SOC Cyber Threat Hunting, brought to you by IBM. In this video, Sydney will describe cyber challenges faced by Security Operation Centers, or SOCs, today. >> All the intelligence-led cognitive SOC. Now it's a lot of words, I realize, for how do you define SOC and how do you define next gen. Let's just simplify and say next gen SOC led by intelligence, driven by proactive cyber threat hunting, is ultimately where we need to be able to get to. So as I said earlier in my introduction, I have worked within the SOC environment now for a number of years. I spent ten years at Unisys Corporation interfacing with and working with the Security Operation Centers at Unisys and with the clients there, as well as my role as executive architect. Very similarly here, my role was to, first and foremost, understand what were the clients' requirements. Of course, that's a requirement we all have, whether that's internal or external, depending on whether we're supporting clients or whether it's something we have to support internally ourselves. We have to understand what we're trying to achieve with our current state of protect and defend operations and traditional SOC operations. However, what we're finding is that a number of our clients, a number of GSIs, a number of MSSPs are recognizing that I have got to find a way to start getting ahead of these threats before they become an actual problem. And so what we want to introduce here today is how do we actually start to do this now? I'm going to go back to my experience in the human intelligence space and the intelligence world. And here's one of the challenges that we're facing, and that is in the SOC, security operations professionals, level one through four analysts, and engineers are very good at what they do in the context of the scripted environment that they need to work within. And there's absolutely no argument that the level three, level four investigators, or actually analysts, are conducting cyber forensic investigation.
But let's be very clear, that is not actual proactive cyber threat hunting. That is reactive cyber forensic investigation, and we're going to talk about what actual proactive cyber threat hunting is. But what I want to share with you here is that in all things that we do in the world of intelligence, in the world of threat and threat vectors, the common denominator across each of these domains, whether that's cyber, whether it's physical threat, whether it's terrorism, whether it's nation states, the bottom line is that this is all human driven. This is all human-oriented, all human originated. And therefore when you start looking at how do I identify proactively the threat vectors, understanding the transnational criminals, understanding how they're operating, now how do I start to formulate a strategy around how to do proactive cyber threat hunting? So the first place to start is how do you define what actual cyber threat hunting is. And the way IBM defines it in the context of the use of i2 is the ability to proactively and aggressively identify, intercept, track, investigate, and eliminate your adversary before they can become a problem to your organization or before they become a problem for your clients. This is the general direction. This is the next gen SOC that we're talking about, the intelligence-led cognitive SOC that we're talking about. Now, of course, that needs to be linked to the cyber kill chain, which then, of course, helps you understand the tactics, techniques, and procedures, the TTPs, as we define it in the intelligence world. Of course, this is terminology used heavily by intelligence as well as law enforcement. So as part of this, it's understanding what is cyber threat hunting, and I want to, again, clarify. Cyber forensic investigation is something that is done today by level three, level four analysts within the SOC, traditionally speaking, but that is reactive and that is a forensic investigation that you're actually doing.
Now you could argue and say that, well, a threat has been conducted and a vulnerability has been exploited, and we now need to conduct an investigation. Are you hunting for that threat? Yes, of course you are, but you're doing it within the context of a cyber forensic investigation. And what we're saying is that cyber threat hunting is the ability to proactively and aggressively identify, intercept, track, investigate, and eliminate these types of threats before they become a problem. Which then goes back to what we said earlier. How do you identify with the 80% known that's there in your traditional protect and defend SOC environment today? How do you evolve to the next level of the next gen SOC of proactive cyber threat hunting? And as you look at the skill set within the SOC, you're looking at the skill set of the security analyst, level one through four. And then what's really needed to conduct this type of work, and how you structure a cyber threat hunting team, is actually an intelligence-skilled person. And there's a gap there in the skill sets today. Now GSIs, MSSPs can structure teams to do this type of work. But this is, by and large, a different skill set, a different team, a cyber threat hunting team that consists of CTI, Cyber Threat Intelligence, cyber threat hunting, web team, etc. But with the goal and the objective to drive toward actionable intelligence, which is the intent of proactive cyber threat hunting by design. Now, where do you start? If you don't have any place to begin, you don't really know where to begin on how to do proactive cyber threat hunting, you can start with a global threat landscape view. Bring it down to regional, which of course would include NDI and other locations. Industry, really tailoring the threat intelligence that we're identifying, threat vectors, threat actors, etc. And then specific to the actual organization itself.
And as GSIs and MSSPs and as IBM security sellers, naturally as we work with our clients and work across these different industries, it's understanding what are the variables associated with this. And then of course bringing that down even to further levels, and that is how do you know yourself? How does the world see you? How do you know your enemy? How do you know your employees, your vendor, your customer? These are all variables to organizations, and if you're providing services to these organizations, if you want to help them, and help them move beyond protecting the thin space, these are all factors you have to start incorporating in your environment. Now, know your enemy, but with know your enemy, and of course knowing any aspects but in particular knowing your enemy, you have to understand the cyber kill chain. And the first place to start with that, of course, is related to reconnaissance. And what do I mean by that? Related to reconnaissance means that these threat actors, whether that's transnational criminals or nation-states, are conducting reconnaissance on organizations on where they want to place their focus of targets. You can be a target of choice or a target of opportunity. But nonetheless, they are conducting their reconnaissance and they're gathering their information about organizations. Whether those are your clients, about your organization, about the industry, but understanding that when they define reconnaissance they're talking about executives. They're talking about hours of operation. Where do you do business? What is the easiest way in? And before we get into all the technical aspects of how to weaponize, deliver, exploit, install, command and control, and ultimately execute their actions and objectives, the first place is reconnaissance. And they can have, as I said earlier, they have lots of time, lots of money, and lots of resources to do this. And they have got all the time in the world.
An example of that is a bank in Chile that was targeted by an attack that cost 10 million dollars. Now, there was also another attack on that same bank, but they lost 475 million dollars. And they went low and slow in the environment because they were able to conduct reconnaissance on where is the weak point, where they can deploy their malware to be able to execute these low-end transactions that never get recognized by rule-based systems. So understanding the cyber kill chain is extremely important in this process. Now as you look at this visual of this graphic, please understand that the key driver here is the human element, it is the people. The art and science of threat hunting, all these factors around internal and external data, statistical analysis, and intelligence, has got to be driven and managed by the analyst. That is, an intelligence analyst with a strong security background that understands the intelligence process and links it to all these, they have. And why is this important? If you don't understand who they are, what they're doing, how they're operating, where they're originating from, if you don't know how to ask those types of questions as it relates to conducting cyber threat hunting, then how will you be able to define where the data sources need to come from? Both internal and external data sources: external from deep web, dark web, open-source, social media; internal being your SIEM, endpoint, logs, etc. How do you bring all this data together? And if you don't have the skill set to understand the big picture around the threat vectors, the threat actors, who they are, what they're doing, how they're operating, then it's challenging for you to be able to ask the right questions without good intelligence. So you need a place to begin, and that starting place is your skill set. In this particular slide, I just want to be clear that what we want to be able to show to you here is that this is not a linear process.
And so I hear often from organizations, Sid, before I go to this tier three advanced cyber threat hunting, I really want to be able to mature my SOC. Well, I'm going to be very clear to everyone here on this call, that is a reality and a level of maturity you can't afford to wait to mature. If you're waiting to mature your SOC to get your tier one, tier two systems in a state of perfection and continue to work in the indicators of compromise reactive space, which we're going to continue to do, if you wait to get started on conducting proactive cyber threat hunting, please understand that is a risk you are taking on. Because the threat actors, the threat vectors, this is continually evolving for them, and they're already light years ahead of us in a lot of situations. And so how do you start to level the playing field? And the truth is that you really need to now start aggressively moving into this cyber threat hunting methodology space. Now, be very clear, indicators of compromise are reactive. We're all familiar with IOCs. IOCs are reactive indicators of compromise. What we're introducing here is a different type of IOC, which is called an indicator of concern, which is proactive. I'm seeing various forms of intelligence that lead me to believe that there could be an attack on my organization, and here are the types of actions, as a threat hunter, I'm recommending to my organization or to my clients, the actions and the steps that need to be taken. So this is how you start to mature your organization.