Jennifer Ayers, CrowdStrike® VP of Falcon® OverWatch™ and Security Response, recently sat down with ISMG to discuss the importance of threat hunting and why it’s become such a hot topic in the cybersecurity space. The following is a summary of her insights and recommendations. You can listen to the podcast, “Why Managed Threat Hunting?”, and download a full transcription.
What Is Managed Threat Hunting?
The podcast begins with Ayers offering an explanation of what managed threat hunting is, pointing out that it has become a ubiquitous term in the cybersecurity industry, used to cover a number of different areas. She explains that it “is actually a very niche operating space, and there are different aspects of threat hunting capabilities that a vendor can provide or a company can build within their own environment.”
Ayers goes on to describe the three different layers of security response functions: the security operations center (SOC), responsible for monitoring and responding to alerts from some type of central system; the incident response (IR) team that investigates alerts and escalates them so they can be responded to by mitigating, reimaging the box, containing the system or taking some other appropriate action from the playbook; and threat hunting, where hunters look for “the unknown” — threats that haven’t been detected by passive monitoring tools. Ayers refers to this layer as the “human detection engine.” CrowdStrike’s managed threat hunting team, Falcon OverWatch, leverages the Falcon platform on behalf of customers to hunt for these unknown and stealthy attacks that standard measures can miss.
However, Ayers points out that trying to build a threat hunting team within an organization is challenging because, by nature, most organizations don’t get breached every day. She explains, “A lot of the customers that I’ve talked to tend to have people who have a dual role in incident response and threat hunting, which is also a challenge in itself because threat hunting is a full-time job.”
Why Is Threat Hunting Such a Hot Topic Now?
Ayers explains that while there has always been a need for threat hunting, what brought it to the forefront more recently is how security tools have changed over the last 10 years. Previously, these tools could not provide the full end-to-end visibility that effective protection requires. Instead, security teams had to gather everything together in a SIEM or some other central repository to be able to search through all the logs. “Most of the EDR (endpoint detection and response) tools that are on the market today are created by people like me, who had that experience of trying to wrench all of this stuff together and make a cohesive story, where all of this data is now being provided in one single place,” she says.
That’s why EDR tools like CrowdStrike Falcon provide far more information than has ever been available before, Ayers says. “You have detailed information around process execution. You have process trees, understanding what a parent process is doing, what kind of child process it spawned, or what its grandparent was, or what kind of process injections occur — this provides a wealth of information security teams need in a single place,” she says.
The Importance of Managed Services
Ayers contends that a major advantage of managed threat hunting is that it solves a lot of challenges that organizations are facing regarding funds and resources. Organizations turn toward managed threat hunting because it’s faster and more effective to have experienced hunters working 24/7 on your behalf, than to build an internal team and mature it. She explains that threat hunters look for adversaries that masquerade very effectively as legitimate administrators, but who might be doing one small thing differently. She describes it as “that little needle in the haystack that tells the Falcon OverWatch team that this is, in fact, adversarial behavior and not common to that environment.”
CrowdStrike’s Role in Proactive Threat Hunting
Ayers is enthusiastic about what CrowdStrike brings to the table. “There are so many things that we (the Falcon OverWatch team) use to engage and work with our customers across the board,” she says. Some of these tools include:
- Falcon Insight EDR, which allows “high-fidelity detection and prevention or protection capabilities,” enabling CrowdStrike to investigate what’s going on with a particular host by determining the types of behavior that occurred on that system and what actions were taken based on that behavior. Ayers says, “We’re able to see effectively end-to-end, across a large-scale organization or any organization, in terms of what the attacker is doing and where the attacker is potentially going.”
- Falcon Complete™ combines technology, people and processes, providing integrated incident response and threat hunting that works on behalf of the customer 24/7/365. When adversarial activity is detected, or OverWatch notifies the Falcon Complete team of any anomalous behavior, “We are able to take remediation action immediately,” she says.
- With Falcon X™, CrowdStrike’s automated threat intelligence offering, Ayers says her team is able to know the attacker’s motives and where they are potentially going next. Ayers feels it’s a privilege to have access to the data that can help customers, allowing them “to understand from a global environment, down to an industry, down to a specific customer, what types of adversary activity is going on, whether it’s eCrime-related, whether it’s just malicious-software-related, or whether it’s targeted-adversary-related,” she says.
Combating Emerging Threats
Lastly, Ayers addresses the recent threats she has observed that organizations should be aware of. Many adversaries are still using techniques similar to those that have been used over the past 10 years. “One of the main things that I continue to see is a lot of web shell usage of web servers that are put on the internet, but that are not hardened properly. They’re not patched properly. They’re not set properly, in terms of being a World Wide Web server, allowing some threat actor to take over that particular box and use it to jump internally to the network,” she says. Ayers also says her team is still seeing a lot of password credential theft – and passwords that were stolen last year being used this year.
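The process-tree telemetry described earlier and the web shell activity Ayers mentions here come together in a typical hunt: walk parent/child/grandparent relationships and look for a web server process that spawns a shell, something an administrator rarely does through the web server. The script below is an added illustration, not CrowdStrike or Falcon code; the event schema (host, pid, ppid, image) and the sample events are constructed assumptions.

```python
"""Rebuild EDR-style process trees and flag shells spawned by web server
processes, the kind of "one small thing" a hunter looks for. Added
illustration, not CrowdStrike or Falcon code; schema and events are assumed."""
from collections import defaultdict

# Constructed sample telemetry, one record per process start (fields assumed).
EVENTS = [
    {"host": "web01", "pid": 100, "ppid": 1, "image": "services.exe"},
    {"host": "web01", "pid": 200, "ppid": 100, "image": "w3wp.exe"},
    {"host": "web01", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"host": "web01", "pid": 310, "ppid": 300, "image": "whoami.exe"},
    {"host": "web02", "pid": 100, "ppid": 1, "image": "services.exe"},
    {"host": "web02", "pid": 210, "ppid": 100, "image": "w3wp.exe"},
    {"host": "web02", "pid": 220, "ppid": 210, "image": "csc.exe"},
    {"host": "admin1", "pid": 500, "ppid": 1, "image": "explorer.exe"},
    {"host": "admin1", "pid": 510, "ppid": 500, "image": "cmd.exe"},
]
WEB_SERVERS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}

def build_trees(events):
    """Index each host's processes by pid so ancestry can be walked."""
    trees = defaultdict(dict)
    for e in events:
        trees[e["host"]][e["pid"]] = e
    return trees

def ancestry(procs, pid):
    """Images for [self, parent, grandparent, ...], stopping at unknown pids."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain

def hunt_web_shell_spawns(events):
    """Flag shells whose parent is a web server; the same cmd.exe under
    explorer.exe on an admin workstation is ordinary and not flagged."""
    hits = []
    for host, procs in build_trees(events).items():
        for pid in procs:
            chain = ancestry(procs, pid)
            if chain[0] in SHELLS and len(chain) > 1 and chain[1] in WEB_SERVERS:
                hits.append((host, pid, " <- ".join(chain)))
    return hits

if __name__ == "__main__":
    for hit in hunt_web_shell_spawns(EVENTS):
        print(hit)
```

Only web01 is flagged: the csc.exe child on web02 is normal ASP.NET compilation, and the cmd.exe on admin1 has an interactive desktop parent, which is why the parent and grandparent context matters rather than the child image alone.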
She advises that organizations need to get “back to the basics” and make sure they are patching machines quickly, using tight password policies and resetting passwords every 60 days — even though users may find that a hassle. She says, “Nobody likes changing their password and they definitely don’t like changing their password often. But the reality is, adversaries – once they have them, they’re going to keep reusing them. Why fix what’s broken?”
Ayers believes this focus on basic security steps is as critical today as it ever was. “Now, there’s no real methodology for getting the adversaries out of your environment, but you sure want to make it as difficult as possible for them to stay in it. And putting in proper security procedures will help,” she says.