,” he said.
Proactive threat hunting will never yield a guaranteed bill of health, but it goes a long way toward mitigating risk. “It’s unlikely we’re going to say your systems are completely clean,” Wooten said. “It’s not a statement we like to make. You don’t know what you don’t know. But what we can do is give you a degree of assurance.”
Aaron Wooten maintains his childhood curiosity as he works to help organizations discover threats and respond to malicious activity.
One particularly vulnerable component of the IT environment is endpoints, which can range from desktops and laptops to smartphones or Internet of Things devices. Hackers like to start small and go after soft targets, which brings the added benefit of not raising suspicion or exerting too many resources. Endpoints fit that bill well. They are considered the most vulnerable part of the network and are often operated by users who are more than willing to lend a helping hand to attackers, predominantly through email phishing scams and website-based “watering hole” ambushes.
Antonakos and his fellow SpiderLabs threat hunters utilize several tools that reveal shenanigans happening on the endpoint. How a tool typically works: Trustwave sends a small software sensor to an organization’s IT person. They install it on their systems, and Trustwave threat hunters then manage alerts and information being generated by those sensors. “We have really good visibility into what is happening on the endpoint and control over it,” he said. “Our tools tie in with threat intelligence feeds that will alert on malicious files and block them from executing.”
When their day is over, and the Trustwave investigators return from the mercurial networks that are so often their hunting grounds, they are never deterred from the fight.
“The reason that we do what we do is to help people and make a difference,” said Wooten, whose desire for occupational nobility predated his work at Trustwave, when he spent three years developing the security architecture for the Australian government’s child abuse royal commission. “Without that sense of satisfaction, I don’t think many people would be in this role. It’s a high-pressure environment, but the reward is you are making a difference.”
For Wilkinson, who fell in love with security when he (innocuously) executed a buffer overflow attack on a popular anti-virus product in 1997 while bored in a college class, the gratification and bliss also come from not knowing what is behind every door.
“No network is identical to another network,” he said. “We’re always coming across a program we haven’t seen before, a different configuration we haven’t seen before, different security products. It’s a never-ending learning experience, which is part of the attraction. It keeps you young.”
Maybe they can’t stay 6 years old forever, extracting BIOS chips while Dad is gone for a few hours, but that doesn’t mean the fun needs to end for these threat hunters. Turns out, little Aaron Wooten was on to something.