Every Side of Cyber - Building a Nation-scale Quick Reaction Force

This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.

CyFIR Founder, Ben Cotton, recently joined a panel discussion moderated by Jason Miller, Executive Editor, Federal News Network, including other industry experts such as Dr. Shue-Jane Thompson, Vice President and Partner, Cyber & Biometrics Practice, IBM.

It’s been almost three years since the White House issued Presidential Policy Directive 41 (PPD-21) and the corresponding cyber incident response plan. PPD-41 outlined some key concepts around defining what a cyber incident and a major cyber incident meant, while also providing guiding principles for incident response. From that PPD, the Homeland Security Department developed a national cyber incident response plan (NCIR), providing even more details about the activities and the lead agencies for each activity.

But PPD-41 and the NCIR are reactive documents and plans that come after being victimized by a cyber attack. What is missing is how agencies can get ahead of the attack through proactive threat hunting and a more strategic response.

The evolution of cyber tools and capabilities over the last few years, most notably the sharing of threat intelligence, has enabled agencies to do more to get ahead of the cyber threats.

In the 2018 national cybersecurity strategy, the White House specifically called out the use of cyber threat hunting capabilities, saying the government “will be able to assess the security of its data by reviewing contractor risk management practices and adequately testing, hunting, censoring and responding to incidents on contractor systems. Contracts with federal departments and agencies will be drafted to authorize such activities for the purpose of improving cybersecurity.”

There are several benefits from this proactive stance agencies are starting to take, including reducing damage to the organization and improving the speed to response.

Agencies need to consider several factors as they move more toward this proactive model. Watch the 3 segment videos on Threat Hunting and Incident Response, The Use of Data, and The Cloud Impact to hear Ben's contribution to the discussion.

Threat Hunting and Incident Response

Think Forensics First™

(Minute 6:05) "To see more is to know more. If you take the threat intelligence data and then you apply it to a forensics process that has visibility on every single aspect of what’s going on an endpoint then you are able to ascertain if those threats do exist inside of your environment. The trick to that is to do that in a timely fashion so that you are looking simultaneously across all of your end points and you are not focused on a narrow lane where you miss those threats that exist on other endpoints or other parts of your network."

The Use of Data

Data Collection Use Cases

(Minute 5:07) "There's the automatic collection of data by necessity requires an automated correlation of the data. From an example standpoint, we had a client that had a very good IDS system in place and they were receiving IDS indicators that they had a compromise but it was taking them 24 hours to correlate that IDS, back to a person, back to a process, back to the endpoint at which it actually occurred. So it's about the right type of data, the correlation of that data in an automated fashion, and it's also about search. As we talk about hunting, at the very root of hunting is your ability to search across your network and to be able to do that very quickly.

It's not just about processes, and it's not just about network connections, but it's also about what is existing on those hard drives, even down into the unallocated space of those hard drives. The more sophisticated actors can actually customize the addressing of their malware into the unpartitioned space on a hard drive.

A good hunting team not only has the automated collection piece, but also has the ability to pivot and simultaneously ask very complex questions across their entire environment, and get that data back extremely quickly."

Automation in Forensics

(Minute 10:15) "Remember we think forensics first on all of this data collection. The analysis of that data, I like to think of it as weeding the wheat from the chaff, so that you can get 100% of your human capital gray matter focused on the problem very quickly. I think there's a consensus here with the panel that that human gray matter, as good as AI (artificial intelligence), as good as ML (machine learning) will get, human gray matter is never going to be eliminated from the equation. From a forensics standpoint, the automation, the AI, the ML, is leveraged to sort that wheat from the chaff and get down to what's important very quickly and focus on that."

The Cloud Impact

Skillset for Threat Hunting Today

(Minute 5:35) "Most of those skillsets have remained consistent. You need to have a firm foundation in technology. You need to understand networks. You need to understand how computers work. How those types of things function. But one of the unique things we look for when we're hiring people is actually called Investigative Mindset. The ability to pick out an anomaly and then have that urge to dive down into it to figure out why it's there, what it's doing, how it got there and what the result is as it influences the investigation."

"It's about is this going to be the person who's going to have the independence, and the curiosity and the knowledge base to answer those tough complex questions that are asymmetric in nature."