HUNT OPERATIONS

FROM THE EDITORS AT CYBERSECURITY VENTURES

Q1 2017

The HUNT Operations Report is a destination for chief information security officers (CISOs) and IT security executives to follow the emergence of hunt operations to combat cybercriminal activity occurring in enterprise networks.

FLESH AND BLOOD

root9B goes HUNTing for hackers

John P. Mello, Jr.

Menlo Park, Calif. – Mar. 8, 2017

Eric Hipkins is a bit of a contrarian.

In an industry hot to automate every aspect of information security, the CEO of root9B is promoting a solution with flesh and blood at its core.

Current thinking about securing networks embraces the idea of “defense in depth.” That calls for defenses to be layered. A firewall, for example, would be a layer. Network monitoring would be another, as would be endpoint protection software.

That approach is good, but it doesn’t go far enough to protect a network from the kind of threat actors marauding the Internet today.

“Defense in depth continues to place automated solutions in the network and hopes they can outthink the adversary,” Hipkins says. “It’s a failed strategy.”

Turning Defenders into Hunters

An indicator that it is a failed strategy is that dwell times, the time between the compromise of an organization's network and the discovery of that breach, remain high. In a report released last year, FireEye put the global median dwell time at 146 days.

That contrasts starkly with the results of root9B’s approach. “We’ve been able to close that down to minutes, hours or single-digit days because we live on the network and have a full understanding of it.”

Hipkins emphasizes that automation is important to network defense. “You absolutely need those capabilities, but it cannot be the final layer of security,” he says.


HUNT GRAM: 47% of all manufacturing sector data breaches involve an advanced adversary. HUNT provides increased ROI for insufficient passive and automated security systems. (root9B)


“We use that automation to inform our hunters and then go live on the system to remediate any issues that they do have,” he adds.

Those hunters use an approach pioneered by root9B called HUNT. “HUNT is a defensive strategy that incorporates an active cyber defender to proactively hunt for and engage an adversary within an organization’s network,” Hipkins explains.

“It’s all about arming a human defender with an advanced detection, proactive response technology and relying less on automated capability to outthink the adversary,” he adds.

Rooting Out Net Rats

Hipkins founded root9B in 2011 with four other people, all with military and intelligence backgrounds. The company's name is a compound of two ideas. "Root" refers to "rooting" a system. When attackers root a system, they own it and can do whatever they want with it. root9B aims to prevent that. "9B" is a pair of hexadecimal digits: the digit B stands for 11, so 9B reads as 9-11, a reference to an infamous date in American history. Hex is the base 16 number system commonly used in electronics and programming, with digits running from 0 to 9 and then A to F.

“I felt that the community had already conceded their network to the adversary and were focused on post exploitation versus pre-exploitation,” he explains. “I felt that given the right group of talent and building the right capabilities, we could stop that.”


HUNT GRAM: Over 90% of malware hashes are seen in the wild for less than a minute. Active HUNT can detect adversaries subverting automated and passive security systems. (root9B)


Initially, root9B focused on cybersecurity training. After establishing a top-notch reputation in that field, the company was able to diversify into cybersecurity software tools and services. It was purchased in 2013 by the Premier Alliance Group for $1.75 million in cash and stock. When Premier later repositioned itself as a provider of cybersecurity and regulatory risk mitigation services, it changed its name to root9B Technologies.

Hipkins' root9B is headquartered in Colorado Springs, Colo., where it employs 40 people, with 40 more at three other offices. The company also operates its $2 million Adversary Pursuit Center in Colorado Springs, which provides cloud security services and training to its customers.

Training remains an important part of root9B's product mix. It recently formed a partnership with Science Applications International Corp. (SAIC) to offer simulation and training to the U.S. government.

Companies Want Military-Grade Solutions

root9B has two software offerings: Orkos and Orion.

Orkos is a credential assessment program. Credential compromise is often used by attackers to enter a system and set up shop. Orkos can help identify exposed credentials and prevent a threat actor from moving laterally in a system.

Orion is a software platform that ingests the output of the automated tools across an organization's network and allows a root9B operator to perform live reconnaissance on that network, as well as remediate any adversary activity found there. Hipkins adds, "Built into the Orion platform is the ability to interrogate live memory, where a lot of these adversaries operate."

Tools, while important, take a back seat to humans in root9B's cybersecurity approach. However, the standards for those human defenders are very high. In a report authored by Hipkins, COO John Harbaugh, CTO Michael Morris and Chief Scientist David Aucsmith, it is noted that the implicit assumption in root9B's defensive approach is that network defenders will know how to look for and recognize the adversary, deal with them when found, and leverage actionable threat intelligence to prevent the breach in the first place.


HUNT GRAM: Less than 1% of system drivers are unique. HUNT will identify end-of-life systems, which provide additional attack surface for your adversary. (root9B)


“The defender must understand the adversary’s mindset, motives, tactics, tendencies, and exploitation techniques,” the authors continue. “They must be well-trained, intimately familiar with both their adversaries, as well as the tactics and techniques employed by these threat actors.”

“They must understand not only their adversary, but also the vulnerabilities and potential targets within the organization they are defending,” they add. “All of this must be backed by business context driven, specific, and actionable threat intelligence.”

If all that has a military sound to it, it’s not accidental. As threat actors become more sophisticated, companies have begun looking for military-grade solutions for their cybersecurity needs. “They understand,” Hipkins says, “that the adversary that they’re facing, in many cases, has military or intelligence ties.”

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.


Q4 2016


FEATURE STORY

No. 1 Cyber Defense Firm Goes On The Hunt

Steve Morgan, Editor-In-Chief

Menlo Park, Calif. – Nov. 30, 2016

The editors at Cybersecurity Ventures recently caught up with Eric Hipkins, Founder, Chairman and Chief Executive Officer at root9B, a rapidly expanding, publicly-traded cyber defense firm focused on advanced adversary pursuit — a.k.a. HUNT. Hipkins has served as CEO since May 2011. He has built a team of more than 50 tier-I Cyber Network Operators and Security Specialists, some of the top cyber-fighters in the world.

In a nutshell for people who are not familiar, what exactly does it mean to HUNT?

Hunt is a defensive strategy that incorporates an active cyber defender (human) to proactively maneuver through the organization’s proprietary network in order to identify indicators of an attack and preemptively counter these threats. In this approach, the human defender is armed with network telemetry and intelligence coupled with advanced detection and proactive response technologies. Essentially, the approach pits an active, thinking defender against an active, thinking attacker.


HUNT GRAM: HUNT surveys reveal that 1 out of every 125 PE files has a unique hash, which may be indicative of polymorphic code. (root9B)


Is HUNTing defensive or offensive?

Active Adversary Pursuit, or Hunt, in its purest form is defensive, but it is based on a model of thinking offensively: "think like the attacker" to conduct defensive operations.

This man-against-man defensive concept is a familiar and proven approach in the physical landscape. The use of manned guards has become all too familiar in sensitive areas of both commercial and government organizations. The defender in the physical space leverages technology (fences, alarms, cameras, locks, etc.) to augment or supplement his or her ability to rapidly engage an adversary attempting to breach the perimeter or operating within the protected space. Should the guard identify a breach, he or she is equipped with appropriate defenses to actively secure the physical space and take action. These human defenders are actively patrolling and investigating, cued by technology where there are indications of a breach in their space.

The concept of HUNT for Cyber operations is really no different. It is bringing the human defender back to the center of cyber defense while leveraging advanced technology to meet and defeat the human adversary. This defender must occupy the center of cyber defense while leveraging advanced technology to meet and defeat the human adversary residing in the uncontested network space. This implies a dedicated intelligence capability that studies the adversary and develops specific tools, techniques, and procedures to counter the adversary.


HUNT GRAM: Effectively integrating host and network data analytics to drive HUNT operations can reduce adversary detection time to 30 minutes vs. months. (root9B)


To effectively HUNT, what type of skill set is required?

There are a number of fantastic security engineers in the cyber defense space with skill-sets that facilitate HUNT. These include backgrounds in security assessments, forensics, malware analysis, reverse engineering, incident response, etc.

That said, regardless of the specific skill-set, the defender must understand the adversary’s mindset, motives, tactics, tendencies, and exploitation techniques. They must be well-trained, intimately familiar with both their adversaries, as well as the tactics and techniques employed by these threat actors.

They must understand not only their adversary, but also the vulnerabilities and potential targets within the organization they are defending. All of this must be backed by business context driven, specific, and actionable threat intelligence.


HUNT GRAM: Credential risk assessments of large networks will reveal that 75% of accounts lead to privilege escalation and domain admin access, which is a significant attack surface for any adversary. (root9B)
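The credential risk described in the Orkos write-up earlier in this report (exposed credentials that let a threat actor move laterally) and in the HUNT GRAM above (most accounts leading to domain admin) is at bottom a reachability question over two relations that a defender can pull from the directory and from endpoint session data: who is a local administrator where, and whose credentials are resident on each host. The following Python is an added example written for this report; it is not root9B's or Orkos's code. The accounts, hosts and sessions are constructed, and the function names are the example's own.

```python
"""Credential risk assessment as a reachability problem.

Added example for this report; it is not root9B's Orkos code. The inventory
below is constructed. Two relationships are modelled:

  ADMIN_RIGHTS[account] = hosts on which the account is a local administrator
  SESSIONS[host]        = accounts with a live session (and thus harvestable
                          credentials) on that host

An attacker who holds an account that is admin on a host can take the
credentials of every account logged on there, then repeat from each of those
accounts. Every account from which a domain admin is reachable is a credential
risk, and the chain found is the path to remediate.
"""
from collections import deque

DOMAIN_ADMINS = {"da_alice"}

ADMIN_RIGHTS = {
    "bob":      {"WS01", "WS02"},
    "carol":    {"WS03"},
    "helpdesk": {"WS01", "WS02", "WS03", "WS04"},
    "dave":     {"WS05"},
    "erin":     set(),
    "svc_sql":  {"SRV01"},
    "da_alice": {"DC01", "SRV01"},
}

SESSIONS = {
    "WS01":  {"bob"},
    "WS02":  {"helpdesk"},
    "WS03":  {"carol"},
    "WS04":  {"da_alice"},   # a domain admin logged on to a workstation
    "WS05":  {"dave"},
    "SRV01": {"svc_sql"},
    "DC01":  {"da_alice"},
}


def escalation_path(start, admin_rights, sessions, targets):
    """Breadth-first search from `start` over admin-rights/session edges.

    Returns the shortest chain as a list of (holder, host, victim) steps
    ending at an account in `targets`, or None if none is reachable.
    """
    parent = {start: None}
    queue = deque([start])
    while queue:
        acct = queue.popleft()
        if acct in targets:
            steps = []
            while parent[acct] is not None:
                holder, host = parent[acct]
                steps.append((holder, host, acct))
                acct = holder
            return list(reversed(steps))
        for host in sorted(admin_rights.get(acct, ())):
            for victim in sorted(sessions.get(host, ())):
                if victim not in parent:
                    parent[victim] = (acct, host)
                    queue.append(victim)
    return None


def assess(admin_rights, sessions, domain_admins):
    """Map every non-DA account to its escalation path (or None) and return
    that map plus the fraction of accounts that reach domain admin."""
    results = {}
    for acct in admin_rights:
        if acct not in domain_admins:
            results[acct] = escalation_path(acct, admin_rights, sessions, domain_admins)
    at_risk = sum(1 for path in results.values() if path is not None)
    return results, at_risk / len(results)


def without_da_sessions_on_workstations(sessions, domain_admins, prefix="WS"):
    """Remediation candidate: domain admins never log on to workstations."""
    return {host: (accts - domain_admins if host.startswith(prefix) else set(accts))
            for host, accts in sessions.items()}


if __name__ == "__main__":
    before, frac_before = assess(ADMIN_RIGHTS, SESSIONS, DOMAIN_ADMINS)
    for acct, path in before.items():
        if path:
            chain = " -> ".join(f"{holder}@{host}" for holder, host, _ in path)
            print(f"{acct:9s} {chain} -> domain admin")
        else:
            print(f"{acct:9s} no path")
    print(f"accounts reaching domain admin: {frac_before:.0%}")
    fixed = without_da_sessions_on_workstations(SESSIONS, DOMAIN_ADMINS)
    _, frac_after = assess(ADMIN_RIGHTS, fixed, DOMAIN_ADMINS)
    print(f"after removing DA workstation sessions: {frac_after:.0%}")
```

In the constructed data the single domain-admin session on WS04 is what turns two ordinary accounts (bob and helpdesk) into paths to domain admin; re-running the assessment with that session removed drops the at-risk fraction to zero, which is the kind of before-and-after measurement a credential risk assessment should produce.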


Can corporations train their own IT security people to HUNT?

Absolutely.

Unfortunately, in order to conduct HUNT operations you really have to focus your training on understanding the mentality of the attacker and where they would focus their efforts. Rather than “reacting” to network attacks, HUNT Operators have to be focused on proactive surveillance of their networks. True security requires defenders to constantly evaluate their networks in order to deter attacks, create mitigation techniques, provide attribution, detection, and an appropriate response. They have to be prepared to adapt to their threat and tailor an appropriate solution.

Does root9B have products that support HUNT operations?

root9B has developed several products that directly support Adversary Pursuit Operations or HUNT. These products enable cybersecurity professionals to actively maneuver and engage adversaries in their proprietary network. Examples include ORION, which features an agentless remote interrogation capability that provides full chain-of-custody, data analytics and live memory analysis. ORION delivers the expected level of back-end data analytics and easy network implementation for the client to realize immediate benefits from HUNT operations. ORKOS provides interactive credential risk assessment and remediation by identifying the credential risks that lead to network breaches and adversary lateral movement within an enterprise.


HUNT GRAM: Since 2013, the #1 tactic used by adversaries is leveraging stolen or weak credentials. Anti-virus and anti-malware products do not detect this. Credential/login auditing and HUNT operations are how you catch these. (root9B)
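A stolen credential produces a successful logon, so signature-based tools have nothing to match; what a login audit looks for instead is a valid account behaving unlike itself. The Python below is an added example for this report, not root9B's code. The log is constructed, a flattened rendering of Windows Security event 4624 (successful logon) with only the fields a hunter pivots on, and the two checks, the baseline cutoff and the thresholds are the example's own choices.

```python
"""Credential/login auditing for stolen-credential lateral movement.

Added example for this report, not root9B's code. The log below is
constructed: a flattened rendering of Windows Security event 4624
(successful logon) with the fields a hunter actually pivots on.

  timestamp, event_id, logon_type, account, source_ip, target_host

Logon type 2 = interactive (console), 3 = network (SMB, WMI, PsExec-style),
10 = RemoteInteractive (RDP). Two checks are run, neither of which needs a
malware signature:

  new_source  the account authenticates from a source address never seen
              for it during the baseline period
  fanout      the account's remote logons (types 3 and 10) reach at least
              MIN_HOSTS distinct hosts inside a short sliding window
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2017-03-01T08:02:11,4624,2,jsmith,10.1.1.20,WS-JSMITH
2017-03-01T08:05:40,4624,3,jsmith,10.1.1.20,FS01
2017-03-02T09:01:05,4624,2,jsmith,10.1.1.20,WS-JSMITH
2017-03-02T09:03:19,4624,3,jsmith,10.1.1.20,FS01
2017-03-03T07:58:30,4624,2,jsmith,10.1.1.20,WS-JSMITH
2017-03-07T02:14:02,4624,3,jsmith,10.1.1.77,WS-HR04
2017-03-07T02:14:09,4624,3,jsmith,10.1.1.77,WS-HR05
2017-03-07T02:14:15,4624,3,jsmith,10.1.1.77,WS-FIN02
2017-03-07T02:14:22,4624,3,jsmith,10.1.1.77,FS01
2017-03-07T02:14:31,4624,3,jsmith,10.1.1.77,SRV-SQL01
2017-03-07T02:15:03,4624,10,jsmith,10.1.1.77,SRV-SQL01
2017-03-07T08:30:00,4624,3,backupsvc,10.1.1.5,FS01
"""

BASELINE_CUTOFF = "2017-03-05T00:00:00"   # events before this train the baseline
MIN_HOSTS = 4
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Parse the flattened 4624 lines into dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src, host = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account,
                       "src": src, "host": host})
    return sorted(events, key=lambda e: e["ts"])


def find_new_sources(events, cutoff):
    """Flag (account, source) pairs first seen after the baseline cutoff.
    An account with no baseline at all is flagged too: a hunter wants to see
    never-before-seen principals, not have them silently whitelisted."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            known[e["account"]].add(e["src"])
    findings, reported = [], set()
    for e in events:
        key = (e["account"], e["src"])
        if e["ts"] >= cutoff and e["src"] not in known[e["account"]] and key not in reported:
            reported.add(key)
            findings.append({"rule": "new_source", "account": e["account"],
                             "src": e["src"], "first_seen": e["ts"]})
    return findings


def find_fanout(events, min_hosts=MIN_HOSTS, window=WINDOW):
    """Sliding-window count of distinct target hosts per account over remote logons."""
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] in (3, 10):
            by_account[e["account"]].append(e)
    findings = []
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            hosts = {e["host"] for e in burst}
            if len(hosts) >= min_hosts:
                findings.append({"rule": "fanout", "account": account,
                                 "src": sorted({e["src"] for e in burst}),
                                 "hosts": sorted(hosts),
                                 "window_start": burst[0]["ts"], "window_end": burst[-1]["ts"]})
                break   # one finding per account is enough to cue the hunter
    return findings


def audit(log_text=LOG, cutoff=BASELINE_CUTOFF):
    """Run both checks over the log and return the findings as one list."""
    events = parse(log_text)
    return find_new_sources(events, datetime.fromisoformat(cutoff)) + find_fanout(events)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed log, jsmith's routine pattern (console logon on his own workstation, one file server) gives way to network logons from a new address touching four hosts in twenty seconds, then RDP to a SQL server; both checks fire on it, and each finding carries the account, source and hosts a hunter needs to go on the box and look. The backupsvc hit is the kind of lead a baseline check also surfaces, an account with no history at all, which is worth a look rather than an automatic suppression.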


root9B brings vast military cyber experience to private sector firms and commercial enterprises.

Offering people with HUNT backgrounds to CIOs, CISOs, and IT security teams who are struggling with cyber operations and threat defense in the face of a severe cybersecurity workforce shortage is what really sets root9B apart from the rest of the field.

Steve Morgan is founder and CEO at Cybersecurity Ventures and Editor-In-Chief of the Cybersecurity Market Report and the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies.


© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.