Bounty Hunting, Cyber Style

SMALL cyber tuesday

Threat hunting is the act of aggressively tracking and eliminating cyber adversaries as early as possible in what Lockheed Martin has dubbed the “Cyber Kill Chain.”

-From a SANS Whitepaper, by Eric Cole, PhD

It’s likely most people who hear the term bounty hunter now, think of Duane Chapman, who goes by the name Dog, and who starred in a reality TV show named, incredibly, Dog the Bounty Hunter. But for me, the real bounty hunter is Steve McQueen, who played Josh Randall, a confederate Civil War veteran who made a living as a bounty hunter in the Wild West. Up until Josh Randall showed up, the term bounty hunter described an unsavory practitioner who lived on the fringes of the law. Josh changed all that, and the bounty hunter became, at least occasionally, a good guy.

The modern day version of Josh Randall is now bringing justice to the cybersecurity frontier. Increasingly, companies are hiring “threat hunters,” cyber experts who hunt through enterprise architecture, and identify, target, and eliminate threats that are hiding somewhere in the maze. It’s real-time hunting to detect malicious activity, performed by experts who have both tools and experience that enables them to carry out successful hunts far more efficiently than typically can be done by the internal security team.

A SANS white paper written by Robert M. Lee and Rob Lee explains the rationale that lies behind threat hunting. “Threats are human. It is the adversaries, not just their tools, such as malware, that interest threat hunters. These adversaries are persistent and flexible and often evade network defenses. The threats are often identified as advanced persistent threats (APTs), not just because of the capabilities that the adversaries wield, but also because of their ability to initiate and maintain long-term operations against targets. Focused and funded adversaries will not be countered by security boxes on the network alone. And threat hunters are not simply waiting to respond to alerts or indicators of compromise (IOCs). They are actively searching for threats to prevent or minimize damage.”

One of the more interesting aspects of the threat hunting approach lies in the human dimension. Writing in DarkReading, Jai Vijayan quotes Ben Johnson, co-founder and chief security strategist at security vendor Carbon Black, as saying what separates threat hunting from the usual security practices is its emphasis on human skills. Threat hunting, Johnson says, is about “using humans to find bad [guys] versus having an alert fire from a piece of technology.” In that regard this version of bounty hunting is not so terribly different from that practiced across the shifting sands of history. The biggest difference may be that when the bounty hunters squint today, it’s not the sun in their eyes, it’s more likely eye fatigue from staring at too many screens.

By Tom Davis, SDI Cyber Risk Practice

August 2, 2016