Trustwave Goes Threat Hunting

Reports surfaced five years ago that the Kremlin had started buying typewriters to avoid computer leaks. Suffice it to say, it’s a complicated cyber world out there today–from nation states to cyber criminals to organized crime to 400-pound guys in their bedrooms in New Jersey. And, in this dynamic environment, the only thing we know for sure is that the way we’ve done things before won’t protect us anymore. Trustwave Government Solutions is debuting its new Threat Hunting service for forward-leaning government agencies that are tired of having their cyber clocks cleaned.

Cyber EO–Focus Left of Boom

“The Cyber Executive Order was a real game changer,” said Bill Rucker, president, Trustwave Government Solutions. “It calls out proactive defense and prioritizing agencies’ high value assets, and that maps to threat hunting. When we talk to our government customers, we’re hearing that 75 to 80 percent of their cyber spend is happening right of the boom–after a breach. But we’re starting to see a shift in that they’re looking to amp up their investments before they’re compromised, and then acting fast to remediate and shut the bad guys down. The average time it takes organizations to realize they’ve been compromised is 172 days–think about having burglars in your office for six months before you locked the doors.”

Brian Hussey, vice president of cyber threat detection and response at Trustwave, added, “The fundamental conversation has changed. We used to say, it’s not a matter of ‘if’ you get breached, it’s ‘when.’ We don’t say that anymore. We assume breach. We had an engagement recently where we were asked to reverse-engineer some malware. Within one of the instances, we found nine independent variants set to deploy at a later date. These attackers knew their target, their users, and how to compromise them–it was very targeted, very sophisticated, but we were able to nip it in the bud.”

Let’s Go Threat Hunting

So, okay, it sounds edgy and aggressive, but what is threat hunting? “It’s a service engagement built on four pillars–penetration testing; researching what the bad guys are up to; incident response analysis; and threat operations, mapping key real-time learnings from across our managed services clients,” Hussey said. “But, our secret sauce here is our award-winning SpiderLabs team of 160 highly specialized security experts.”

Rucker explained that it all starts with a threat model, in which Trustwave works with agencies to map their highest value assets, understand how they connect to the network, and consider who is most likely to target them.

“Then we move into endpoint detection and response, partnering with best-of-breed tools vendors like Carbon Black, CounterTack, and Secdo,” Rucker said. “We deploy an agent on each endpoint, which provides visibility into what’s happening on every system. Then we correlate endpoint activity across the organization using AI to detect anomalous patterns. This is not signature-based detection of known threats. Most hackers that attack the government are sophisticated bad actors–and they employ polymorphic tactics that are constantly changing. So, you need a dynamic defense.”

Hussey added: “Outside of endpoint hunting and investigation, we also examine all network traffic utilizing artificial intelligence and anomaly detection to identify attacks in log data. Findings generated from network traffic can immediately pivot into deep-dive host-based investigations. And then there’s the manual side–where we move and act like hackers. Our SpiderLabs pros live and work under cover on the Dark Web. They have built trusted personas over time and can listen in to test the vibe, hear who’s talking about our clients, follow the various exploit kits out there, and see who’s buying what. We keep tabs on your employees’ identities–are they for sale in the darkest places on the internet? That’s real proactivity. Combine this approach with state-of-the-art incident response and threat mapping across our entire SpiderLabs customer database–and that’s not your ‘father’s cyber security Oldsmobile’.”

“So, yes, we do penetration testing–and many agencies already do pen tests,” Rucker noted. “However, we bring a new rigor to the process. If your agency has been using the same pen testers for years–it’s likely you’ve both become complacent. We’ll run analysis of agencies and send them a report before we even meet with them–it’s an interesting and effective way to open a conversation.”

CDM in Focus

Trustwave Government Solutions is no stranger to government agencies. Its database and application security offerings are standard issue on DHS’s CDM contract, and its Threat Hunting service is available on the vehicle as well, via line items for Incident Response and Managed Detection and Response for Endpoints.

Rucker praised the CDM program and stressed the important alignment between the new CDM Dashboard and the Cyber EO. “Clearly, everybody’s focused on cyber security–and there’s very close alignment between the Cyber EO, the White House’s IT Modernization Report, and the MGT Act. That drives to Cabinet secretary-level responsibility for cyber shortfalls–and the CDM Dashboard provides the transparency to hold executives accountable.”

Turn Down the Volume

When asked to identify the biggest cyber challenge facing agencies today, Rucker said, “In a word, volume. The sheer quantity of attackers, threats, and breaches–it’s staggering, and it’s not going away. Agencies are under constant attack, and the volume of security vendors and technologies is also a challenge. How do you find the right solution for your complex problem amidst all the noise? It’s not just about the technology and tools; for us, it’s about our people–the expertise, experience, and practical knowledge we’ve gained from working in the underground, side-by-side with hackers. That’s what makes us different.”

So, if you’re not up for trading your laptop for an IBM Selectric, maybe you want to go threat hunting.