What to do When Attackers Hide in Plain Sight

Picture this: It’s Paris, 2010. A perfect spring day. You’re working at the Musée d’Art Moderne de la Ville, which houses some of the best and most celebrated paintings of all time: Picassos, Matisses, Modiglianis. Though the paintings are from another era, the gallery has updated its security systems to reflect current-day capabilities: motion sensors, safe hooks, glass break detection, and tiny GPS on high-value paintings. The museum has carried out regular risk assessments, similar to a pen test for digital security, and run mock exercises, like the exercises cyber security experts extoll in incident response planning and preparation.

When the museum closes for the night, security staff note that everything appears to be running as expected. No alarms. No anomalies. No apparent malfunctioning controls. Yet, when museum staff return to the gallery the next day, five precious paintings have been stolen! At first glance, there’s no sign of actual damage. How could that be? Why weren't alarms triggered and investigated? Surely the motion detectors would have picked up suspicious movement and CCTVs would have captured intruders.

In this famous art heist[1], a French thief named Vjeran Tomic managed to evade detection by leaping between rooftops and scaling walls of the museum. He’d honed his agility over the years and was a practiced, patient thief who’d one day noticed that one exterior security camera was slightly blocked by a parapet. Exploiting this opportunity and taking advantage of a malfunctioning alarm he’d noticed during his reconnaissance mission a few weeks before, he was able to pull off one of the biggest art thefts in history.

It’s this scenario, except in the digital realm, that keeps security practitioners up at night. And it's the very reason penetration testing and threat hunting were devised. As is obvious to any security pro in 2020, continuous testing of network environments and controls isn’t enough; companies must think like thieves and actively hunt for suspicious activity—like noticing mispositioned security cameras or carefully removed screws, or considering that an athletic criminal might use parkour-like skills to enter a building—to prevent a major exploit.

Adding automation to exploration

However, threat hunting is time consuming and expensive. Is it less expensive to hire a group of full-time threat hunters than it is to lose $700 million USD by exposing the PII of roughly half of US citizens? Of course it is. But it’s a risk equation most companies bet against.

Not Uri May and Tomer Kazaz, two former Israeli Defense Forces officers who wanted to build predictability and scalability into cyber defense. In 2018 the pair founded Hunters to offer an automated threat hunting platform. During a recent briefing, Director of Marketing Noa Katz said that May and Kazaz wanted “to democratize threat hunting and make it accessible for companies of all sizes to track attackers who are blending in with the increasing amount of telemetry companies collect.”

To accomplish this, the founders knew that, one, the platform had to use all available sources of data deployed in customers’ environments, and, two, it needed to be machine led. In other words, while there is great value in human threat hunting, it’s not scalable and often cannot make optimal use of organizational data. Katz said that their technology proactively sifts through data, surfaces attack signals, automatically enriches data, investigates events or incidents, and correlates them across environments to infer attackers’ TTPs.

Combining capabilities

So far this sounds like what many other automated platforms might do. Hunters starts to differentiate itself with its internal threat hunting team, which may, at first, seem a little incongruous with the automation the company highlights on its website, in marketing materials, and during conversations. Regardless, Hunters maintains a team of active human hunters whose primary job is to train the platform with findings and attack techniques, and to tweak algorithms so that machine learning biases are limited.

In this way, Hunters isn’t removing the necessary human element from threat hunting; it’s removing the burden on the end user organization and augmenting the platform with human-found and -scrutinized insights. In turn, this means that businesses with limited SOC capabilities can now take advantage of threat hunting by deploying the company’s SaaS-based technology.

Nitsan Bider, Hunters' VP of Product, reiterated that the value of their platform is predicated on the detection methods and attacker TTPs that their internal threat hunting specialists build into the product. Companies with large threat analyst staffs can augment their capabilities with the automated functionality. Organizations lacking internal skill sets can start or grow their programs to become more proactive against shrewd thieves who constantly evolve their TTPs to evade traditional event and behavioral detection tools.

While the automated threat hunting space has become crowded in recent years, Hunters’ aptitude is tied to the company’s sole focus. Because of this dedication and passion (“We all left good, really secure jobs to bet on Hunters,” said Katz), the company just publicly announced its A round of $15 million, led by Microsoft’s Venture Fund and US Venture Partners, and backed by Okta Ventures. With such strong backing, we at TAG Cyber would bet big on this scrappy startup too.