Hunter teams are emerging as a new tool in the world of cyber defense. Computer security continues to improve and evolve over time. One of the latest practices gaining momentum is the use of cyber security “hunter teams”. Differing from how standard security operations function, hunter teams fill an important gap and push us one step further up the evolutionary ladder of cyber security. They are cyber-investigators who enhance an organization’s capabilities by supplementing the overall defense against persistent attackers. They are typically a group of bright, experienced, talented, and motivated professionals who work together to detect, identify, and understand an advanced and determined threat agent.
Hunter teams approach threats in a personal way. They seek the human origins of attacks and focus their attention on disruption or removal of those threat agents, instead of the attacks themselves. In simple terms, they target the attackers.
These hunter teams are sprouting and taking root in many different places. Anti-malware companies, research organizations, and internal security departments have begun to embrace looking for the attackers. Investigation teams, including cyber guns-for-hire who are brought in after the fact when serious breaches are detected, are also looking for the people behind the attacks. However, it has been the military and sensitive government organizations that have been most vocal in recruiting hunter team talent. They have a long history of knowing the value of identifying the enemy, have been quick to embrace this practice, and are serious about making it successful.
Hundreds of years ago Sun Tzu penned the authoritative tome on warfare strategy. One of its pillars is to know your enemy. A key to conflict is to understand that attacks are simply a method for the threat agent to achieve their objectives. An active defense not only shields against attacks, but also targets the attackers: the people who would do you or your mission harm. Take the attackers out of the equation and the attacks also go away.
Hunter teams play an important role, different from that of standard security operations staff. In the past decade, we have seen the rise of security operations centers (SOCs). Security operations departments are typically configured, resourced, and driven to contain attacks and remediate to a state of normal operations. They are in a continuous cycle of fixing the symptoms and tweaking the defenses so the organization continues to operate in a stable and expected manner. It is a never-ending struggle which works best against the flood of broadly sweeping attacks on the internet, which look for any target of opportunity. In most cases, SOCs are only interested in attacks which undermine the operational performance and value of the environment under their protection. They are well suited to tackle ordinary malware infections or to plug understood exploit activity by using industry best-known practices, but can easily falter when faced with something unique and specifically targeting only them. They are by design inwardly focused, limited to a technology sandbox of security control configuration or fixing assets within their internal environment.
Hunter teams take a different approach and seek the root cause, namely the threat agents themselves, who are initiating one or more attacks. These may be internal or external to the organization. Not satisfied with simply undermining the latest infraction, hunter teams want to quell the problem at the source and eliminate future attacks from the same threat agent, who may possess the ability to coordinate completely unique and unpredictable maneuvers.
History shows why this is important. Attackers maintain the combat initiative and determine where, when, and by what method an attack will occur. Defenders typically respond to the attackers’ moves and evolve the defenses to protect against those newly understood methods.
Attackers therefore have an advantage. It takes time, effort, and resources for defenders to recognize they are being attacked, decipher how it is being done, develop a means to isolate the ongoing breach and block future attacks, and then remediate the affected systems. A threat agent who is determined to attack a specific target can try a number of methods until they succeed. With no threat of jeopardy to themselves, they can continue varying the assault until they find an approach which works. The only effective way to stop such a persistent threat agent is to dissuade them or remove them from the equation. This is where the hunter teams come into play.
Criminal investigators are a good example of the hunter team methodology at work. If someone breaks down a door to rob a bank, the security operations team looks to install stronger doors and maybe a better alarm system. They are inclined to identify and close the vulnerability. A criminal investigator will look to see who is trying to rob banks and target those threat agents. The investigator knows such a robber will continue to evolve their tactics until they succeed. Operations efforts to improve door standards, alarms, and so on are still fine measures which reduce the risk of loss, but the investigator’s role is just as important.
When I managed Intel’s Security Operations Center, I was also the Incident Commander for the company’s IT Emergency Response Process. This is the team that takes charge whenever the company’s computer environment is being attacked. I remember during a virus outbreak instructing the security operations team to track, isolate, and clean infected systems, and then turning to my intelligence section leader and asking him to go forth and determine whether the incident was simply a wild virus finding its way through the cracks or a directed attack specifically against our company. The challenge I assigned the intelligence lead was so I could understand whether the threat agent was specifically targeting Intel Corp with their malicious attacks or whether we were simply caught in a broader net cast with a generic attack. This would help me understand whether it was a fluke oversight in the configuration of our defenses or just the beginning of something far worse, potentially a directed campaign against our security infrastructure.
Cost and scalability limits will constrain their use, but hunter teams are an important step forward for the industry. Cyber security hunter teams have been in limited use for some time and are gaining momentum. The results can be seen in the news. Botnet takedowns, the breaking up of carding rings, the shutting down of illegal fraud sites, malware author arrests, and the prosecution of insider theft and sabotage cases are possible because the attackers were targeted. What is not publicized are the equally impressive results which occur quietly in defense of highly protected networks. These teams can be valuable in identifying the root cause of problems, putting the puzzle pieces of seemingly disparate incidents together, identifying the offending attackers, performing reconnaissance for early alerting, and providing the intelligence necessary to interdict and prosecute them. Hunter teams can be a very powerful tool and effective in stopping some of the most grievous threats.
These specialized capabilities come at a cost. In order to succeed, a combination of brilliant talent, tools, support from legal, and in some cases partnership with law enforcement and industry partners, suppliers, and customers is required. It is a significant investment to establish and maintain a team at a sufficient level to see worthwhile results. Additionally, something intangible is needed: patience. Even the most proficient team needs time to hunt, and results can vary greatly.
Beyond costs, hunter teams also have a significant downside: they are not very scalable. Most teams work a single case or issue to closure. Some teams can multitask, but at a great loss of effectiveness. I have been fortunate to be a part of a world-class loss prevention team, specializing in detecting, tracking, and prosecuting threat agents. When on the hunt, teams are narrowly focused. Timing is critical. Proficiency matters. Splitting attention across a multitude of separate cases is a recipe for disaster. Compared to security operations teams, which can much more easily multitask and close issues with great speed, hunter teams seem to move in slow motion. But what they lack in the quantity of case closures, they can make up for in results. Overall, the high costs and the lack of scalability are tall barriers which prevent widespread adoption.
Certain organizations, where the cost and scalability headaches are worth the additional security capabilities, should consider the use of hunter teams. Environments whose assets are targeted by persistent, creative, and resourceful threat agents seeking explicit objectives from a specific target will benefit the most. Identifying and understanding these dangerous and capable adversaries, who seek to undermine your security controls and compromise your environment, is an important step in countering massive potential damage. This is not important to most, but for those organizations which are under the pressure of being targeted directly by skillful and motivated threat agents, hunter teams are a viable and attractive option. I strongly suggest that financial, defense, sensitive government, and high-profile critical infrastructure organizations look into using them. Additionally, I urge security providers and consulting firms to evaluate offering professional hunter team services. The demand will continue to grow over time.
Hunter teams are a necessity in the evolution of cyber security. They are a pivotal step forward, applying much-needed pressure to attackers. Yet they are not the final state. We will continue to evolve the practices and technology of targeting threat agents into something more scalable, affordable, and effective. But for the time being, I welcome hunter teams to the playing field. It is about time you showed up. We really need you. Happy hunting!