Security / October 10, 2022

Meet Jeremy Brown, a Threat Hunter

This is a transcript of Episode 13: Meet Jeremy Brown, a Threat Hunter, from our podcast series “Navigating the Cloud Journey.”

Jeremy is a real white hat who has lived in the weeds of the cybersecurity industry for over a decade. In this episode, he shares his experiences, best practices, and industry recommendations for all the threat hunters and defenders who are on the front lines of protecting networks.

After we recorded this podcast, Jeremy wanted to share some additional thoughts with our listeners to help them understand his approach and perspective, which have been added at the end of this blog.

Now, on to the conversation. You can listen to the full podcast or go through the transcript below.

Important Threat Hunting Acronyms and Technologies: IOC, IDA, IPS

Jim Mandelbaum: So, you’re what we call this purple teams guy, and I love this because you hear about people talking about red team and blue team. What in the world is purple team?

Jeremy Brown: Yeah, to me and the team that I’ve built, we’re not pen testers and purple team per se, but we have to incorporate elements of blue team, so defensive, and many of us understand and have been red teamers and offensive people in previous parts of our careers. So purple team is really combining both of those and learning how to further your strategy with that. So, whatever that means for you.

Jim: We have some folks on here making this cloud journey. They’re not security folks, right? So, they don’t know when you talk about an IOC, and even the difference between IDS and IPS. So can you help explain this to some people in that space?

Jeremy: Yeah, absolutely. I’ll start with IOCs. I go back and forth on these. Some days they’re the bane of my existence, and other days, you know, they help with hunting and other things like that. And IOC stands for an indicator of compromise. You can think of these as three simple categories of things. These are domains, IP addresses, and malware hashes. And so, what they really mean are sort of post-compromise activity or things that you can see after the fact. And what they’ve really turned into is a way to sort of automate some parts of defense. So that’s what they are: They’re lists of good and bad things, if you will.

Jim: So, ways to know that you’re in bad shape. The one thing I want to do, because I want to get kind of into it, is the difference between IDS and IPS.

Jeremy: Oh, yeah. An awesome one. So, I never know what people’s level of understanding of these two concepts is, but there’s nuance that’s actually really fundamental. So, IDS stands for intrusion detection system. And this is what you think of when you think of passively monitoring a network and capturing traffic and then understanding things about it. So, these are your Snort and your Suricata and your open-source IDS, Bro and Zeek. These are the types of things you start to think of when IDS comes up.

IPS is simply when you switch that over to prevention mode, and prevention can mean a lot of things, but it’s actually doing something about it when an initial signature hits. That may be blocking an IP, that may be blocking some indicator of compromise, or that gets all the way down into understanding the content of what’s inside network sessions and files. So IPS is the prevention and IDS is really just the protection.

Jim: And I am going to circle back on that IPS piece because, you know, that’s what you specialize in. I want to come back to that. What you guys do is really cool. And I want to hold that till later, ’cause I think it’s really cool.

In the Cloud, Going “Beyond the Packet,” and Network Session Level Visibility

Jim: One of the things that I’ve heard you say that you need to go “beyond the packet.” What does that mean and how does this relate to cloud?

Jeremy: Yes. I like to use an analogy. It starts sort of simple. If we think about reading a book and you’re really trying to understand the story that’s in front of you. You really won’t do that if you’re reading word by word until you get to the end of the book. Well, a session versus a packet. So, packet is the word in the book. And a session is like, if you understood the entire story at the end, it’s a lot more powerful if you’re trying to get the context of what that story is about.

So, if we take that analogy and we move it to the network, whether you’re on-prem or whether you’re in the cloud, you are going to get a lot more context and fidelity out of being at a session level. So that means you take all of those packets and you put them together and you understand what happened in the network session. So that could mean something like understanding the whole content of a web request with a webpage in it that maybe had malware on it. That could mean the difference between missing an exploit and catching it.

And a lot of times when I think about packet-based intrusion detection systems or IPS systems, I am thinking about a system that’s from 10 or 15 years ago. And so, the industry as a whole is evolving towards session-based. And I would say in your journey to the cloud, in terms of network defense, you really have to insist on being session-based and having technologies that support that.

“Complete” Security and Network Defense

Jim: I love how you said real security and network defense. When you say real and I’m sitting there and I’m a security guy, I’m like, well, aren’t I real? What does that mean?

Jeremy: Yeah, real, maybe I like it because it gets people’s attention, but maybe the better way to categorize it is “complete.” You want complete security. And when you talk about network defense, the real or the complete is having the entire picture in front of you. So, it goes all the way from visibility to prevention. If I know exactly what that network session that came in on, you know, last Tuesday had inside of it. And I can find that there was malware or prevent malware or an exploit or something like that, I am, as a defender, a lot more capable than if I missed it, or something like that. So, the real security piece is combining not only full session, but actually being able to prevent it. 

Unfortunately, it doesn’t always mean what defenders and CISOs and security teams think. It means quite often the people will use that word synonymously with, “I found something after the fact, and I alerted you about it.” Which I really think we need to get out of that habit. If you prevent something, you prevented it from reaching somebody.

Jim: Yeah, I agree with you. I think that most security teams are about “I recognize, I found it, therefore I’m giving you something that you can now go remediate it.” Versus “I found it and I stopped it.” And I think that’s a really hard concept, but I think that. Well, I’m going to put it this way: I love the concept of saying I stopped it, but we all know that, you know, based on statistics, how many millions of headcount short are we in the security industry, right? And we have not only a staffing shortage, but we have burnout. We have people with, you know, with alert fatigue. It’s just not enough people to staff cyber. 

Managed Service, Guided Service, and Guided SaaS Can Help Your Security Posture in the Cloud

Jim: What do you say for people that need to move to the cloud? And one of my points is I have a security problem. I have staffing, so I need to move it to the cloud so I can offload some of that. What are your thoughts there?

Jeremy: Yeah, I think that’s exactly what moving to the cloud is for in its purest intent, which is that you are starting to move towards a managed service or a guided service type of platform.

And that makes sense for a lot of people. I mean, whether you’re a security company or whether you’re a bank or whether you’re somebody who’s making that journey, we’re all struggling to find qualified candidates. And quite often what happens is those candidates will go work for the company where they can have the most impact, which means managed security companies, guided security companies. They tend to be able to have impact and prevention and work their magic on a lot of people at once rather than just one. So, you’re going to struggle to hire people. I would say that it’s really not over for you. It’s just thinking about moving in your cloud journey towards trusting professionals on the gaps that you have.

And that doesn’t mean that you have to have everything become a managed service. It just means you really need to carefully think about what you want to evolve into a managed service.

Jim: Yeah. I think you also touched on something else that I’m a fan of, which is the guided SaaS. And I think that there’s value there because what that means is I’m not just saying, “Here, you go handle it.” Instead, what I’m saying is that I still want to run my security, but I want to have resources available that are going to be able to help me when I need it and educate my team. It’s like, you know, teaching a man to fish versus saying, here’s your fish. And I think that, to me, I’m a fan of guided SaaS. But one of the things when we talk about this whole concept of SaaS services, we’re really talking, and you brought up with Zeek and Bro, we’re really talking about looking at the packets and the sessions. Let’s go back to yours. I want to look at the sessions and I want to look at the sessions’ data in motion, which is again, ultimate source of truth. 

The Future of NDR: On-Prem and in the Cloud

Jim: When I start looking at the concept of on-prem traffic and I start looking at cloud traffic, and so network detection and response is what we’re talking about here. What’s really the difference between on-prem and cloud?

Jeremy: Yeah. So, I think it depends on how you define NDR. And so the market has sort of defined NDR as an offering where you expect talented professionals to take a look at the logs of your security devices. And so, what that means today is that we are constantly after the fact, right? It’s a detection and response loop. What NDR needs to be in the future is blending in a sort of a managed prevention. And that can happen from a lot of companies, but you can have that, whether you’re on prem or in the cloud, by allowing somebody to have access or a talented team to have access in secure ways to certain devices.

And we’ve seen many vendors that offer this solution, because what it really does is helps you make your journey to the cloud not all at once. You can get comfortable with a team that helps you. You can get comfortable with the expertise level. And it becomes less about you learning how to configure that next device and more about you learning how to collaborate with something like a really talented operational team or a talented analyst team.

And I think that collaboration is really more important. Let’s have a conversation about what we want done. Let’s have the conversation about the things that we’re scared about at night, and let’s have a conversation about how we can make those things go away together. 

Jim: Yeah. And that really does kind of correlate to what we were talking about with that guided versus a straight managed SaaS. And I agree with that completely. You did say the word “logs” though, and I want to make sure we set that straight that we are actually talking about the packets and the full sessions and not log data, because we know that logs are simply going to be — well, number one, you know, first thing I’m going to do as a bad guy is I’m going to go turn down the logging level, and then I’m going to erase the tracks that I was ever there. You can’t do that with packets because packets are packets. They’re going to be there, and we’re getting them in real time. 

So, one of the things that is kind of a futuristic thought. So, a lot of companies that are making this journey are really in preventative mode, right? They’re trying to stop it from happening. But as they evolve. And I always say, even companies that are still in that preventative mode need to set aside time to hunt. Even if it’s an hour a day or a few hours a week, I want to go data mine and I want to hunt. And I know a lot of people say, I can barely keep up. Well, if you want to keep your analysts happy, let them hunt.

Hunting for Threats — Best Practices

Jim: What are some techniques for people that are starting to hunt?

Jeremy: Yeah, and I teach this to my team, too. The best thing you can do when you’re starting out hunting is understanding the tools that are in front of you. So that’s number one. And it sounds really common sense, but I have — I can’t tell you the amount of times I’ve walked into a security operations team, and there are people who know about certain tools and use certain tools and other people who use others. That really brings up a point that analysts who hunt successfully need a federated point where all their tools, like a single pane of glass where all their tools are. They need training on what they are and what functions they cover.

And then once you sort of set that, that baseline, it’s really important to know how to take a piece of data and pivot. And so, that can mean different things for different people. Sometimes you can take one of those indicators of compromise, like I spoke before, and you can take and go pivot through a system that might capture network traffic or PCAP files.

And you can say, I want to know where on the internet was this IP address talking to. And start digging in through there. Sometimes it gets more technical. This is where context comes in. I may have a system that allows me to, let’s say, pull files out of network traffic and send them to places to do certain things. I’m going to want to start asking and tasking my analysts to hunt inside of files and start finding interesting things, exploits, metadata, stuff like that.

So, I’d say it really starts with the tools and federating them into one place. It starts with teaching people the mindset of being able to pivot off of pretty much arbitrary data. And then really making those analyst connections. We’ve heard this analogy before that sort of defenders think in and attackers think in graphs. And I do really, really think that that is quite true. When you think about putting connections together, you kind of need to think about putting them together in a graph. Well, you really need to connect the data points.

So, if you saw this IP talking to something here, and then a month later, you saw it talking to another thing at the exact same time — well, you should start to sort of put that together in a mental graph.

Jim: I like that. I talked about the concept that we really need to let people hunt, but I also think something that’s missing is we get people that are smart enough to know how to start hunting or smart enough to hunt. We need to make sure that we start training the next hunters and we need to make sure that our level-one analyst gets that time to hunt. Whether they really know what they’re doing or not, that’s okay. Teach them. You know, teach a man to fish kind of concept. And, if you’re using a guided SaaS, let the guided SaaS company guide you and get you to that point, and that’s value in guided SaaS. I think people neglect to understand that the partnership there and you guys obviously do that in your place. So, I think that’s a typical thing and a guided SaaS.

SASE – Secure Access Service Edge

Jim: We hear a lot about secure edge. I know that’s something you talked a lot about. Can you let me know what you have to say about that?

Jeremy: Yeah. I mean the secure edge is, you know, in my opinion it’s a market that’s learning where it’s going to be in the next two to five years. We see a lot of different capabilities being wrapped up. We see an evolution from perhaps the SASE market into whatever secure edge is going to turn into. I like to think of it quite simply…. 

Jim: You used an acronym. You used an acronym. You can’t throw an acronym without explaining it. 

Jeremy: Sure. Yeah. SASE. SASE is a conglomeration of a lot of different technology. There are policies like CASB (cloud access security broker). There’s policies around what things in the cloud can talk to each other. There are secure firewalls. There’s web application firewalls that protect your public-facing websites. There’s secure web gateways that do roughly the same thing. There are policy-based controls on these firewalls that let certain people get to certain places at certain times of day. And so, SASE really represents the conglomeration of all of those things, but then also tied back to somebody who is installing an endpoint agent on their computer quite typically that links their identity to that sort of secure edge or wherever their traffic is going.

Jim: Yeah. It’s a lot more than just straight DLP, which I think a lot of people… 

Jeremy: It’s a lot more. 

Jim: And again, I threw an acronym, data loss prevention.

Putting Defenders “In the Middle”

Jim: You talk about putting defenders in the middle. Can you tell us more about that?

Jeremy: Yes! Yeah. Yeah, one of my favorite things. I like to think like this, because it’s what my company does, but it really, really is a mindset. Let’s think about putting our best foot forward and our best technology between anybody on the internet. So, a corporate network and the internet or a remote worker and the internet. What would you do if you had the ability to pull apart a full network session, like to its, you know, its DNA basically? And to understand that inside of that may be one-to-many files and to parse those files out very quickly. Like, what would you do if you had this entire story in front of you and how would that change how you think about network defense today?

That defensive mindset in the middle. It doesn’t really matter what tech you use or what vendor you use. It actually matters that you insist that all of your traffic, whether you’re connecting to a SASE or SOC solution, whether you’re sitting in a corporate office, you insist that all of your traffic is treated in such a way where there are human eyes and defenders in the loop and where those defenders are enabled to see the most possible context they can from that traffic.

I think the EDR industry a little bit here, because they really like, sort of, pioneered that extreme forensic look into things that I think network defenders really needed the past 10 to 15 years. 

Jim: Endpoint detection and response — continue.

Jeremy: Yup. EDR — simply just the monitoring of processes and software executions on an actual computer. 

Jim: Yep. They pioneered it. Continue. 

Jeremy: They pioneered it, they did a fantastic job. And I think that that sort of mindset about not really stopping until you find where the thread is, is where the network defense industry needs to head, and it is where, you know, a lot of technologies are evolving. And that’s what excites me at the end of the day. My team are defenders in the middle. And we do really, really interesting things when we find malicious techniques, and now we’re in exploits and stuff like that. And because we insisted that we’re there.

Jim: Yeah. And that’s really important. I think people don’t understand. It doesn’t matter whether we’re talking on prem or we’re talking cloud. And I think it’s something that, you know, as you start making that journey, whether we’re talking private cloud, where we’re inspecting traffic for East-West within that private cloud virtual environment. Or we’re dealing with public cloud, which means I’m going to look not only for ingress/egress but also East-West. We need to be able to see that traffic, as you put it, not only as traffic, but it’s being able to sessionize it. And giving the defenders the ability to see it in real time. Getting the ability to see it as it’s happening so that even if it is that I need to mitigate it, but I need to be able to understand what happened, how it happened, so that the next time it won’t happen.

I mean, ultimately, there’s the rule that — and we’ve all heard this — “I have to be right every time, but the bad guys only have to be right once.” Right? And so that rule we’ve heard a million times. And to your point, you’ve gotta be a defender in the middle. I mean, your entire design needs to talk about giving your people a chance.

So, we’re almost out of time. Is there anything that you wanted to bring up that I haven’t asked you on this? Is there any things you want to throw out there? 

Final thoughts: digging deep into traffic

Jeremy: Yeah, parting shots are sort of a call to action for the technology and the network defense industry. We can do a lot better.

I think we really have to insist on thinking about faster performance at higher network rates. Being able to actually parse files inline and then being able to do something about it. I’m always going to take that stance because it works. I think a lot of people gave up on that a while ago because it was hard or because they didn’t have the technology to do it, or because they didn’t have the innovation. 

We are all a smart group of folks. Everybody knows that this is an attainable goal. And if we can put a little bit more preventative balance in the mix and not just rely on indicators of compromise and blocking and alerting, I think we’re going to be in a much, much better place. So that’s the final shot across the bow from me. Let’s do a bit better with our tech.

Jim: Absolutely agree a hundred percent.  

Well, I want to thank you for being my guest today. Folks, if you have any questions, we welcome you to reach out to myself or to Jeremy directly. And I want to thank you all and please remember to click subscribe and join us for the next one. 

Thank you everybody. And have a great day.
As mentioned above, Jeremy wanted to share some additional thoughts with our listeners to help them understand his approach and perspective.

Jeremy: We literally built our technology to put defenders in the middle of adversary tradecraft. That means we prioritize blazing fast, inline file and network protocol parsers that give deep and accurate context within sessions. We also pioneered actions beyond simple blocking (think next gen firewalls) or alerting; so, we can actively replace, remove, or modify content to stop attackers.

What this means for the Threat Analysis team here is that putting “defenders in the middle” actually lets us both detect and apply unique actions against nefarious malware campaigns, delivery of exploits, and other tactics like command and control. Furthermore, since we’ve got the entire session laid out in front of us, the sky is the limit about how creative we can get to stop attacker techniques. 

Here are some examples:

  • Removing the buffer overflow from Equation Editor (CVE-2017-11882) malicious documents and presenting a clean file to the user, fully inline 
  • Modifying known command and control traffic inbound (from adversary server to implant), which triggers a remote kill switch and uninstalls that implant
  • Removing command injection content before it hits a vulnerable public web server (think Log4J here)

The point is that active network defense technology belongs hand in hand with defenders in the middle. It should enable, not hinder them, to make complex tactics go away. If you’ve got the full session, protocols, and files laid out for you, the only question left to answer is: What would you do to stop it?

It’s worth mentioning that none of this is possible without visibility, which is why Trinity Cyber partners with Gigamon for SSL decryption and other excellent capabilities that supercharge defenders in the middle.
