Blogs & Stories

Trustwave Blog

The Trustwave Blog empowers information security professionals to achieve new heights through expert insight that addresses hot topics, trends and challenges and defines best practices.

Spotlight on Trustwave SpiderLabs, Part 2: Incident Response and Threat Hunting

This two-part article will introduce and provide an overview of the SpiderLabs team at Trustwave dedicated to finding and analyzing new threats, helping clients detect, fight, and recover from security compromises, and helping the cybersecurity field with original research and intelligence. Read Part 1 here.

Client-Side Cybersecurity

Trustwave SpiderLabs is responsible for the client-side work that’s done with Trustwave Managed Security Services (MSS) clients, including Trustwave Managed Detection and Response (MDR) clients, where they engage in threat hunting and incident and response as part of their Digital Forensic and Incident Response (DFIR) service.

Threat Hunting

Trustwave SpiderLabs has developed a hybrid framework of threat hunting that feeds them events, alerts, and data points via thousands and thousands of queries from automated tools and non-automated tools (as in, security researchers). According to Brian, “we’ve basically created a framework of tools that let us do a real deep dive on threat hunting. For example, if a client has 100 endpoints, we can attach a binary executable of our EDR tool on each endpoint that allows us to query for any kind of info we want.”

This framework allows the team to learn about the clients endpoints, environmental threats, ports, outdated software, flawed or vulnerable infrastructures -- anything that can be executed within their system, hashes via a custom hash database that allows them to grade it, system admin tools, known goods, and other data points that then be analyzed to find out whether or not a threat is present.

However, while traditional threat hunting is usually thought of as a process that looks for malicious actors within a network, the hybrid framework Trustwave SpiderLabs employs allows them to look even deeper to identify existing weaknesses, poor behaviors within an environment, and other indicators of security hygiene. “Our threat hunting starts with malicious actors,” says Brian “and ends with security hygiene.”

This approach also helps analyze whether existing tools are working effectively to block, detect, and prevent threats while also letting them proactively analyze a client’s environment to find vulnerabilities, outdated software, website flaws, in hopes that it’ll never reach the breach phase.

DFIR - The First Responders

Trustwave SpiderLabs Data Forensic Investigation Response team are the first responders in the event of a breach or if the threat hunting, pen testing, or tabletop exercises uncover something that requires a much deeper investigation

Mark likens Trustwave SpiderLabs’ DFIR team as “smoke jumpers—they jump into an organization and take charge, calm an organization, and use best practices to identify attacks that took place.” The team leverages Trustwave SpiderLabs research, resources, and tools to provide forensic analysis, and attribute the attack actor, method, and tools used. DFIR is essentially responsible for putting together how a breach happened, when, who might be behind it, and piece together the attack or reverse engineer any offending malware. One of the other benefits is they have hundreds of ethical hackers a key stroke or phone call away to collaborate with.

The investigation often starts using the threat hunting tools and feeds to contain the breach and do an initial analysis. Depending on how significant the breach is or how large the company is, it may end up being a much larger investigation.

Speed is key when it comes to breach investigations and analysis – “if you’re an enterprise with over 10,000 computers,” says Mark. “you need a lot of people to churn through the investigation. The whole goal is to investigate quickly.”

 The faster the investigation happens, the quicker the data can come through. However, the most efficient way of working is to have one person handle the first 24 hours to look at logs, get the breach under control, and have a single point of contact the affected organization can rely on. That person can then find out “how big the blaze is” and delegate the resources required for containment and full analysis.

Having the human element present in the investigation as soon as possible is extremely important as it can uncover details an automated tool can’t. “Automated tools only see the surface” says Mark, “but people know to look under that and potentially find new techniques automated tools don’t even know about. It requires really good training and skillsets.” When it comes to threats or techniques that have never been observed before, an automated tool isn’t equipped to detect or analyze it.

When that’s the case, the information is passed to the research team so they can identify it if any other company or organization has come across it before or attribute it as a new threat variant, actor, or technique.

How Trustwave SpiderLabs Contributes to Cybersecurity

Trustwave SpiderLabs’ continuous research has resulted in real-world improvements to the cybersecurity intelligence community. If they come across a new vulnerability, they follow a responsible disclosure process to alert the manufacturer so they can fix it before the vulnerability is made public. For example, Trustwave SpiderLabs will normally allow the vendor up to 90 days to fully investigate the issue and develop a patch, and even help them test it to make sure it is complete. However, in scenarios of elevated risk, for example if the vulnerability details are discussed publicly or if the issue gets exploited in the wild, the team will consider a much faster release, sometimes disclosing the details in matter of days. All in all, they  are responsible for around 10-12 public advisories a year and their blog also covers new threats, trends, and behaviors.

Trustwave SpiderLabs also works with several cyber intelligence organizations, other cybersecurity companies, and is part of various intelligence partnerships dedicated to exchanging intelligence and learning from each other’s’ efforts.

When given permission, any information or work they do for clients can also be used for future reference and the new data and knowledge is embedded in their future work and Trustwave tool development. As a result, Trustwave SpiderLabs is responsible for a wealth of new cybersecurity intel that’s used to improve Trustwave services and offerings but also the world’s intelligence resources and capabilities.

Ready to see how Trustwave SpiderLabs can help protect your organization? Learn more about this elite group of researchers, penetration testers and incident responders today.