The Genesis of Trustwave’s Advanced Continual Threat Hunt

Trustwave’s recent revamp of its Advanced Continual Threat Hunt (ACTH) platform was inspired by the need to scale to meet a growing client base amid an ever-increasing threat landscape. Now with a patent-pending methodology, the SpiderLabs Threat Hunt team can conduct significantly more hunts and has an unprecedented ability to find more threats.

We wanted to hear more about the process and backstory that led to the development of ACTH, so we sat down with Shawn Kanady, Global Director of the SpiderLabs Threat Hunt Team, for a Q&A:

What was the core challenge that the Threat Hunt Team was faced with that you knew needed to be addressed?

Shawn: First and foremost, I wanted to go to sleep at night knowing that we were doing our absolute best to protect our clients. But more specifically, we knew we needed to scale. Trustwave as a business was growing rapidly, and at the same time, the threat landscape was increasing at breakneck speeds. We knew those trends were only going to continue, and that no matter how much our team grew to handle new clients, what we truly needed was a scalable tool that would allow us to stay ahead of our workload.

Once you realized that you needed the ability to scale, where did you start?

Shawn: I was first inspired by a tool called DeTT&CT that allows a person to map technologies to the MITRE ATT&CK Framework. It got my wheels turning about how we could apply the same logic but with threat groups. And for context, the MITRE ATT&CK Framework is a globally accessible knowledge base of adversary behavior. It outlines common tactics, techniques, and procedures used by cyber adversaries. In doing so, it provides a common language for defenders to have conversations about emerging threats and develop effective defensive strategies.

So, it was a lightbulb moment: we could map threat groups to the MITRE framework and then focus our hunts on Indicators of Behavior (IOBs) exhibited by our target threat group. This would not only scale well with a defined scope, but also give us an added advantage of discovering previously unknown Indicators of Compromise (IOCs).

How did you and the team bring the idea to life?

Shawn: After a few months of brainstorming, research, and testing, the idea began gaining momentum. It was a complete overhaul of the current methodology and no small feat for the team to pull off. And this was all while we were still conducting our scheduled threat hunts. We rebuilt our query library, essentially codifying the MITRE Framework by writing a query for any of the EDRs we supported at the time, and we also wanted the entire process to be automated.

We wanted to be able to just click a button for a specific threat actor, and the system would automatically pull those queries for the associated techniques that we made, and it would run the hunt. In response to this, one of our Threat Architects incorporated a tool that allowed hunts to occur simultaneously across all clients during an emerging threat investigation.

Being able to hunt all our clients at once also changed how our team could operate. Rather than individually hunting, our team can now come together to research relevant threat groups and then divide and conquer the analysis across our clients. Now all our hunters use the same methodologies to find problems and ultimately discover more threats, more quickly.
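A stripped-down model of the "click a button for a threat actor" flow described in the two answers above, added here as an illustration and not Trustwave's ACTH code: the group-to-technique mapping, the per-EDR query library, the client list and the query syntax are all constructed sample data, and `queries_for`, `campaign` and `shared_techniques` are hypothetical names.

```python
"""Select behaviour-based hunt queries for a threat group across several clients."""

# Constructed sample (not real intelligence): threat group -> ATT&CK technique IDs.
GROUP_TECHNIQUES = {
    "GroupA": {"T1059.001", "T1021.002", "T1003.001", "T1486"},
    "GroupB": {"T1059.001", "T1021.002", "T1566.001"},
}

# Constructed sample library: technique -> {EDR platform: hunt query}.
# The query text is illustrative pseudo-syntax, not any vendor's real language.
QUERY_LIBRARY = {
    "T1059.001": {"edr_x": "process where name == 'powershell.exe' and cmdline has '-enc'",
                  "edr_y": "ProcessName=powershell.exe CommandLine=*-enc*"},
    "T1021.002": {"edr_x": "network where dport == 445 and initiator != 'System'"},
    "T1003.001": {"edr_x": "process_access where target == 'lsass.exe'",
                  "edr_y": "TargetImage=lsass.exe GrantedAccess=*0x1010*"},
}

# Constructed sample: client -> EDR platform deployed in that environment.
CLIENTS = {"client-1": "edr_x", "client-2": "edr_y", "client-3": "edr_x"}


def queries_for(group, edr):
    """Return (technique -> query) for one EDR, plus the techniques the library
    cannot yet hunt on that EDR (coverage gaps the hunt team must close)."""
    found, gaps = {}, []
    for tech in sorted(GROUP_TECHNIQUES[group]):
        query = QUERY_LIBRARY.get(tech, {}).get(edr)
        if query:
            found[tech] = query
        else:
            gaps.append(tech)
    return found, gaps


def campaign(group):
    """Build the one-click hunt: a query set per client and the gap list per EDR."""
    plan, gaps = {}, {}
    for client, edr in CLIENTS.items():
        found, missing = queries_for(group, edr)
        plan[client] = found
        gaps.setdefault(edr, missing)   # each EDR's coverage is recorded once
    return plan, gaps


def shared_techniques(*groups):
    """Techniques common to several groups: hunting one group's behaviours also
    surfaces the others, which is why behaviour-based hunts find unrelated threats."""
    return set.intersection(*(GROUP_TECHNIQUES[g] for g in groups))
```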

How is it different from other threat hunting offerings?

Shawn: One of the primary differentiators is that this methodology is truly proactive. A hunt based on an IOC means that an attack has already happened and has been discovered. For example, an entity was breached, the breach became known, and an investigation was conducted. Only then would other offerings be able to hunt that IOC.

While it's good to look historically to see if a malware campaign impacted you, it's not very proactive. We wanted to offer our clients something different. Something that caught what others were missing. A situation where Trustwave is discovering new threats. And the exciting thing is that we’re witnessing this; our new methodology has resulted in a 3x increase in behavior-based threat findings that would have gone undetected by current EDR tools.

Can you share an example of how the new behavior-based threat hunts are conducted?

Shawn: Our first ACTH was on the Conti ransomware gang. Leveraging our threat intelligence, we built a threat profile based on Conti behaviors and hunted for those tactics across all of our customers' environments. The hunt went very quickly and produced several findings, including discovering a Remote Access Trojan that had resided in a network for 11 months. Without ACTH, the malware would have gone unnoticed and eventually could have inflicted severe damage on the target.

At this point, one of the true highlights of ACTH became apparent. While searching for Conti, we found evidence of other threats and security lapses. Many of the techniques are common amongst different threat groups and these are now being discovered, along with general security hygiene issues like unsecured legacy systems, open ports, and people making foolish mistakes like storing passwords on their computers. And these issues are now all being found before they could cause a breach or security incident.

The modern adversary is constantly evolving and becoming more sophisticated in their attacks. As defenders, we too must evolve and become more sophisticated in how we detect and respond to them.

ACTH is now offered as an option in Trustwave’s Managed Detection and Response. For more information, please read Trustwave Revamps Continual Threat Hunting Enabling Significantly More Hunts and Unique Threat Findings.
