The Genesis of Trustwave’s Advanced Continual Threat Hunt

Trustwave’s recent revamp of its Advanced Continual Threat Hunt (ACTH) platform was inspired by the need to scale to meet a growing client base amid an ever-increasing threat landscape. Now with a patent-pending methodology, the SpiderLabs Threat Hunt team can conduct significantly more hunts and has an unprecedented ability to find more threats.

We wanted to hear more about the process and backstory that led to the development of ACTH, so we sat down with Shawn Kanady, Global Director of the SpiderLabs Threat Hunt Team, for a Q&A:

What was the core challenge that the Threat Hunt Team was faced with that you knew needed to be addressed?

Shawn: First and foremost, I wanted to go to sleep at night knowing that we were doing our absolute best to protect our clients. But more specifically, we knew we needed to scale. Trustwave as a business was growing rapidly, and at the same time, the threat landscape was increasing at breakneck speeds. We knew those trends were only going to continue, and that no matter how much our team grew to handle new clients, what we truly needed was a scalable tool that would allow us to stay ahead of our workload.

Once you realized that you needed the ability to scale, where did you start?

Shawn: I was first inspired by a tool called DeTT&CT that allows a person to map technologies to the MITRE ATT&CK Framework. It got my wheels turning about how we could apply the same logic but with threat groups. And for context, the MITRE ATT&CK Framework is a globally accessible knowledge base of adversary behavior. It outlines common tactics, techniques, and procedures used by cyber adversaries. In doing so, it provides a common language for defenders to have conversations about emerging threats and develop effective defensive strategies.

So, it was a lightbulb moment: we could map threat groups to the MITRE framework and then focus our hunts on Indicators of Behavior (IOBs) exhibited by our target threat group. This would not only scale well with a defined scope, but also give us an added advantage of discovering previously unknown Indicators of Compromise (IOCs).

How did you and the team bring the idea to life?

Shawn: After a few months of brainstorming, research, and testing, the idea began gaining momentum. It was a complete overhaul of the current methodology and no small feat for the team to pull off. And this was all while we were still conducting our scheduled threat hunts. We rebuilt our query library, essentially codifying the MITRE Framework by writing a query for any of the EDRs we supported at the time, and we also wanted the entire process to be automated.

We wanted to be able to just click a button for a specific threat actor, and the system would automatically pull those queries for the associated techniques that we made, and it would run the hunt. In response to this, one of our Threat Architects incorporated a tool that allowed hunts to occur simultaneously across all clients during an emerging threat investigation. 

Being able to hunt all our clients at once also changed how our team could operate. Rather than individually hunting, our team can now come together to research relevant threat groups and then divide and conquer the analysis across our clients. Now all our hunters use the same methodologies to find problems and ultimately discover more threats, more quickly.
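The workflow Shawn describes above, a threat profile mapped to ATT&CK techniques, a query library keyed by technique and EDR, and a single action that runs the matching queries across every client, can be sketched as a small resolver. The following is an added illustration, not Trustwave's ACTH code or the SpiderLabs query library: the group names, the EDR names ("edr-x", "edr-y"), the group-to-technique mappings and the telemetry are all constructed here, and the queries are plain Python predicates over normalized process events rather than vendor query language. The ATT&CK technique IDs are real identifiers; which sample group uses which is made up for the example. It also shows a coverage check the text only implies: techniques in the profile that have no query for a client's EDR are reported as gaps instead of being silently skipped.

```python
"""Threat-group -> ATT&CK technique -> per-EDR query resolver (illustrative only)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Threat profiles: group -> ATT&CK technique IDs. Constructed sample data;
# the technique IDs are real, the group-to-technique mapping is invented.
THREAT_PROFILES: Dict[str, Set[str]] = {
    "sample-group-a": {"T1059.001", "T1021.002", "T1003.001"},
    "sample-group-b": {"T1059.001", "T1047"},
}

Event = Dict[str, str]          # normalized process event: host, process, cmdline
Query = Callable[[Event], bool]  # one hunt query, expressed as a predicate


def _ps_encoded(e: Event) -> bool:
    """T1059.001: PowerShell launched with an encoded command."""
    return e["process"].lower() == "powershell.exe" and "-enc" in e["cmdline"].lower()


def _admin_share(e: Event) -> bool:
    """T1021.002: net.exe mapping an administrative share."""
    return e["process"].lower() == "net.exe" and "\\admin$" in e["cmdline"].lower()


def _lsass_dump(e: Event) -> bool:
    """T1003.001: a known dumping utility pointed at lsass."""
    return "lsass" in e["cmdline"].lower() and e["process"].lower() in {"procdump.exe", "rundll32.exe"}


# Query library: (technique, EDR) -> query. EDR names are hypothetical.
# Note that "edr-y" has no query for T1021.002, which surfaces as a coverage gap.
QUERY_LIBRARY: Dict[Tuple[str, str], Query] = {
    ("T1059.001", "edr-x"): _ps_encoded,
    ("T1059.001", "edr-y"): _ps_encoded,
    ("T1021.002", "edr-x"): _admin_share,
    ("T1003.001", "edr-x"): _lsass_dump,
    ("T1003.001", "edr-y"): _lsass_dump,
}


@dataclass(frozen=True)
class Finding:
    client: str
    technique: str
    host: str
    cmdline: str


def resolve_hunt(group: str, edr: str) -> Tuple[Dict[str, Query], Set[str]]:
    """Pull the queries for every technique in the group's profile on this EDR.

    Returns (technique -> query, techniques with no query for this EDR).
    """
    queries: Dict[str, Query] = {}
    gaps: Set[str] = set()
    for tech in sorted(THREAT_PROFILES[group]):
        q = QUERY_LIBRARY.get((tech, edr))
        if q is None:
            gaps.add(tech)
        else:
            queries[tech] = q
    return queries, gaps


def hunt_all_clients(
    group: str, clients: Dict[str, Tuple[str, Iterable[Event]]]
) -> Tuple[List[Finding], Dict[str, Set[str]]]:
    """One-click hunt: run the group's queries against every client's telemetry.

    clients maps client name -> (EDR in use, its process events).
    Returns the findings plus, per client, the techniques that could not be hunted.
    """
    findings: List[Finding] = []
    gaps_by_client: Dict[str, Set[str]] = {}
    for client, (edr, events) in clients.items():
        queries, gaps = resolve_hunt(group, edr)
        gaps_by_client[client] = gaps
        for e in events:
            for tech, q in queries.items():
                if q(e):
                    findings.append(Finding(client, tech, e["host"], e["cmdline"]))
    return findings, gaps_by_client


# Constructed telemetry for two clients running different EDRs.
SAMPLE_CLIENTS: Dict[str, Tuple[str, List[Event]]] = {
    "client-1": ("edr-x", [
        {"host": "ws01", "process": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
        {"host": "ws01", "process": "net.exe", "cmdline": "net use \\\\fs01\\ADMIN$ /user:corp\\svc"},
        {"host": "ws02", "process": "chrome.exe", "cmdline": "chrome.exe --profile-directory=Default"},
    ]),
    "client-2": ("edr-y", [
        {"host": "srv07", "process": "procdump.exe", "cmdline": "procdump.exe -ma lsass.exe out.dmp"},
    ]),
}

if __name__ == "__main__":
    found, gaps = hunt_all_clients("sample-group-a", SAMPLE_CLIENTS)
    for f in found:
        print(f"{f.client} {f.technique} {f.host}: {f.cmdline}")
    for client, missing in gaps.items():
        if missing:
            print(f"{client}: no query for {sorted(missing)}")
```

Running it against the constructed data yields three behavior-based findings (two on client-1, one on client-2) and one gap: client-2's EDR has no query for T1021.002, so that technique was not hunted there. Keeping that gap report next to the findings is what lets a team know where the query library, not the environment, is the reason nothing was found.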

How is it different from other threat hunting offerings?

Shawn: One of the primary differentiators is that this methodology is truly proactive. A hunt based on an IOC means that an attack has already happened and has been discovered. For example, an entity was breached, the breach became known, and an investigation was conducted. Only then would other offerings be able to hunt that IOC.

While it's good to look historically to see if a malware campaign impacted you, it's not very proactive. We wanted to offer our clients something different. Something that caught what others were missing. A situation where Trustwave is discovering new threats. And the exciting thing is that we’re witnessing this; our new methodology has resulted in a 3x increase in behavior-based threat findings that would have gone undetected by current EDR tools.

Can you share an example of how the new behavior-based threat hunts are conducted?

Shawn: Our first ACTH was on the Conti ransomware gang. Leveraging our threat intelligence, we built a threat profile based on Conti behaviors and hunted for those tactics across all of our customers' environments. The hunt went very quickly and produced several findings, including discovering a Remote Access Trojan that had resided in a network for 11 months. Without ACTH, the malware would have gone unnoticed and eventually could have inflicted severe damage on the target.

At this point, one of the true highlights of ACTH became apparent. While searching for Conti, we found evidence of other threats and security lapses. Many of the techniques are common amongst different threat groups and these are now being discovered, along with general security hygiene issues like unsecured legacy systems, open ports, and people making foolish mistakes like storing passwords on their computers. And these issues are now all being found before they could cause a breach or security incident.

The modern adversary is constantly evolving and becoming more sophisticated in their attacks. As defenders, we too must evolve and become more sophisticated in how we detect and respond to them.

ACTH is now offered as an option in Trustwave’s Managed Detection and Response. For more information, please read Trustwave Revamps Continual Threat Hunting Enabling Significantly More Hunts and Unique Threat Findings.
