Name: Eric Cole
Organization: Secure Anchor Consulting
Years hunting: 10+
Favorite datasets: Firewall and router logs, Netflow, Windows logs and Syslog
Favorite hunting techniques: Connection analysis, kill chain orientation
Who are you?
My name is Dr. Eric Cole. I'm the founder of Secure Anchor Consulting, a researcher, writer, and speaker. In the past, I served as CTO of McAfee and Chief Scientist for Lockheed Martin.
Why do you hunt and what is your experience hunting?
I have been threat hunting since 1991 before it was called threat hunting. When I worked for the government my belief was always to be proactive in finding the adversary and minimizing impact to the organization.
I have always hunted because the adversary is not always visible. Many attacks are very similar to illness in the human body. Often when you initially get sick with a disease, there is no visible sign. Only once the disease gets really bad is there a visible sign, but at that point it is usually too late. The earlier you can detect a problem the better. This is the reason we have yearly physicals. Any good doctor will tell you the secret to health is prevention and early detection. I have a similar motto with cyber security: prevention is ideal, but detection is a must. The sooner you can detect an attack, the less overall damage and impact to the organization.
How would you define Threat Hunting?
Threat hunting is proactive incident response. The definition I use for threat hunting is proactively evaluating an organization looking for indications of an incident to either confirm the entity is compromised or validate the entity is in a secure state.
What projects and organizations are you involved with?
My company Secure Anchor performs consulting working with a variety of organizations across retail, financial services, healthcare and utility companies to proactively find compromise and control the amount of damage caused by an attacker.
I also remain actively involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. I'm a SANS faculty Fellow and course author.
Which of the hunts you’ve carried out was the most interesting or challenging?
All of them, really. Every organization is unique and different, every attack is unique and different, and therefore every hunt is unique and different. Probably the most interesting one was a financial services organization that brought us in to hunt for compromises on their internal systems, and the investigation led us to evidence that allowed for a successful conviction of one of the executives who was embezzling money from the organization.
What hunting techniques, tools, and datasets do you use most frequently?
The most common method of hunting for me is network-based hunting. I'll perform some host-based threat hunting, but in my opinion packets are the blood and life of the organization. If you look hard enough at network traffic, it will tell you all of the deepest, darkest secrets of an organization. The focus I have found to be the most effective is on the lateral movement and the command and control channels. Both components have unique characteristics in how they work and operate. The key network characteristics that I examine are: number of connections, length of connection and amount of data transferred, and I do this for outbound traffic.
Two of the big mistakes I see organizations make are that they look at inbound traffic and examine the payload. There are three fundamental problems with this approach. First, most of the important traffic is outbound, and that is ultimately when the damage is being caused, such as data exfiltration. Second, inbound traffic is way too noisy. Third, most adversaries use encrypted channels, so if you are looking at the payload and it is encrypted, you will not be able to do the analysis.
If you look at the characteristics in network traffic, you should notice something very interesting: encryption does not matter. Whether or not the traffic is encrypted does not greatly impact those characteristics. Once we find suspicious traffic, I then perform host-based threat hunting. The key area of focus is what is running when the system starts. Adversaries, when they compromise a system, want longevity. They want to be able to stay on a system for a long period of time, which means they have to survive a reboot. Since the number of ways programs run at boot-up is finite, this is a great place to look for signs of compromise.
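The outbound connection analysis described in this answer, as an added example that is not part of the interview or of any Secure Anchor tooling: it groups outbound flows by source and destination, computes the three characteristics named (number of connections, connection length, bytes transferred) plus the regularity of the gaps between connections, and labels pairs that look like beaconing or bulk transfer for an analyst to review. The flow records, the internal address range and the thresholds are all constructed assumptions.

```python
# Added example (not from the interview): connection analysis over outbound flow
# records. Flow records, internal range and thresholds are constructed for illustration.
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed flow records: (src, dst, start_seconds, duration_seconds, bytes_out)
FLOWS = [
    ("10.0.1.5", "203.0.113.9", 0, 1, 300),      # small, regular: beacon-like
    ("10.0.1.5", "203.0.113.9", 60, 1, 310),
    ("10.0.1.5", "203.0.113.9", 120, 1, 305),
    ("10.0.1.5", "203.0.113.9", 180, 1, 300),
    ("10.0.2.7", "198.51.100.4", 10, 900, 2_500_000_000),  # one long, huge transfer
    ("10.0.3.1", "192.0.2.20", 5, 3, 2000),      # ordinary browsing
    ("203.0.113.9", "10.0.1.5", 30, 1, 500),     # inbound: ignored by design
]

def outbound_profiles(flows, internal=INTERNAL):
    """Group outbound flows by (src, dst); return count, length, bytes and gap jitter."""
    groups = defaultdict(list)
    for src, dst, start, dur, nbytes in flows:
        if ipaddress.ip_address(src) in internal and ipaddress.ip_address(dst) not in internal:
            groups[(src, dst)].append((start, dur, nbytes))
    profiles = {}
    for pair, recs in groups.items():
        starts = sorted(r[0] for r in recs)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        # coefficient of variation of inter-connection gaps: ~0 means clockwork timing
        jitter = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
        profiles[pair] = {
            "count": len(recs),
            "total_duration": sum(r[1] for r in recs),
            "total_bytes": sum(r[2] for r in recs),
            "gap_jitter": jitter,
        }
    return profiles

def classify(p, min_beacons=4, max_jitter=0.2, exfil_bytes=1_000_000_000):
    """Label one profile; thresholds are illustrative and need tuning per network."""
    if p["count"] >= min_beacons and p["gap_jitter"] is not None and p["gap_jitter"] <= max_jitter:
        return "possible-beacon"
    if p["total_bytes"] >= exfil_bytes:
        return "possible-exfil"
    return "normal"

def hunt(flows):
    """Map each outbound (src, dst) pair to a label for analyst review."""
    return {pair: classify(p) for pair, p in outbound_profiles(flows).items()}
```

Because the features are timing and volume only, the same logic applies unchanged to TLS or other encrypted traffic, which is the point the answer makes about encryption not mattering.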
What value do you actively see come out of your hunting activities?
In the way I perform threat hunting, regardless of the results, it provides value to the organization. I know some people view threat hunting as a pass or fail activity: either we found a compromise or we failed. In my opinion that approach is flawed because either way you have provided value. If we perform threat hunting and find a compromise, that provides instant value to an organization because we have helped them control the damage; however, not finding a compromise is just as important.
If an organization has a business process that utilizes very critical information you would want to perform threat hunting on that system to either find a compromise and control the damage or perform validation that the system is in a secure state. With many of my clients they are replacing penetration testing with threat hunting as a form of validation. In order for this to work, a key component is to make sure the threat hunting has a very specific scope in terms of what is being evaluated.
What parts of a hunt could you see as being most successfully automated or assisted by a machine?
Automation is a key and critical part of threat hunting because the fundamental problem today is too much data and not enough people. Humans are great at the creative analytics and the design and development of new methods to hunt. Once those have been developed, it is important to automate those pieces so you get the economy of scale.
What would you want to see Threat Hunting develop into across the industry in the future?
I would like to see threat hunting become a regular security audit that organizations perform on a regular basis. Instead of utilizing threat hunting as a one-time project, it should be continuously done.