Trustwave launches proactive Threat Hunting service
- By Patrick Marshall
Trustwave, a Chicago-based cybersecurity company that has specialized in cyberattack response, has launched Threat Hunting for Government, a service designed to proactively and continuously search federal networks for intruders and malware.
The company decided to develop Threat Hunting, Trustwave Government Solutions President Bill Rucker explained, after seeing in practice the numbers of attacks and malware that managed to evade perimeter defenses such as firewalls and other security measures.
While the time between compromise and detection of an intruder on federal networks has been dropping, it’s still too long. “Four years ago, it was 172 days,” Rucker said. “Last year it was 80 days. This year it was 49 days. So we are getting better. But still, 49 days from compromise to detection is a lot time during which significant damage to our critical infrastructure, to our national infrastructure, could be done.”
The problem, he said, is that most system operators aren’t actively looking for intruders. He noted that one federal IT official recently estimated that 70 percent of his cybersecurity spend last year was “right of the boom, meaning post incident or post breach.” According to Rucker, “Threat Hunting flips the script.”
The premise behind Threat Hunting "is to assume you have been breached,” said Brian Hussey, Trustwave's vice president of cyber threat detection and response. “Assume you have an attacker right now in your system, and it is our job to go find it.”
After an overall vulnerability assessment is completed, the Threat Hunting endpoint detection and response tool monitors traffic between the network and devices that connect to it, whether locally or remotely. The EDR records that information in a database for further analysis, which can later be referred to after an unwanted event takes place.
“All good EDR tools that are worth their salt are going to have automated root cause analysis,” Hussey said. “If we find a piece of malware, they give you an automated chain of events that led up to it.”
An exploit might, for example, be traced back to a phishing email that came from a computer in Eastern Europe.
By itself, however, that’s not enough to allow researchers to be sure they’ve got both the right culprit and have determined the extent of the intrusion. “We need to take a look and do temporal analysis around each of these events,” Hussey said. “What other events happened? We need to be able to pull that malware out and do full reverse engineering on it. When we do that, we develop more indicators of compromise. Those IOCs fuel the rest of the hunt.”
“Finally, we believe that an external look is as important as an internal look,” Hussey said. His team also scans the dark web for signs of a client having been compromised. “Are a client’s credentials being sold on the dark web?” he said. “Are any of their products being sold? Are hackers discussing them?”
Of course, if an agency is going to subscribe to Trustwave’s Threat Hunting service, it must open its networks to the company’s research team -- known as SpiderLabs -- on an ongoing basis. While acknowledging the natural protectiveness of many system operators, Hussey said that heightened concerns about intruders has encouraged more openness to outside specialists who have appropriate security clearances.
“With a couple of really good threat hunting successes, word got around,” said Hussey. “They started coming to us and access issues started to go away.”