The Knight's Fork: Hunting the hunter

May 10, 2017 | 3 mins
Analytics, Backup and Recovery, Investigation and Forensics

An effective hunt can mitigate lateral movement and the exfiltration of the crown jewel, but the true utility of an effective hunt team is to inhibit destructive attacks and effectuate attribution.


We are being hunted in cyberspace. Gone are the days of smash-and-grab cyber burglaries. In today's increasingly punitive cyberspace, cybercriminals have transitioned from burglary to home invasion. Victim organizations are experiencing multiple criminal schemes of monetization. Data is stolen and subsequently the brand is used against its own constituency via watering hole attacks and business email compromise campaigns.

It still takes months for a victim organization to respond to a cyber-intrusion. Given the reality that the cybercriminal has a footprint within one's network for an extended period, one must alter one's security posture. The metric by which we can assess the potency of a cyber-countermeasure is how effectively it decreases an adversary's dwell time. Decreasing dwell time is the measurable metric by which we can value a return on investment for an enterprise.

Diving further into decreasing dwell time: the true ROI of cybersecurity investment is the delta in dwell time. There is a direct correlation between cybersecurity investment and brand protection. Hunting gives an organization the opportunity to turn the tables on an adversary. Whereas an effective hunt can mitigate lateral movement and the exfiltration of the crown jewels, the true utility of an effective hunt team is to inhibit destructive attacks and effectuate attribution.

Hunt teams must be established. The team must be multidisciplinary. These hunters must have incident response and forensics experience. They must play chess and possess knowledge of geopolitics, as understanding the motivation for an attack is paramount. Assemble a team of operators who understand that identifying an active compromise on the network requires knowledge of not only technical solutions (endpoint monitoring, passive network monitoring, memory augmentation), but also of current exploits, vulnerabilities, threat actor methodology and TTPs.

Develop a threat profile. This will help a hunter know where to prioritize hunting (and ultimately where to start hunting). Apply big data analytics and memory augmentation: big data to consolidate efforts, sort information faster, and enable tools to do the target acquisition for the team. This results in a force multiplier for your hunters. Finally, develop rapid response protocols. Deciding when to turn up the volume is critical, as counter-incident response measures and destructive attacks are becoming the norm.

You might now ask yourself: with what do we arm our hunters? A threat hunt is most effective when employing both active measures (agents deployed to endpoints) and passive measures (netflow, packet capture appliances). User and entity behavior analytics must be employed, as it is critical to baseline "normal" network and host behavior in a threat hunt; contextualizing normal behavior is the most effective way of determining where an adversary might lie in wait.

Hunters should evaluate users with higher levels of access to a network's "crown jewels", and deception grids should be deployed around these users and hosts. Lastly, deploy memory augmentation to facilitate situational awareness and reverse search for attribution. This capability will serve as your night vision goggles.
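The two preceding paragraphs describe baselining "normal" user and host behavior and then weighting deviations more heavily for users with crown-jewel access. The following Python script is an added illustration of that idea and is not code from the article or its author: it builds a per-user baseline (source hosts, working hours, outbound byte volume) from a constructed history, scores new events against it, and doubles the score for users on an assumed privileged list. The record layout, the sample values, the `PRIVILEGED` set and the scoring thresholds are all assumptions made for the example.

```python
"""Baseline-then-deviation scoring over constructed authentication/netflow records.

Added example, not from the article. Every field, user name, threshold and the
PRIVILEGED list below is an assumption chosen to make the technique visible.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of "known good" activity: (user, source_host, hour_of_day, bytes_out)
HISTORY = [
    ("alice", "ws-alice", 9, 2_000_000),
    ("alice", "ws-alice", 11, 2_200_000),
    ("alice", "ws-alice", 14, 1_800_000),
    ("alice", "ws-alice", 17, 2_000_000),
    ("dba_admin", "ws-dba", 8, 500_000),
    ("dba_admin", "ws-dba", 10, 600_000),
    ("dba_admin", "jump-01", 12, 550_000),
    ("dba_admin", "ws-dba", 16, 450_000),
]

# Assumed list of identities with access to the "crown jewels" (from the threat profile).
PRIVILEGED = {"dba_admin"}


def build_baseline(records):
    """Summarize each user's normal hosts, hour window and outbound volume."""
    by_user = defaultdict(lambda: {"hosts": set(), "hours": [], "bytes": []})
    for user, host, hour, nbytes in records:
        by_user[user]["hosts"].add(host)
        by_user[user]["hours"].append(hour)
        by_user[user]["bytes"].append(nbytes)
    return {
        user: {
            "hosts": frozenset(b["hosts"]),
            "hour_lo": min(b["hours"]),
            "hour_hi": max(b["hours"]),
            "bytes_mean": mean(b["bytes"]),
            "bytes_std": pstdev(b["bytes"]),
        }
        for user, b in by_user.items()
    }


def score_event(baseline, event, privileged=PRIVILEGED):
    """Return (score, reasons) for one event; higher means further from normal."""
    user, host, hour, nbytes = event
    reasons = []
    profile = baseline.get(user)
    if profile is None:
        # An identity with no history at all is treated as a strong signal (assumed weight).
        score = 3
        reasons.append("no baseline for user")
    else:
        score = 0
        if host not in profile["hosts"]:
            score += 1
            reasons.append("new source host")
        if not (profile["hour_lo"] <= hour <= profile["hour_hi"]):
            score += 1
            reasons.append("off-hours")
        std = profile["bytes_std"] or 1.0  # avoid division by zero on constant history
        z = (nbytes - profile["bytes_mean"]) / std
        if z > 3:  # assumed threshold: > 3 standard deviations above the user's mean
            score += 2
            reasons.append(f"bytes_out z={z:.1f}")
    # Deviations by crown-jewel users are weighted more heavily, as the text prioritizes them.
    if score and user in privileged:
        score *= 2
        reasons.append("privileged user")
    return score, reasons


def hunt(baseline, events, threshold=2):
    """Return events at or above the threshold, highest score first."""
    flagged = []
    for event in events:
        score, reasons = score_event(baseline, event)
        if score >= threshold:
            flagged.append((event, score, reasons))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed "today" events to score against the baseline.
TODAY = [
    ("alice", "ws-alice", 10, 2_100_000),     # ordinary activity
    ("dba_admin", "ws-dba", 3, 9_000_000),    # 3 a.m. bulk transfer by a privileged user
    ("bob", "ws-bob", 10, 100_000),           # identity never seen before
    ("alice", "kiosk-07", 23, 2_050_000),     # new host, late at night
]

if __name__ == "__main__":
    for event, score, reasons in hunt(build_baseline(HISTORY), TODAY):
        print(score, event, ", ".join(reasons))
```

Running the script prints only the three deviating events, with the privileged user's off-hours bulk transfer ranked first; the routine daytime event from `alice` scores zero and is left out. In practice the baseline would be built from weeks of telemetry rather than a handful of rows, and the thresholds tuned per environment.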

An effective hunt will result in a knight's fork, wherein a single piece makes two or more direct attacks simultaneously. An opponent must move out of check, but in the process they sacrifice their queen. The queen in cyber is the clandestine footprint on your network. Happy hunting.

Tom Kellermann is a cyber-intelligence expert, author, professor and leader in the field of cybersecurity. Tom is the co-founder of Strategic Cyber Ventures and serves as a Global Fellow for the Wilson Center.

Having held a seat on the Commission on Cyber Security for the 44th President of the United States and serving as an advisor to the International Cyber Security Protection Alliance (ICSPA), he has worked in the highest levels of cybersecurity. He has applied his expertise in the corporate world, as Chief Cybersecurity Officer for Trend Micro Inc. where Tom was responsible for analysis of emerging cybersecurity threats and relevant defensive technologies.

Prior to Trend Micro, Tom served as the Vice President of Security for Core Security. Tom began his career as Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and security policy as he advised central banks around the world about their cyber-risk posture.

In addition to his professional work, Tom believes in sharing his knowledge to benefit others in order to combat cybercrime. Tom was a Professor at American University’s School of International Service and the Kogod School of Business, and he co-authored the book “E-safety and Soundness: Securing Finance in a New Age.” He regularly presents at global cybersecurity conferences and is a contributor on cyber analysis for major networks. Tom is a Certified Information Security Manager and is a Certified Ethical Hacker.

The opinions expressed in this blog are those of Tom Kellermann and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.