The Emergence of Dynamic Threat Hunting

A review of the evolving cyber security industry over 15 years in business

By James “Jim” McMurry, CEO / Founder, Milton Security, Inc.

No one can argue that cyber security is the same today as it was fifteen years ago. There have been numerous trends and companies that we’ve seen come and go over the last decade-and-a-half, but what is most intriguing is the evolution of the industry and the emergence of Dynamic Threat Hunting (DTH). We’ll get into the specifics of what exactly Dynamic Threat Hunting is and how it differs from the industry norms in a bit, but first, it is helpful to provide a backdrop for how we managed to get to this point.

As with all good storytelling, it’s important to have a central metaphor that helps us tie everything together and better understand the key points. In this case, we’re going to use the classic story of the Trojan Horse, first because the story is well-known and second because it does an exceptional job helping to visualize the evolution into Dynamic Threat Hunting that we have been observing and preaching for years.

Your Trojan War

When reviewing Greek mythology, the Trojan War was fought between the Greeks and the people of Troy sometime in the 13th or 12th century BC. We won’t get into the events leading up to the war, because those are irrelevant, however, just know that someone important was kidnapped – ever seen the movie Taken? Yeah, just like that. The war raged on for quite some time with the Greeks trying desperately to find any weakness in the defenses of the city…until one day, they just gave up.

Let’s assume, for this exercise, that your organization is the city of Troy. No, you didn’t kidnap anyone and you haven’t wronged anyone, you’ve just been doing your own thing, trying to be successful as a kingdom. You have been called in to put together a team to defend the city. It’s a vast area with thousands of inhabitants, all of which have their own specific tasks and duties to keep the city running smoothly. There is a large gate encircling the city that provides an initial line of defense and protection for the people and goods inside.

Outside the gate lies the unknown, filled with malicious threat groups trying to lay siege to the city, attempting to capture all that they can whether that is protected information, riches, or even disrupting normal operations to the point where the city is hemorrhaging money. All they need to do is find a single way in.

As commander of the army of Troy, how would you go about defending the city?

Defending Troy with a Static Security Operations Center

You decide to place sentries atop the city wall who can see for miles it seems. Your instructions are clear that they are to report back to you with anything and everything they see. You sit back and wait and almost immediately a messenger knocks on the door. They enter and tell you that Jane was planting flowers in the city garden.

Alright, that’s great, but not quite what you had in mind.

As the messenger is leaving, another knock comes at the door. Another messenger to tell you that someone is approaching the wall on horseback. Great. This is the kind of info you were looking for. You tell the messenger to go find out more and report back.

Before they can leave, there is another knock, and when the door opens, you catch a glance of a line of messengers that stretches down the hall and there are more coming. Each one delivers a piece of information to you, with most reports being about the daily ongoings within the city. Someone is baking bread, the blacksmith is fashioning horseshoes, and another person is delivering milk.

There are so many pieces of data that are coming in that you are completely overwhelmed with trying to figure out what is relevant to your risk profile as a threat and what is just normal daily activity.

Thus is born the Static Security Operations Center. A place where all of the network data is funneled with no clear picture of what is going on. Who was the person on the horse? Did they keep advancing or turn and go a different way? Were they carrying anything that could be considered a threat? You just have to find that one messenger and hope that they didn’t get sidetracked or tasked with something else.

Organizations that stood up a static SOC quickly became overloaded with data and no context around this data. So, you decide to tune your instructions to the messengers and tell them to only report on what is going on outside the walls of the city.

Defending Troy with a Context-Driven Security Operations Center

The next day, the line of messengers is much shorter. That’s a good start, at least. Until they begin entering and reporting their observations.

Each one has a seemingly frightening message. There were groups that were beginning to assemble outside the city wall. Each group had a clear leader and it looked like they were planning something. Each leader was talking with their group, pointing to the city, looking down at a piece of parchment, perhaps a map, and drawing things in the dirt.

As the day goes on, the messengers keep coming, not in the same quantities, but all seeming to give the exact same report. You hear the same thing over and over and over again with no more information added to help you determine what, if anything, you should do about these groups gathering outside the city.

This is where we see the emergence of security tools and platforms that help provide context around all the data that was flooding in. This did help organizations begin to paint a better picture – maybe there is something going on that we need to pay attention to. Just like your messengers, you have alerts as far as the eye can see. And now, you’re beginning to worry that they are planning something, or even worse, something already got by the defenses and they are just waiting for a signal.

It makes a lot of sense to begin watching for suspicious activity within the walls again, not all activity, just anything that looks out of the ordinary. And probably time to equip the sentries with some armor and weapons to help defend against a possible breach.

Defending Troy with Managed Detection & Response (MDR)

The next day you give the new instructions to your sentries, and see to it that the supplies are delivered to help protect Troy. Messengers begin to arrive and let you know that sometime overnight, there was a delivery of wood and nails to the groups that were gathering off in the distance outside the city. Unsure of what the materials are for or who delivered them, it looks like the groups are beginning to work together. There is a clear leader among the different divisions, going back and forth between them and giving directions and orders.

Occasionally, a few individuals on horseback ride closer to the wall and the sentries fire arrows in response to deter the threat. The messengers are reporting this activity every time an arrow is fired. It looks like everything is working. You are successfully defending the city and keeping the threats out.

Feeling rather confident in your plan, you retire for the evening and look forward to the next day. Hopefully, the lack of ability to bypass the perimeter security will frustrate the groups outside the wall, and eventually, they will disperse.

Managed Detection and Response has been the status quo for the cyber security industry for quite some time now. There was a time, though, when it seemed like MDR was on the way out and Extended Detection and Response (XDR) would take over because of the ability to paint a clearer picture of what was going on outside your gates.

Imagine this same process going on for years. The same events get reported over and over again. There is more wood and nails being delivered each day. A few individuals try to breach the gates but are deterred by your defenses. On and on it goes. This is what we call event fatigue and what we observed is that eventually, your team gets tired of paying attention to the details. On the outside, the city looks completely secure and there is no need to worry.

Great. Until one morning, the groups outside are gone. Just like that, they have all disappeared and the only thing that remains is a wooden horse parked just outside of the gate with a note that reads: “A gift for you.”

What do you do?

Defending Troy with Dynamic Threat Hunting (DTH)

At this point, we all know the story. The city rejoices and the gift is brought inside where the unsuspecting city of Troy falls to the adversary.

Wouldn’t it have been nice to know that the local sawmill workers have been working overtime for the last 10 years, milling more wood than the city needed? Or that the blacksmith spent his extra time crafting millions of nails and tools?

Wouldn’t it have been great to understand that during the dark of night, there were meetings going on between people inside the city and the leaders of the external threat groups? Together, they were coming up with a creative plan to deceive the sentries and evade being noticed?

Not every breach has an inside threat component to it, but sometimes, people, processes, and technology lend themselves to being an easy target. Like assigning everyone local admin rights to their individual computer so that when a link is clicked in a phishing email, the attacker now has absolute control over that machine.

Dynamic Threat Hunting is when you pair the wire-speed of AI and ML with the creative understanding of human Threat Hunters to provide an intelligent, context-aware, and just-in-time security operation that not only collects and analyzes the data but actually thinks like attackers and looks beyond the data, alerts, and events.

To the trained Threat Hunter, a simple daily event can be the key to turning a scouting session into a deep hunt. Pairing that with the speed of machines processing messages and telemetry about what is going on in the world and within your network, a crystal clear picture can be uncovered. From there, you have the ability to cut off the attack before it happens and keep your organization secure.

Defending Troy, like protecting your organization, is a monumental task and no quantity of tools or platforms alone will get the job done. Likewise, you can’t just throw a bunch of bodies at it to solve the problem either. It takes the two working in unison to successfully perform Dynamic Threat Hunting

It is no easy task to stand up a Dynamic Threat Hunting team with the ability to see through all the noise and find the needle in the haystack, but it’s what Milton Security has been working towards for the last 15 years. We were the first Dynamic Threat Hunting provider, and after all this time, we’re still the leader.

About the Author

James AuthorJames “Jim” McMurry is the Founder and CEO of Milton Security, the global leader in Dynamic Threat Hunting. With over 30 years of combined experience in Security, Information Technology, Telecommunication, Networking, Management, and Software development, James founded Milton Security with the vision of bringing exceptional network security within reach for all organizations.

Prior to launching Milton Security in 2007, he worked with a broad spectrum of companies ranging from startups to Fortune 1000 in and around the Bay area. He also proudly served as a member of the U.S. Coast Guard aboard the USCGC Taney and USCGC Morgenthau.

McMurry has a passion for Bourbon and a deep hatred of beets. He openly shares both with everyone.

For more information on Milton Security, please visit https://miltonsecurity.com; for more about James, follow him on LinkedIn, Instagram, and Twitter.

August 17, 2022

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!

X