Network security professionals are turning to an emerging concept known as “cyber threat hunting” to ferret out hackers from critical systems, said one expert.
“It’s designed to help surface threats that have evaded detection by other tools and sensors,” said Ely Kahn, co-founder and vice president at Sqrrl, a cybersecurity company based in Cambridge, Massachusetts.
Advanced threats can find their way around firewalls and perimeter security devices, he said. Often they go undetected by traditional signature- or rule-based systems, said Kahn, who previously served as director of cybersecurity on the national security staff at the White House.
Threat hunting, on the other hand, is a “proactive human-driven approach to find the subtle indicators of those lurking threats that are already inside your network,” he told National Defense.
Sqrrl’s threat hunting platform is currently in use at a number of large security centers around the world, Kahn said. Traditional systems often look at low-level indicators when searching for intrusions, such as suspicious IP addresses. However, “what we actually recommend is instead of focusing on those lower level indicators … to hunt for the higher or more complex indicators that are often times referred to as TTPs — the tactics, techniques and procedures of cyber adversaries,” he said.
Typically, with a high-level indicator, an analyst is looking for a pattern, he said.
Sqrrl’s platform requires a human to be in the loop.
“[We] simplify the hunt by packaging together things into little tool kits that the analyst can analyze, but it’s still going to be the analyst that’s figuring out how to best apply these tool kits and algorithms and visualizations into the data,” he said.
In February, the company released an upgrade that improved the system’s machine learning algorithms to detect tactics, techniques and procedures associated with Domain Name System, or DNS, data, Kahn said.
“DNS in general is like the phone book of the internet. It translates IP addresses to URLs and pretty much every company as a result has DNS data,” he said. “Adversaries are actually using DNS data in very creative ways. They’re hiding command-and-control channels in DNS data.”
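The contrast Kahn draws between low-level indicators and TTP-level hunting, together with the DNS command-and-control channels he describes, can be made concrete with a small detection script. The following is an added example written for this article; it is not Sqrrl’s code and says nothing about how its platform works. It runs over a constructed DNS query log (not real traffic), first matching domains against a hypothetical blocklist (a low-level indicator), then hunting for the behaviour of a DNS tunnel: many distinct, long, high-entropy subdomains under one registered domain, queried with record types that can carry arbitrary payloads (TXT or NULL). The thresholds, the log format and the domain names are all assumptions chosen for the illustration.

```python
"""Hunting for DNS command-and-control by behaviour (TTP) versus by indicator.

Added example, not Sqrrl's code. The log format, domains, blocklist and
thresholds below are constructed for illustration only.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic). One query per line:
#   client_ip qtype qname
SAMPLE_DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.9 A updates.known-bad.test
10.0.0.7 TXT 4d1e8f3b2a9c7e6d5f0a1b2c.t.c2-tunnel.test
10.0.0.7 TXT 9a8b7c6d5e4f3a2b1c0d9e8f.t.c2-tunnel.test
10.0.0.7 TXT 0f1e2d3c4b5a697801b2c3d4.t.c2-tunnel.test
10.0.0.7 TXT 7b6a5948c3d2e1f0a9b8c7d6.t.c2-tunnel.test
10.0.0.7 TXT e5f4a3b2c1d0f9e8a7b6c5d4.t.c2-tunnel.test
10.0.0.7 TXT 2c3d4e5f6a7b8c9d0e1f2a3b.t.c2-tunnel.test
"""

# Hypothetical threat-intel feed standing in for a "low-level indicator".
BLOCKLIST = {"known-bad.test"}


def parse_log(text):
    """Parse the constructed log into (client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the hunt
        client, qtype, qname = parts
        records.append((client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    """Naive registered-domain extraction (last two labels).
    Production code should use the public suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def indicator_hits(records, blocklist=BLOCKLIST):
    """Low-level indicator match: finds only what is already on the list."""
    return sorted({registered_domain(q) for _, _, q in records
                   if registered_domain(q) in blocklist})


def hunt_dns_tunneling(records, min_queries=5, min_unique_ratio=0.8,
                       min_entropy=3.0, min_label_len=20, min_payload_ratio=0.5):
    """TTP hunt: flag a registered domain whose query pattern looks like a
    covert channel, regardless of whether the name is known to be bad.
    Returns {domain: stats} for domains meeting at least three of four signals."""
    per_domain = defaultdict(list)
    for _, qtype, qname in records:
        per_domain[registered_domain(qname)].append((qtype, qname))

    findings = {}
    for domain, queries in per_domain.items():
        if len(queries) < min_queries:
            continue
        # Subdomain part in front of ".<registered domain>"; skip bare-domain lookups.
        subs = [q[: -len(domain) - 1] for _, q in queries if q != domain]
        if not subs:
            continue
        first_labels = [s.split(".")[0] for s in subs]  # leftmost label carries the data
        stats = {
            "queries": len(queries),
            "unique_ratio": len(set(first_labels)) / len(first_labels),
            "mean_entropy": sum(shannon_entropy(l) for l in first_labels) / len(first_labels),
            "mean_label_len": sum(len(l) for l in first_labels) / len(first_labels),
            "payload_ratio": sum(1 for t, _ in queries if t in ("TXT", "NULL")) / len(queries),
        }
        signals = sum([
            stats["unique_ratio"] >= min_unique_ratio,   # every query is a new name
            stats["mean_entropy"] >= min_entropy,        # labels look encoded, not words
            stats["mean_label_len"] >= min_label_len,    # labels are unusually long
            stats["payload_ratio"] >= min_payload_ratio, # record types that carry bytes
        ])
        if signals >= 3:
            findings[domain] = stats
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_DNS_LOG)
    print("indicator hits:", indicator_hits(recs))
    for dom, st in hunt_dns_tunneling(recs).items():
        print("tunneling candidate:", dom, st)
```

On the constructed log the blocklist match returns only `known-bad.test`, while the behavioural hunt surfaces `c2-tunnel.test`, which appears on no list at all; that gap is the point of hunting for the pattern rather than the name. The thresholds are deliberately simple and would need tuning against a real environment, where CDNs, anti-spam lookups and some security products legitimately generate long, high-entropy subdomains.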
Sqrrl’s threat hunting product would be ideal for the Pentagon, Kahn said.
“We are typically targeting security operation centers, so that is applicable to various parts of the Department of Defense,” he said. “Certainly the larger security operations centers are oftentimes the best fits for our products because we have a big data backend [so] we can scale up to massive amounts of data.”