The Cyber5 Podcast

External Threat Hunting & Active Defense by Director of Adversary Management & Threat Intelligence at Intuit Shannon Lietz

Episode 39 | February 10, 2021

In episode 39 of the Cyber5, we are joined by Director of Adversary Management & Threat Intelligence at Intuit Shannon Lietz. Shannon discusses external threat hunting and an enterprise practitioner’s perspective of active defense.

Here are the 5 Topics We Cover in this Episode:

1) Defining Active Defense and External Threat Hunting: (01:34-02:51)

We start with a proper definition of active defense and external threat hunting. Both terms are often misunderstood; a working definition is a deep understanding of adversaries, and of the company's ability to defend itself, built from outside the firewall looking in.

2) Industry Trends versus Organizational Realities: (02:51-04:30)

When discussing intelligence gained from external threat hunting, practitioners should distinguish between what is happening across the industry and what is happening within their own organization. Advice: enterprises should focus on discerning which threat intelligence is relevant to the organization through the lens of DevSecOps: prioritize who is likely to attack a given business function or application, and validate that prioritization with attack emulation.

3) Determining Urgency and Response Speed: (04:30-07:55)

To apply this to use cases, it is critical to understand what an ideal security state looks like within different functions, including but not limited to email security and fraud. The ability to decrease attacker dwell time and to respond through meticulous log aggregation and analysis is important and needs to be understood at scale. For example, if one out of every 250 emails is malicious but the volume of malicious web traffic hitting critical business applications is far higher, the web channel demands a much greater rate of speed and automation.

4) Prioritizing What Requires Attention: (07:55-10:40)

Large enterprises have thousands of applications, and no one is going to have situational awareness across all of them. Security teams therefore need to prioritize their threat models, define a target-state metric that goes beyond compliance, and learn to identify genuine attacker traffic.

5) Measuring the Ability to Secure Your Business: (10:40-15:49)

Finally, "securability" is a critical metric that looks at an organization's attack surface and is defined in three parts:

  • Attack resilience: the risks an organization takes that give an adversary an opportunity.
  • Control escapes: the controls in place to address that opportunity.
  • Adversary dwell time: the resources and time it takes an attacker to convert the opportunity.