Articles / Tools for the Cyber Hunter

on 06 Mar 2018

Just weeks after my first textbook on computer security was published in 1994, a far superior book emerged from two of my colleagues. Firewalls and Internet Security, by Bill Cheswick and Steve Bellovin was not only a more interesting work, but it was hatched from the trenches of a live gateway rather than from the safety of a classroom. Their book changed the course of my own career, because after ingesting every word (three times), I decided I wanted in.

Specifically, what I desired was to join the actual game – the real game, of cyber security. This meant stepping outside the lecture hall, rolling up my sleeves, and engaging directly with the adversary. The ensuing quarter of a century produced more learning for me than you can imagine – although when seated in a courtroom across from an accused teen hacker staring me down, I wondered sometimes if I’d gotten a bit too close.

Last week, I spent an awesome afternoon with the principals of R9B, a firm you might remember previously as Root9B. After a recent change of parent ownership, the slightly rebranded cyber security company provides solutions that seem the modern equivalent of Bill and Steve’s firewall security. That is, the R9B offerings were constructed in the trenches of real cyber security. So, if you spend your waking hours there, then read on.

“What we do,” explained Steve Picot, who leads customer experience and marketing for the company, “is provide practical services, tools, and training that support the cyber hunter working in industry, government, and law enforcement. Our solutions trace their lineage to our government and cyber intelligence roots, but they have been tailored to address the types of threats targeting all types of organizations today.”

R9B organizes their cyber products into three platform components: Orion is their agentless hunt platform for the cyber hunter working in a modern SOC; Orkos is their assessment and remediation solution for dealing with stolen credentials; and Loki is their platform tool for live attack detection against control systems. All three product offerings are designed to integrate seamlessly with the on-going procedures and practices in a SOC.

Since I’d seen comparably designated offerings from other vendors, I decided to probe a bit. The credential orientation of Orkos seemed especially interesting, so I asked about it. “We’ve learned through practical experience,” the R9B team explained, “that reuse of stolen credentials is one of the most common exploits. When it is done expertly, there is no need to install malware. Everything looks legitimate.”

R9B takes advantage of the fact that poorly selected or massively duplicated passwords can often be detected through automation, especially in enterprise Windows-based environments. Since passwords are not salted in Windows – including Active Directory, it is not hard for R9B to audit an enterprise to discover conditions such as some obvious permutation of the word ‘password’ being used throughout the organization for single-factor authentication.

I wanted to understand the range of support for the R9B suite – and the team shared their views on the offensive lifecycle: They explained that the initial intelligence gathering phase continues to offer limited opportunity for hunters to detect emerging threats. The subsequent exploitation phase, however, does introduce early opportunities for SOC teams to detect threats – which explains why this phase is so commonly targeted by cyber security vendors.

It is the command and control phase, followed by the privilege escalation phase, however, that offers so much return to the cyber hunter. And it is here that the R9B tools provide the most benefit, especially in cases where attackers with stolen credentials have begun to move laterally across an enterprise. “Few products available today do an acceptable job supporting analytics and mitigation in these critical offensive phases,” Picot shared.

We spent time during our discussion covering how R9B brings their capabilities to market. It was interesting to hear that they offer security-as-a-service – both managed security and managed detection/response – as a complement to their platform offering. This will be particularly important for companies dealing with the complexities of transition to hybrid cloud, enterprise mobility, data center virtualization, and of course a shortage of talent. These initiatives will bring great solutions to CISO teams, and the convenience of managed services should help.

In the end, it does not surprise me that the cyber security capabilities from a practical, in-the-trenches firm like R9B would be laser focused on existing challenges in existing SOC ecosystems. This makes their offerings so valuable to practical hunters, because the support follows empirical and observed issues in live settings. My suspicion is that existing R9B customers are probably wildly enthusiastic about the support.

So, if you are currently in the real game of cyber security, dealing with intense threats from capable adversaries, then I suggest you give Steve Picot and the R9B team a call. Their range of solution offerings for cyber hunters offers practical, impressive, and well-grounded support for the day-to-day needs of the modern enterprise SOC. And please let us know how your evaluation goes.