Now that cyberspace is a legitimate warfare domain with the requisite command issues for combatants, enterprise protection has had to shift. This is complicated by the often-unclear crossover between true acts of cyber war and more conventional criminal activity by bad actors. The community is still sorting this all out, but everyone agrees that organizations across every sector need a new approach to defending their networks.
Back in 2013, R9B introduced the concept of threat hunting to help with this enterprise defensive shift. The company has since prioritized development of threat hunting solutions to deal with this threat. R9B tools range from credential-based risk analysis to active adversary tracking and hunting across enterprise or infrastructure. Eric Hipkins, CEO of R9B, sat down with us recently to explain this mission. Here’s a summary:
EA: What are the typical tasks of the modern cyber hunter?
EH: Most actions by threat hunters are dependent on mission requirements, so it is difficult to identify a typical set of tasks. Some organizations still view hunting as analysis against passive collection techniques, such as reviewing logs or network traffic. At R9B, we view hunting as a human-led approach to pitting a thinking defender against a thinking adversary. In this regard, some common skills needed for any hunting mission include experience with operating systems and networking, as well as an understanding of how threat intelligence integrates with mission parameters to guide the hunt and adapt to the adversary. On top of technical knowledge, a hunter’s greatest ability is in creative thinking, generating hypotheses to identify adversaries that bypass traditional defenses and hide in the network.
EA: What are the offerings from R9B that assist hunters in their work?
EH: Since 2011, we have provided training on a broad range of topics that can significantly improve the efficiency and effectiveness of a hunter. That includes courses in cyber threat intelligence analysis, adversary tactics and techniques, PowerShell foundations, and OS-specific hunt certification. Our proprietary ORION platform was purpose-built for threat hunting. It is an agentless means of detecting, pursuing, and eliminating threats from networks. We recently gave it a new user interface and incorporated an API so that advanced hunt teams can customize it to their needs. Originally launched in 2013, ORION is currently used, and has proven effective, in both corporate and military environments. We also offer a credential risk assessment tool called ORKOS, which aids hunters by helping them quickly survey networks to identify connections that could make it easier for attackers to escalate privileges, moving from low-level to critical systems.
EA: Can you tell us more about how your solutions focus on credential risk?
EH: Early on, we recognized the importance of credential theft in the execution of malicious activities. In response, we developed software called ORKOS, a credential risk assessment tool designed for rapid deployment and credential risk vulnerability analysis. Administrators can quickly plug ORKOS into their network to get instant visibility into weak credentials. (We use proprietary rainbow tables and hash matching to identify weaknesses while protecting privacy.) Where ORKOS differs from less robust solutions is in its graphical representation of privilege associations, how they can create risks, and its remediation recommendations. We believe strengthening passwords is a good first step, but we also want to make sure administrators know how an attacker might use a low-level frontline user to escalate privileges and move laterally through the rest of the victim's network. ORKOS builds scenarios to provide custom remediation recommendations to mitigate identified credential risks within a virtualized environment.
EA: Do users have to be highly experienced in their craft to benefit from your tools?
EH: We have invested significant time and energy in making our solutions easy to use. Our experiences have taught us that even the most experienced operators still appreciate quick deployment, good design, and intuitive controls. Threat hunting against advanced adversaries can still require a highly specialized skill set, and tools are only part of the equation. At R9B, our mantra is “human-led. technology accelerated.” So, to be an effective threat hunter, it does take a lot of knowledge and experience, but for those who know what they are looking for, our tools make life a lot easier.
EA: What are some hunt-related trends you’re seeing in your customer base?
EH: As the security industry continues to adopt threat hunting, it has been encouraging to see an uptick in the pace of technological development. There is better collaboration across the board. Overall data management is still a major challenge, but artificial intelligence and expert systems are powering faster and more accurate analysis. We recently made a significant strategic investment in an AI expert system, which is helping our hunters find threats faster, so they can focus more on cleaning up the network. I look forward to continued collaboration, more development for API integrations, and better ways of making sense of the data.