Nuspire’s Threat Hunt team spends its days tracking down and resolving cyber threat cases. In fact, Jerry Nguyen, who heads up the team, has been involved in hundreds of these cases over the years. That includes his time at Nuspire, plus leading the Threat Hunting team at Herjavec Group and the Computer Emergency Response Team while he served in the U.S. Marine Corps.
No two days as a threat hunter are the same. But Jerry’s team follows a methodological approach to unearthing, investigating and mitigating threats.
Scanning the threat landscape
Nuspire’s Threat Hunt team starts each day reviewing information about potential threats from three core sources:
Threat feeds are super noisy and even when major threats and attacks surface, they might not impact Nuspire’s customers. As the team monitors the landscape of threats, it determines what to focus on. For example, ransomware is huge at the moment.
Assessing the scope of each threat and ruling out the impact on Nuspire customers is the first order of business.
Analyzing and ruling out threats
As an MSSP, Nuspire serves customers in a variety of verticals, providing a view into their environments and the threats present in their industries. At the same time, Nuspire is an MSSP in that its customers can use one or all of its services and capabilities.
With that in mind, Jerry’s team first assesses the scope of the potential threat by determining whether Nuspire customers are at risk. This is to head off unnecessary panic, such as what happened when the SolarWinds attack came to light. As more information emerged about SolarWinds, the Nuspire Threat Hunt team ruled out many customers as being vulnerable because they had taken the necessary preventative measures.
The Threat Hunt team is empowered to determine whether a threat is present in any customer environments because its SIEM (Security Incident and Event Management) system aggregates logs and alerts from all the customer devices that Nuspire monitors. When possible, the team combines this view with what is delivered via Nuspire’s vulnerability scanning service, which conducts both internal and external scans to reveal potential system and software vulnerabilities.
The initial goal is to identify any artifacts – or indicators of compromise (IoCs) – such as URLs, IP addresses, files and MD5 hashes. Next, the team comes up with a hypothesis or mechanism to search for these in customers’ environments. It then calls upon contextual data, such as time stamps on a malicious file, to correlate IoCs with events captured by Nuspire’s SIEM and scanning service to pinpoint which customers are vulnerable.
Stopping attackers in their tracks
While Nuspire customers and SOC analysts want threats identified and handled, threat hunters must also take a macro view. Jerry says to think of SOC analysts being like beat cops. While they are on patrol looking for and addressing discrete issues, threat hunters are like detectives and crime scene investigators who take a big-picture view.
As an MSSP, Nuspire can’t eliminate threats directly for its customers. However, after identifying a series of events or artifacts that need addressing, the Threat Hunt team escalates major threats to customers via Nuspire’s SOC by generating threat tickets – averaging about four to five per week. With that escalation, the team provides instructions on how customers can clean up or mitigate the threat.
During security reviews with customers, Nuspire discusses threats and mitigation approaches and what was resolved. For large-scale, ongoing threats like SolarWinds, Jerry’s team continues following the news and updating customers on the latest status. It also conducts follow-on hunts to ensure vulnerable customers have taken steps to mitigate/address the issue.
Hunting best practices
To enable its finely tuned process of proactive threat hunting, Nuspire’s Threat Hunt team relies on lots of data. In fact, the more data, the better. Hunting down threats is not about taking shortcuts. It’s about digging into all available data to spot vulnerabilities and correlations.
In the past, threat hunters would be handed a log file and told to figure out what happened. Today’s threat intelligence has dramatically evolved the process. While the threat hunt team is still handed a log of unknowns, it can uncover lots of details about customers and potential weak links – such as a manufacturer with multiple plants around the world relying on a proprietary process – helping narrow the search.
Nuspire’s Threat Hunt team also stays up to date on attack frameworks and tactics, techniques and procedures (TTPs). One source is the attack methods published by MITRE. For instance, if the healthcare industry is a focus of attack, the team reviews lists of attackers targeting the healthcare industry. This accelerates the process of identifying threats.
Hiring threat hunters
Threat hunters are essentially investigating a potential crime, so it helps to have an investigative mindset and be curious. These traits can’t be taught, so Nuspire is always looking for people with these natural tendencies. Jerry’s personal goal is to try to find diamonds in the rough, so to speak, by looking for potential threat hunters from unusual sources.
While those with a Computer Science degree make obvious candidates, Jerry also looks for people from smaller colleges, and those with law enforcement and military backgrounds. Many organizations are pro veteran but also require a college degree – yet the majority of veterans haven’t earned a degree. Jerry has taken it upon himself to pull those threads and build out programs for interns from these underrepresented groups with the goal of closing the gap in this profession.
Learn why every cybersecurity program should include threat hunting.
At Nuspire, our mission is to make clients fanatically happy through a relentless pursuit of excellence. Let’s talk about how we can work together to provide a new, fresh and inspiring approach to closing cybersecurity gaps.