Yesterday, Delta Risk’s Andrew Cook and Infocyte Founder and Chief Product Officer Chris Gerritz presented a webinar on “Threat Hunting Versus Compromise Assessments: What’s the Difference?” In advance of the webinar, Dev Panchwagh spoke with the presenters to gain more insights into this subject, including common misconceptions and the impact of moving to the cloud.
Dev: I wanted to get your thoughts on the cloud. How are threat hunting and compromise assessments conducted in the cloud? What are some of the differences you’re seeing? Does it require different approaches and tools?
Chris: From the Infocyte side, we’ve developed our products specifically to assess any device that a hacker can get into – if a hacker can get into a cloud system, we need to be able to assess those systems. When you look at traditional technologies, like firewalls or proxies, these things didn’t even run on x86. You can’t put those technologies in the cloud. These appliances run on custom hardware. With Infocyte, all we handle is software – it’s x86-based, it’s all virtual machines (VMs) that are running in the cloud, whether it’s Linux or Windows. So step one is to be able to run on any device that’s operating on premise or in the cloud. It’s important to understand that a lot of the methods we use for our compromise assessments operate in the cloud and on premise.
Andrew: I’ve been working a lot with organizations migrating to the cloud to pinpoint risk factors and future attack vectors. When we’re doing compromise assessments, we have to keep up with the latest adversary tactics, techniques, and procedures (TTPs). As adversaries advance and find new ways to exploit the cloud, we need to evolve with them.
Compromise assessments in the cloud look for evidence of attackers who maintain a foothold within the cloud infrastructure itself. For example, AWS Lambda and other cloud-enabled DevOps features are powerful tools. However, they can be subverted by malicious actors to target and dwell in cloud infrastructures. In the same way we assess workstations and servers, we need to be able to assess the cloud infrastructure to see where cyber criminals could be hiding.
Dev: What other advice would you offer security professionals to avoid data breaches or security incidents, especially as it relates to third-party assessments?
Chris: We’ve seen companies with really good security and clean networks, and we’ve seen networks that are abysmal. It can run the gamut. Regardless of your current cyber security posture, a third-party compromise assessment is an essential starting point. Organizations trying to figure out a base level need to understand that threat hunting is essential. Regardless of how sophisticated your organization’s security program is, you need a third party to verify your security state. And if your organization’s program isn’t as sophisticated, it’s even more reason to bring in another set of eyes. You need to figure out where the holes in your network are and potential vulnerabilities.
Andrew: In terms of where organizations typically stumble, they expect their under-resourced IT staff to respond well to having more tools and technology. But they need time to use those tools. If anything, those new tools and data feeds just add to the list of things they need to learn and monitor. When evaluating new technologies, it’s always important to consider the time it will take for implementation and training versus the benefits from those tools.
For example, the Infocyte threat hunting tool has simplified the process for less experienced threat hunters, but it still takes time to look through the results and investigate them.
Ultimately, more technology isn’t going to solve the problem of lack of time. If you’re expecting your IT team to take advantage of these technologies, you need to give them the time and resources that they need. If you can’t give them that time, that’s when a third-party service comes in. We’ve got that time and hunting is all we do.
Chris: For folks who have worked in multiple networks, it’s also important to determine if you’re better or worse than average when it comes to threat hunting. Someone like Andrew and Delta Risk can give you an honest assessment, whereas your own security teams will only relay what they’ve been taught.
Andrew: Absolutely, that’s where a third-party can be useful. As a threat hunter, I’m frustrated when we don’t find anything on a network, but I have confidence in our capabilities to conclude that the network is likely clean. For cyber security folks within an organization who haven’t found an incident on their network for the past two or three years, it’s hard to know if that’s because they missed something, or because their company has the proper security controls in place.
On the other hand, if you have a company like Delta Risk probe your network and they can’t find any issues, that carries a lot of weight. We’re surprised when we can’t find something and can help validate what your internal team is seeing.
Dev: Any final thoughts on the future of compromise assessments?
Chris: I’d like to end on a prediction: compromise assessments will become more popular. Compromise assessments and threat hunting as a service are the next penetration tests. Just answering the question “can I be hacked?” isn’t good enough. You need to answer whether you can be hacked today, and that’s what the compromise assessment answers.
With the increasing risk of undetected compromise in many organizations, regulators and insurers are discussing requirements that this service be conducted on regular intervals. I’d also predict that compromise assessments will soon be mandated to meet compliance requirements.
Summary
Compromise assessments and other threat hunting efforts are important to a strong and proactive security posture. In addition to answering the question, “can I be compromised?” organizations need a way to check if they’ve already been compromised. Organizations that don’t want to be caught off-guard should start hunting now.
For more on this topic, you can view our on-demand webinar, “Threat Hunting Versus Compromise Assessments: What’s the Difference?” We discuss threat hunting and compromise assessment best practices and the consequences of delaying these assessments.