The Cyber5 Podcast
External Threat Hunting & Active Defense by Director of Adversary Management & Threat Intelligence at Intuit Shannon Lietz
Episode 39 | February 10, 2021
In episode 39 of the Cyber5, we are joined by Director of Adversary Management & Threat Intelligence at Intuit Shannon Lietz. Shannon discusses external threat hunting and an enterprise practitioner’s perspective of active defense.
Here are the 5 Topics We Cover in this Episode:
1) Defining Active Defense and External Threat Hunting: (01:34-02:51)
We start with a proper definition of active defense and external threat hunting. While both terms are often misunderstood, an appropriate definition is the deep understanding of adversaries and the company’s capabilities to defend from outside the firewall looking in.
2) Industry Trends versus Organizational Realities: (02:51-04:30)
When discussing intelligence gained from external threat hunting, industry should recognize the difference between what’s happening across the industry and what is happening within the organization. Advice: Enterprises should focus on discerning threat intelligence and making it relevant to the organization through the lens of DevSecOps (resilience, by prioritizing who is going to attack a certain business function or application) and matching it with attack emulation.
3) Determining Urgency and Response Speed: (04:30-07:55)
To apply this to use cases, it’s critical to understand an ideal state of security within different functions such as, but not limited to, email security and fraud. The ability to decrease attacker dwell time and respond through meticulous log aggregation and analysis is important and needs to be understood at scale. For example, if one out of 250 emails is malicious but the amount of malicious web traffic hitting critical business applications is exponentially higher, a greater rate of speed and automation is critical.
4) Prioritizing What Requires Attention: (07:55-10:40)
Large enterprises have thousands of applications, and no one is going to have situational awareness of all of them. Therefore, security teams need to prioritize threat models, defining a target state metric beyond compliance, and identify legitimate attacker traffic.
5) Measuring the Ability to Secure Your Business: (10:40-15:49)
Finally, “securability” is a critical metric looking at an organization’s attack surface and is defined in three parts:
- Attack resilience refers to the risks an organization takes that allow adversary opportunity.
- Controls escapes are the controls in place to address the opportunity.
- Adversary dwell time is the resources and time it takes attackers to convert the opportunity.