- Get Microsoft Office Pro and Windows 11 Pro for 87% off with this bundle
- Buy or gift a Babbel subscription for 78% off to learn a new language - new low price
- Join BJ's Wholesale Club for just $20 right now to save on holiday shopping
- This $28 'magic arm' makes taking pictures so much easier (and it's only $20 for Black Friday)
- This new wireless carrier promises ultra-secure mobile phone service
The Emergence of Dynamic Threat Hunting
A review of the evolving cyber security industry over 15 years in business
By James “Jim” McMurry, CEO / Founder, Milton Security, Inc.
No one can argue that cyber security is the same today as it was fifteen years ago. There have been numerous trends and companies that we’ve seen come and go over the last decade-and-a-half, but what is most intriguing is the evolution of the industry and the emergence of Dynamic Threat Hunting (DTH). We’ll get into the specifics of what exactly Dynamic Threat Hunting is and how it differs from the industry norms in a bit, but first, it is helpful to provide a backdrop for how we managed to get to this point.
Your Trojan War
When reviewing Greek mythology, the Trojan War was fought between the Greeks and the people of Troy sometime in the 13th or 12th century BC. We won’t get into the events leading up to the war, because those are irrelevant, however, just know that someone important was kidnapped – ever seen the movie Taken? Yeah, just like that. The war raged on for quite some time with the Greeks trying desperately to find any weakness in the defenses of the city…until one day, they just gave up.
Let’s assume, for this exercise, that your organization is the city of Troy. No, you didn’t kidnap anyone and you haven’t wronged anyone, you’ve just been doing your own thing, trying to be successful as a kingdom. You have been called in to put together a team to defend the city. Surrounding the city is a giant wall and outside that wall is a wilderness filled with threats to your livelihood.
As commander of the army of Troy, how would you go about defending the city?
Defending Troy with a Static Security Operations Center
You decide to place sentries atop the city wall who can see for miles. Your instructions are clear that they are to report back with anything and everything they see. You sit back and wait and almost immediately a messenger knocks on the door. They enter and tell you that Jane was planting flowers in the city garden.
Alright, that’s great, but not quite what you had in mind.
As the messenger is leaving, another knock comes at the door. Another messenger tells you that someone is approaching the wall on horseback. Great. This is the kind of info you were looking for. You tell the messenger to go find out more and report back.
There are so many messengers knocking at your door, that it seems like it will never end. Most of the reports are trivial, at best, with daily tasks from inside the walls.
There are so many pieces of data that are coming in that you are completely overwhelmed with trying to figure out what is relevant to your risk profile as a threat and what is just normal daily activity.
Thus is born the Static Security Operations Center. A place where all of the network data is funneled with no clear picture of what is going on. Who was the person on the horse? Did they keep advancing or turn and go a different way? Were they carrying anything that could be considered a threat? You just have to find that one messenger and hope that they didn’t get sidetracked or tasked with something else.
Organizations that stood up a static SOC quickly became overloaded with data and no context. So, you decide to tune your instructions to the messengers and tell them to only report on what is going on outside the walls.
Defending Troy with a Context-Driven Security Operations Center
The next day, the line of messengers is much shorter. That’s a good start. Until messengers begin entering and reporting their observations.
Each one has a seemingly frightening message. There were groups that were assembling outside the wall. Each group had a clear leader and it looked like they were planning something. Each leader was talking with their group, pointing to the city, looking down at a piece of parchment, perhaps a map, and drawing things in the dirt.
As the day goes on, the messengers keep coming, all providing the exact same report. You hear the same thing over and over and over again with no additional information to help you determine what, if anything, you should do about these groups gathering outside the city.
This is where security tools and platforms emerge to help provide context around all the network data flooding in. Organizations began to paint a better picture – maybe there is something that we need to pay attention to. And just like the messengers now, alerts as far as the eye can see. Now, you’re beginning to worry that they are, indeed, planning something, or even worse, something already got by the defenses.
It makes a lot of sense to begin watching for suspicious activity within the walls again, not all activity, just anything that looks suspicious. And probably time to equip the sentries with some armor and weapons to help defend against a possible breach.
Defending Troy with Managed Detection & Response (MDR)
The next day you give new instructions to your sentries and verify the supplies are delivered to help protect Troy. Messengers begin to arrive and let you know that sometime overnight, there was a delivery of wood and nails to the groups outside the city. Unsure of what the materials are for or who delivered them, the groups are clearly beginning to work together.
Occasionally, a few individuals on horseback ride closer to the wall and the sentries fire arrows in response to deter the threat. The messengers are reporting this activity every time an arrow is fired. It looks like everything is working. You are successfully defending the city and deterring the threats.
Managed Detection and Response has been the status quo for the cyber security industry for quite some time now, but imagine this same process going on for years. The same events get reported over and over again. There is more wood and nails being delivered each day. Individuals try to breach the gates but are deterred by your defenses. On and on it goes. This is event fatigue and what we have observed is that eventually, your team gets tired of paying attention to the details. On the outside, the city looks completely secure and there is no need to worry.
Until one morning, the groups outside are gone. Just like that, they have all disappeared and the only thing that remains is a wooden horse parked just outside of the gate with a note that reads: “A gift for you.”
What do you do?
Defending Troy with Dynamic Threat Hunting (DTH)
At this point, we all know the story. The city rejoices and the gift is brought inside where the unsuspecting city of Troy falls to the adversary.
Wouldn’t it have been nice to know that the local sawmill workers have been working overtime for the last 10 years, milling more wood than the city needed? Or that the blacksmith spent his extra time crafting millions of nails and tools?
Wouldn’t it have been great to understand that during the dark of night, there were meetings going on between people inside the city and the leaders of the external threat groups? Together, they were coming up with a creative plan to deceive the sentries and evade being noticed?
Not every breach has an inside threat component to it, but sometimes, people, processes, and technology lend themselves to being an easy target. Like assigning everyone local admin rights to their individual computer so that when a link is clicked in a phishing email, the attacker now has absolute control over that machine.
Dynamic Threat Hunting is when you pair the wire-speed of AI and ML with the creative understanding of human Threat Hunters to provide an intelligent, context-aware, and just-in-time security operation that not only collects and analyzes the data but actually thinks like attackers and looks beyond the data, alerts, and events.
To the trained Threat Hunter, a simple daily event can be the key to turning a scouting session into a deep hunt. Pairing that with the speed of machines processing messages and telemetry about what is going on in the world and within your network, a crystal clear picture can be uncovered. From there, you have the ability to cut off the attack before it happens and keep your organization secure.
Defending Troy, like protecting your organization, is a monumental task and no quantity of tools or platforms alone will get the job done. Likewise, you can’t just throw a bunch of bodies at it to solve the problem either. It takes the two working in unison to successfully perform Dynamic Threat Hunting
It is no easy task to stand up a Dynamic Threat Hunting team with the ability to see through all the noise and find the needle in the haystack, but it’s what Milton Security has been working towards for the last 15 years. We were the first Dynamic Threat Hunting provider, and after all this time, we’re still the leader.
About the Author
James “Jim” McMurry is the Founder and CEO of Milton Security, the leading provider of Dynamic Threat Hunting. With over 30 years of combined experience in Security, Information Technology, Telecommunications, Networking, Management, and Software development, James founded Milton Security with the vision of bringing exceptional network security within reach for all organizations.
Prior to launching Milton Security in 2007, he worked with a broad spectrum of companies ranging from startups to Fortune 1000 in and around the Bay area. He also proudly served as a member of the U.S. Coast Guard aboard the USCGC Taney and USCGC Morgenthau.
McMurry has a passion for Bourbon and a deep hatred of beets. He openly shares both with everyone.
For more information on Milton Security, please visit https://miltonsecurity.com; for more about James, follow him on LinkedIn, Instagram, and Twitter.
FAIR USE NOTICE: Under the “fair use” act, another author may make limited use of the original author’s work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material “for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner’s exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.