Threat Hunter Profile: Kristina Sisk
Company: Fortune 500 Financial Services Company
Preferred Data Sources: Application Compatibility Cache (Shimcache), webserver logs
Preferred Hunting Techniques: Python, Gephi, Linkurious
Who are you?
My name is Kristina Sisk. I joined the InfoSec community almost 7 years ago to use my computer forensics degree for incident response at Mandiant. After consulting, I moved to work on the continual services side, now FaaS, and ultimately created the detection strategy for the endpoint services. Now I lead the Threat Hunting team at a large financial institution.
What is your experience with Threat Hunting and for how long?
I started in incident response. By the time I was involved, it was known the attacker was already there. When I switched to being an analyst in the proactive service, the natural inclination was to take the lessons learned from the consulting side and apply them regularly to customers with the assumption they were already breached. At that point, threat hunting as a service was born.
Why do you hunt and/or how did you get started?
My team recently split from being IR + Hunt. I got to choose which half I wanted. I chose Hunting and a large part of the reason was that I love the title Huntress.
In general, I am a natural blue-teamer. I think defense is more challenging than offense. You have to understand how numerous attackers think and what that means for your environment. Then you have to turn that knowledge into the ability to find evidence across various operating systems and platforms.
How would you define Threat Hunting?
Proactively searching for previously unidentified threats living in your environment.
Which of the hunts you’ve carried out was the most interesting or challenging?
The most challenging hunt was the first hunt the team did together on a predetermined high value target. The challenge came in discovering the available data sources for that target and determining how those data sources could be combined to hunt for lateral movement across endpoints and network data.
It can also be a challenge to hunt together. It can be hard not to chase the “white rabbit” and stay on task when hunting as a pack.
What value do you actively see come out of your hunting activities?
I want so badly to say it’s reduced dwell time, but it’s not. Right now, the best thing my team provides is including our assessment of weaknesses and gaps identified in a hunt along with any malicious findings. We get the opportunity to validate that best practices are being followed, and that security trumps compliance.
What types of friendly intelligence are most useful for a hunter to have in an investigation?
Never underestimate the power of an up-to-date network diagram, but for me the best intelligence is around what my organization considers to be the “crown jewels”. A risk assessment and a threat assessment, with a monetary valuation provided, give me the tools I need to create a powerful story to my executives and a well-crafted hypothesis.
What general advice do you have for new Threat Hunters?
Do not belittle the knowledge you have gained from doing SOC alert review. It is the best way I can recommend to train your brain to quickly identify evil. In the beginning, everything looks evil. Threat Hunting when everything looks evil won’t work, so take the time to train your brain to filter out the usual, learn what normal looks like at your organization.
It reminds me of the difference between when I drive a new car versus my car. In my car, I don’t have to check the mirrors or the seat placement. I know the width of the car when I park and the way she brakes. In someone else’s car, the brakes may seem touchy and the steering wheel stiff. Once I get familiar with a car, my brain filters out all of these nuisances and I take it for granted. Learning your environment through alerts will do this for you.
Once you gain this awareness, advance to learn the threats facing your organization by creating signatures to alert on those threats. Finally, begin to hunt for those threats; at this point you know your organization and you understand what behavior a signature can catch and what needs a hunter.
What parts of a hunt could you see as being most successfully automated or assisted by a machine?
I hope that data collection for routine hunting operations is automated and I also hope that visualizing that data is also provided to hunters when appropriate.
What would you like to see Threat Hunting develop into across the industry in the future?
I am actively working to see Threat Hunting become more tangible to technology executives. Threat Hunting as a reliable source of detection is an expensive endeavor for an organization. It requires scarce talent and expensive tools to enable scale. To make it more accessible, I want to promote the values that threat hunting brings, whether an attack is identified in a hunt or not. I also want to create a compelling narrative as to how a Threat Hunting team complements a well-structured blue team.