The Evolution of the Cyber Hunter
DISA matures its skill in stalking network threats.
The U.S. Defense Department’s cyber warriors continue to improve their ability to sniff out intruders who sneak past the defenses at the network’s perimeter—a perimeter that is disintegrating with the march toward mobile devices.
Cyber hunting is a more proactive approach to locating network threats. (See also “In Cyberspace, It’s Always Hunting Season.”) It offers the opportunity to observe and analyze an adversary’s actions, and it provides insights into a network intruder’s tactics, techniques and procedures. Actively hunting for cyberthreats also enhances investigatory capabilities, explains Roger Greenwell, chief of cybersecurity and authorizing official, Office of the Risk Management Executive, Defense Information Systems Agency (DISA). “As we collect more data, bringing that together gives you a much better ability to deal with the investigation of an incident that may be detected on the network without having to go back and do post-forensic gathering of data. You would already have a lot of that information readily available to support incident analysis,” Greenwell says.
In an article posted on the DISA website, agency officials list three components to cyber hunting: cyber protection teams, integrated security and identity management. The cyber protection teams under DISA’s control receive extensive training, including immersion training alongside red teams responsible for finding vulnerabilities. The teams also receive enhanced training on tools and systems that provide broad visibility across the Department of Defense Information Network (DODIN).
John Hickey, DISA’s cyber development executive, underscores in the DISA online article the need for industry to deliver integrated security capabilities. Along those lines, officials tout milCloud 2.0, a commercial-grade private cloud being built exclusively for defense customers. The system is expected to increase security, save money and reduce the number of separate clouds serving the defense community.
In the area of identity management, DISA is working on derived credentials and form-factor initiatives to support mobile devices, including tablets and laptops. Adversaries, regardless of their origins, are going after credentials, which give them access to key information. Whether they gain entry through phishing activities or as insiders, the credentials are the literal keys. Once in, the intruders will move laterally through the networks to seek out stronger credentials for further access, the online article explains.
The concept of cyber hunting always has been a part of protecting the Defense Department’s networks, but it originally focused more on the forensics investigation after an intruder had been successful, Greenwell says. Now, the department’s cyber forces are evolving into a band of hunters capable of taking action before the damage is done. “We have in place capabilities such as firewalls, intrusion detection systems and other protective capabilities, but when an adversary escapes past that point, we want to actually look for their presence on the network,” Greenwell says. “That’s where we’re trying to evolve to with the concept of hunt.”
To hunt the bad guys proactively, DISA requires cyber warriors with bad-guy instincts. “The folks who are hunting actually have to think like an adversary in many respects,” Greenwell says.
He adds that the hunter must look at the data, hypothesize about the adversary’s potential actions and surmise what the intruder might do next. “When you think about ... the crown jewels that the adversary is going after, you have to be able to pivot around these different points to think about what the adversary is ultimately trying to do. You really have to think about where or how the techniques can evolve and what path the adversary may be taking,” he elaborates.
While instinct is critical, cyber hunters also must possess the kind of in-depth knowledge that can only come with extensive training. “They have to truly have a good understanding of the network construct, the defenses that are in place and the likely targets that the adversary is going after. They’re backtracking through what actually happened and following the train backward,” Greenwell says. “It’s that level of thinking, that level of mindset and also the knowledge of the threats and how the different attack vectors work. It’s having that in-depth knowledge of all those different areas.”
Of course, arming hunters and defenders with the proper tools also is essential to securing the network. Greenwell touts the importance of automation, artificial intelligence (AI) and patterns-of-life indicators. “The volume of data is growing. We need automation,” he says.
DISA officials see AI, including models of threat behaviors, as a developing technology that can transform the agency’s cybersecurity efforts. “We’ve been in an era, in many cases, of signature-based defenses where we find a certain attack signature, and we apply defenses for those signatures,” Greenwell reports. Part of the problem with that approach is that it may stop particular attacks, but then those attack signatures evolve, and the defenses have to be continually updated.
AI programs, on the other hand, can learn and adapt. Greenwell describes the need for “technology that gives us a ready means of deploying a capability that is self-learning, that is able to recognize underlying patterns and is able to take action on them in a more automated sense.”
Meanwhile, programs that analyze patterns of life advance the state of the art in authenticating users and identifying normal and abnormal network behaviors. “It moves even beyond the concept of biometrics in many ways when you think about how a person writes out something—how they hold a device, how they type, the speed at which an individual enters information. All of these things are essentially patterns of life that can then be used as indicators of who is actually using that device,” Greenwell offers.
Better authentication is important as mobile devices are added to the DODIN. “We’re investing so much effort on bringing that stronger authentication down to the device because the perimeter itself is eroding, especially as we think about where mobility is bringing us,” Greenwell states.
He credits the Air Force with coining the term “cyber hunt” roughly a decade ago as part of its hunter-killer concept. “That was the foundation of where the concept of hunt has evolved from. It has really taken off in the last few years, where you start to see industry and the Department of Defense using that term much more,” he suggests.
At this point, threat hunting is an integral part of the department’s network defense culture, even as officials seek to expand its capabilities. “Cyber hunt is evolving to become part of the day-to-day mission. Conversations about cyber hunt and how it works and the sharing of information is occurring as part of the evolving communications,” Greenwell declares.
DISA officials will describe their new approach to cybersecurity at DCOS 2017, being held at the Baltimore Convention Center June 13-15.