On November 14, I had the privilege of testifying before the Senate Armed Services Subcommittee on Cybersecurity. The official title of this hearing was “Department of Defense’s Cybersecurity Acquisition and Practices from the Private Sector.” The committee is gathering information on meeting the challenges of today’s sophisticated and coordinated nation-state cyberattacks. They are seeking guidance on incorporating the best cybersecurity strategies for the DoD by consulting leaders in the cybersecurity industry. I was deeply honored to be among those chosen to participate.
I’m offering the written testimony I shared in a series of three blog posts, starting today with my introductory remarks on threat hunting.
I co-founded CrowdStrike® more than seven years ago with a mission to stop cyber breaches, including those caused by some of the most sophisticated adversaries. Today, it is one of the world’s leading cybersecurity firms and protects thousands of enterprise and government networks across over 100 countries. As part of our efforts, our endpoint security technology is deployed on IT systems and collects over a trillion security-related events every single week. On a daily basis, we engage in virtual hand-to-hand combat with sophisticated adversaries from global criminal groups and nation-states such as China, Russia, Iran and North Korea seeking to compromise our customer networks. Our job is to hunt such adversaries and eject them rapidly from those networks, before a breach occurs. We are exceptionally good at this job. I’m here to offer you a perspective based on this experience.
The Department of Defense (DoD) faces a similar challenge to that of the private sector. The very same threat actors targeting private industry today, to steal intellectual property and sometimes carry out destructive attacks, are trying to break into DoD networks to conduct espionage and degrade our warfighting capabilities.
In facing this threat, DoD has a number of advantages. In terms of experience, DoD deserves credit for having first defined, a generation ago, some of the concepts that still guide the field today in network defense. DoD’s cybersecurity operators are every bit as talented and motivated as their private-sector counterparts. In fact, some of the best people we have at CrowdStrike have backgrounds with the Department and our military services. And as a nation, we have applied significant resources to DoD cybersecurity. There likely is no organization on the planet that spends as much on cybersecurity as the Department.
Still, the private sector has the advantage of operating in a relatively unconstrained commercial environment. This environment has fostered agile responses to our shared threats that outpace DoD capabilities in some notable ways. The Department, of course, has some unique challenges in terms of the size of its IT enterprise and its geographic dispersion. But I view scale as an advantage. The most capable private-sector organizations have succeeded by maintaining a primary focus on rapidly detecting and ejecting adversaries from the networks that they are infiltrating on an almost constant basis.
I believe that applying a similar focus to DoD’s defensive mission will advance the Department’s ability to protect its enterprise and, thus, the security of our nation. The three most important strategies DoD should utilize to gain an upper hand in this fight are: hunting, cloud technologies, and the 1-10-60 rule.
First Strategy: Hunting
First, DoD needs to refocus on continuously hunting for adversaries on its networks. Much of what the Department does today is cyber hygiene. Implementing security controls is hygiene. Patching vulnerabilities is hygiene. Building an asset inventory is hygiene. All are important, but they are not sufficient to stop sophisticated breaches. No matter how good the Department gets at these tasks, they alone will not accomplish the most important mission: stopping foreign intelligence and military services from countries such as Russia and China from breaking into our networks. Let me reiterate this critical point – good cyber hygiene will not stop determined GRU or PLA cyber actors – just as having locks on the door of your house would not stop Navy SEALs from getting in if they have a mission to do so. And too often these hygiene efforts come at the expense of hunting down and ejecting adversaries that are likely already in the network.
Hunting is assuming that adversaries are in your network and proactively searching for them by looking across your assets for indicators of malicious activity. Simply investigating alerts generated by security tools is not hunting. Good hunters have an offensive mindset and think like the adversary. They ask questions such as: If I were them, where would I hide? How would I move around this network? What trail would I likely leave? They also construct and test hypotheses about new attack activity based on previously observed adversary tactics, techniques, and procedures. They identify subtle distinctions among ostensibly legitimate behaviors or patterns. They understand the environment and how to concentrate their efforts, and adapt their process as adversaries demonstrate new capabilities.
Hunting is less labor-intensive than it may sound. For example, CrowdStrike’s Falcon OverWatch™ service, which hunts 24×7 across the thousands of networks and millions of machines around the world that make up our entire customer base – far larger in aggregate than the entire DoD enterprise – comprises approximately 20 people. We do have top-tier talent in these roles; our customer environments are well-instrumented; and we have architectures in place to support the mission. But DoD can use similar capabilities and ramp up its hunting operation without an enormous personnel mobilization effort.
Please Note: Part Two of this testimony, which is on cloud technologies, will be published next week.
For More Information:
Watch Dmitri’s testimony at the Hearing of the Senate Subcommittee on Cybersecurity.
Learn about the CrowdStrike Falcon OverWatch managed hunting team and why it is an integral part of the Falcon platform.
Download the report, “Observations from the Front Lines of Threat Hunting: A 2018 Mid-Year Review From the CrowdStrike Falcon OverWatch Team.”