Interviews | August 5, 2020

Organizations Need Intelligent, Self-Learning Cyber Defense Capabilities

Elia Zaitsev
CTO of the Americas, CrowdStrike


Q1. What are some of the biggest challenges that enterprise organizations face with respect to threat hunting? Where do the biggest capability gaps exist?

The first challenge they will encounter is gaining proper visibility and telemetry into the enterprise. Not all telemetry is created equal; network data is easy to get - for example taking it directly from the SPAN port of a router - but it suffers from a lack of actionable insight due to the pervasive use of encryption. Security is often blind to activity occurring outside the physical network perimeter, which is especially important today with so many organizations adjusting to rapid work from home adoption. Telemetry collected at the endpoint is typically the most valuable as this is where the "action" is from an adversary perspective.

Identifying and collecting the right event data is just half of the job; the other key to success is being able to store it in a centralized location and make it available in real-time and at a scale to support hundreds of thousands of devices.

The second challenge comes when it's time to convert the millions of events and records you collect from all of the devices into hunting leads, investigating them, and making the right decisions. Tools and technology can help here and are vital when it comes to improving efficiency through automation, but ultimately there is no substitute for human experts. Hunting teams should be dedicated rather than moonlighting in their spare time (who actually has spare time in this business?). The difference between normal and unusual behavior can be slight and nuanced and can evade even the most sophisticated AI models; teams need deep experience in technology, signals, and human intelligence to be able to efficiently look at a series of events and quickly determine if it is benign or suspicious and warrants further investigation.

Most organizations struggle to find and retain these experts - the skills shortage in cybersecurity is well documented - and being able to staff a 24x7 team is even harder. This is where CrowdStrike spends a lot of time thinking about how we can help our customers do more with their existing staff; how can we provide more actionable context, how can we guide analysts to the right decision point, and how can we give them the confidence to take action.

Q2. What kind of endpoint controls do organizations require these days to deal with the latest threats and adversary tactics? What's the most significant way in which endpoint threats have evolved/changed in recent years?

I'll answer this question in reverse order as I believe the threat landscape is what should guide the controls organizations use to deal with them. It is well known that adversaries are increasingly using native tools and techniques (living off the land) to achieve their objectives. Even when malware is involved, we are seeing a steady decline in traditional binary-based attacks in favor of malicious scripts.

Ransomware for example continues to evolve at a rapid pace and remains one of the most existential threats to an organization. The trend now is towards "Big Game Hunting" and extensive use of Ransomware as a Service (RaaS) platforms. That said, the execution of the ransomware itself is usually the last step in the attack. Usually it's preceded by an extensive campaign that typically starts with social engineering or phishing to gain initial access, followed by elevation of privileges, credential theft, lateral movement, and extensive reconnaissance that often utilizes living off the land techniques.

In a recently publicized event, an adversary using "Ragnar Locker" made recommendations to their ransomware victim while negotiating for the restoration of their data. Many were basic security measures and hygiene protocols - disabling local admin accounts, restricting use of domain administrator accounts, minimizing privileges to existing accounts to the bare minimum necessary, and changing passwords frequently to name a few.

More interestingly, the attackers said "Don't count on the Anti-Virus, there is no AV that really helps" while simultaneously recommending the deployment of Endpoint Detection and Response (EDR). Despite its source I would second all their advice and add that an EDR tool is only as good as the team operating it. I discussed the challenges organizations will face in building out an effective threat hunting program in the previous question. For many organizations a managed threat hunting service in combination with a managed service provider operating their EDR platform will be the most effective solution.

Q3. What does CrowdStrike plan on highlighting at the Black Hat USA 2020 virtual event?

At the first ever virtual Black Hat, the CrowdStrike team will present informative sessions on critical topics, demonstrations of the powerful CrowdStrike Falcon platform and opportunities for one-on-one meetings with CrowdStrike world-class experts.

During the sessions, we'll be exploring the uptick in sophistication behind ransomware attacks, and what tactics, techniques and procedures (TTPs) the more prolific ransomware operators are employing to prey upon the remote workforce.

We'll also be sharing lessons from the front lines of incident response and real world applications from our CrowdStrike Services team. Last but not least, another session will take a deep dive into the CrowdStrike Falcon platform's APIs for threat intelligence feeds, real-time reporting and dynamic response. Below are the full details for each session:

Dealing with Ransomware While Your Workforce is Remote
Jesse Travis, CrowdStrike Sales Engineering Manager
Thursday, August 6, 11:00-11:40 a.m. PDT

Avoid the Breach, Save the Weekend: Top Lessons Learned with CrowdStrike Services
Tim Parisi, CrowdStrike Services Director of Incident Response
Thursday, August 6, 1:30-2:10 p.m. PDT

Working with CrowdStrike API
Adam Hogan, CrowdStrike Sales Engineering Manager
On Demand

Justin Fier
Director of Cyber Intelligence & Analysis, Darktrace


Q1. A lot of people have talked about the benefits of AI-enabled cybersecurity. How concerned are you about AI-enabled attacks? What would such an attack look like and what's needed to protect against them?

Our networks have become more complex – spreading across SaaS tools, IoT, home environments and beyond – and our workforces have become more disparate and dynamic than ever before. This means that detecting and responding to genuinely threatening activity is becoming an impossible task for humans alone.

The advent of AI-powered attacks will only exacerbate this challenge. In the near future, we're going to see AI begin to be leveraged by sophisticated attackers, and governments and organizations will have to fight back with their own AI.

Consider the sophistication of today's cyber-attacks, many of which are low, slow and stealthy, trying to go undetected, while others move at machine-speeds. All these different types of attacks place a huge burden on human security teams who cannot possibly keep up with the scale, speed, and stealth of the attacks without the right technology and strategies in place.

Go one step further to think about AI-enabled attacks. It will be all but impossible for humans to replicate AI attacks that will fly under the radar of all but the most advanced AI defenses. We can't bring humans to a machine fight, so the only way to protect against AI-enabled attacks is with AI on the defensive side as well.

Technology that uses AI empowers human security teams by autonomously defending against attacks that move at machine-speed, before they escalate into crisis.

To detect advanced attacks, companies will need to adopt equally intelligent security tools. AI driven cyber security has already proven to be successful, so it is natural to think the attackers will also adopt this technology on the offensive side, if they have not already.

Q2. You've expressed concern about attacks like the recent one on Twitter, becoming the norm this year. Why do you believe that will be the case, and what threat would these attacks likely pose to enterprise organizations?

We have to accept that sophisticated, deliberate, machine-speed cyber-attacks are now a part of our reality and this future of cyber-attacks will continue to be nearly impossible to detect and stop with legacy tools alone.

We have entered an era where nation states along with criminal groups are making persistent and advanced attempts to cause disruption, steal data, spread misinformation or even cause physical harm. Attacks on critical national infrastructure are all used to cause confusion and chaos ahead of important events like elections.

Intelligent, self-learning cyber defense has never been more in demand as threats have evolved from an individual bad actor to more complex groups with technology at their disposal.

Cyber AI is already providing this level of protection for thousands of organizations around the world and is necessary to protect against threats wherever they occur. The next battle enterprises, governments and organizations will face is against adversarial AI, and they must be ready to fight machine with machines.

Q3. What is Darktrace's focus at Black Hat USA 2020? Is there a particular theme or topic that you plan on highlighting at the event?

We will be focusing on debuting our cyber AI analyst technology, which took years of development in order to teach AI to emulate the investigation, analysis and reporting processes performed by a cybersecurity analyst. The cyber AI analyst is currently deployed for thousands of customers and is able to take subtle, nuanced skills and implicit knowledge of an analyst to detect genuinely threatening activity.

In order to mimic human thought processes, the technology learned from more than one hundred threat analysts as they performed threat investigations. Beyond just lab testing, cyber AI analyst has proved its worth and strength in the real world, and now performs over one million investigations per week. In our session, we will demonstrate how Darktrace was able to catch an APT using a zero-day, weeks before public attribution, using cyber AI analyst technology.

Another announcement and focus we have at Black Hat is on our technology's ability to defend the entire dynamic workforce, with a guest feature from McLaren. We have a joint session with McLaren Group CIO to discuss how AI is able to keep pace with the speed and innovation of McLaren on and off the race track. Only AI is capable of keeping pace with McLaren's rapidly changing environments and their digital innovations across their entire workforce.

Joe Partlow
Chief Technology Officer, ReliaQuest


Q1. What are some of the biggest obstacles to automating threat detection and response for enterprise organizations? For organizations that want to automate the process, what's a good place to begin?

A couple of the biggest obstacles we see to automating threat detection and response include getting visibility across the majority of the environment – SIEM, EDR, point tools, and multi-cloud – then getting buy-in from other operations teams. Most organizations struggle with an ever-changing network and application environment, so getting insight into what is normal or not is an everyday challenge.

Automating any actions is extremely risky without knowing the context of what device or application you are taking actions against. It's not enough to know that device or app is present. You also need to know how critical it is to the organization before automating an action that could possibly result in the device or app being unavailable. The other common obstacle we see is when the operations and security teams are not working together on the common automation goal, with the operations team pushing back for fear of unnecessary outages, and rightfully so. Both teams need to be aware of what automations are being implemented and any additional context, checks or exclusions that would need to be placed before an action can be taken against that device or application. We have seen the most success when both teams are on the same page and working together on the automation project.

A good place to begin for organizations looking to automate their processes would be to make sure they have a good inventory of all the devices and applications running on the network along with the documented manual process that is going to be automated, so they can ensure that the flow is already correct and approved. Involving the operations team or any other relevant group early to ensure no critical system would be adversely impacted is critical for the project to be successful.
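The gating the answer above describes, written out as an added Python example (not ReliaQuest's or GreyMatter's code): before a playbook action such as host isolation runs unattended, the target must be in the inventory, not under a temporary operations exclusion, pre-approved for that action by its owning team, and below a criticality ceiling that still allows automation. Every host, owner, exclusion and alert in the block is a constructed sample value, and the action names are hypothetical.

```python
"""Gate automated response actions on asset context before they run.

Added example, not ReliaQuest's code: it models the checks the interview
describes (inventory lookup, criticality, temporary exclusions and
operations-team approval) that a playbook should pass before an action such
as host isolation executes automatically. Every host, owner, alert and
exclusion below is a constructed sample value.
"""
from dataclasses import dataclass, field
from enum import Enum


class Criticality(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Asset:
    hostname: str
    owner_team: str                     # team that must sign off on automation
    criticality: Criticality
    approved_actions: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


# Constructed inventory (hypothetical hosts). approved_actions records what
# the owning operations team has agreed may run without a human in the loop.
INVENTORY = {
    "ws-finance-07": Asset("ws-finance-07", "desktop-ops", Criticality.LOW,
                           {"isolate_host", "kill_process"}),
    "ws-hr-12": Asset("ws-hr-12", "desktop-ops", Criticality.LOW,
                      {"isolate_host"}),
    "db-prod-01": Asset("db-prod-01", "database-ops", Criticality.HIGH,
                        {"kill_process"}),
    "dc-01": Asset("dc-01", "identity-ops", Criticality.HIGH, set()),
}

# Hosts the operations team has temporarily excluded, with the stated reason
# (constructed change-window note).
EXCLUSIONS = {"ws-hr-12": "re-imaging in progress during change window"}

# Most critical tier that may still be acted on without human approval.
MAX_AUTO_CRITICALITY = Criticality.MEDIUM


def evaluate_action(hostname, action, inventory=INVENTORY,
                    exclusions=EXCLUSIONS, max_auto=MAX_AUTO_CRITICALITY):
    """Return a Decision on whether `action` may run unattended on `hostname`.

    Checks run in order: the host must be inventoried, not excluded, the
    action must be pre-approved by its owner, and the host's criticality must
    be within the tier allowed for unattended automation.
    """
    asset = inventory.get(hostname)
    if asset is None:
        return Decision(False, f"{hostname} not in inventory; escalate to analyst")
    if hostname in exclusions:
        return Decision(False, f"{hostname} excluded: {exclusions[hostname]}")
    if action not in asset.approved_actions:
        return Decision(False, f"{action} not approved by {asset.owner_team} for {hostname}")
    if asset.criticality.value > max_auto.value:
        return Decision(False, f"{hostname} is {asset.criticality.name}; human approval required")
    return Decision(True, f"{action} on {hostname} approved for automation")


def triage(alerts, **kwargs):
    """Split (hostname, action) alerts into those to execute and those to escalate.

    Returns two lists of (hostname, action, reason) so the audit trail records
    why each automated action did or did not fire.
    """
    execute, escalate = [], []
    for hostname, action in alerts:
        decision = evaluate_action(hostname, action, **kwargs)
        target = execute if decision.allowed else escalate
        target.append((hostname, action, decision.reason))
    return execute, escalate


if __name__ == "__main__":
    # Constructed alerts from an EDR feed, each naming the playbook action.
    sample_alerts = [
        ("ws-finance-07", "isolate_host"),
        ("ws-hr-12", "isolate_host"),
        ("db-prod-01", "kill_process"),
        ("dc-01", "isolate_host"),
        ("unknown-host", "isolate_host"),
    ]
    run, held = triage(sample_alerts)
    for entry in run:
        print("EXECUTE ", *entry)
    for entry in held:
        print("ESCALATE", *entry)
```

The check order is deliberate: an unknown host is escalated before anything else is consulted, because acting on an asset that is not in the inventory is exactly the context-free action the answer warns about, and every refusal carries the reason so both the security and operations teams can review why an automation did not fire.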

Q2. What was ReliaQuest's goal in acquiring ThreatCare last October? How are you leveraging the company's technology?

ReliaQuest is laser focused on delivering world-class cybersecurity outcomes through its SaaS security platform, GreyMatter. Those outcomes are driven by the platform's unique ability to integrate an enterprise's disparate technologies and centralize visibility across their environments – then automate across the full security lifecycle, from detection to investigation, response and remediation. Last year, ReliaQuest had identified cyber assurance as part of realizing this vision, but believed existing, ad hoc approaches, such as red teaming and pen testing alone were insufficient.

Instead, ReliaQuest identified a need for a new approach: attack simulations that were fully integrated with other security technologies, with continuous sequences to reflect how real-world attackers think. The team explored various options to execute quickly and met a like mind in Marcus Carey, best-selling author and founder of attack simulation vendor Threatcare. ReliaQuest acquired Threatcare in October of 2019, bringing its core technology together with ReliaQuest's SaaS security platform, GreyMatter and significantly expanding its capabilities. The result is a library of simulations to quickly build campaigns that are fully integrated with alert sources, then view the results from the perspective of both attacker and defender. Through use of persistent and dissolvable agents, certified integrations, and flexible simulations with impact ratings, GreyMatter enables cyber assurance across disparate environments and provides continuous, actionable results.

Q3. ReliaQuest demoed GreyMatter in a major way at Black Hat USA last year. What do you have in store for this year's event?

ReliaQuest is excited about this year's Black Hat USA and all the new ways in which we can "go big" and engage with attendees virtually. We will be showing off the latest innovations in our GreyMatter platform – so attendees will be able to see what it looks like to gain centralized visibility across their SIEM, EDR, multi-cloud and point tools. They can also see end-to-end automation in action—from the assembly of research packages at the investigation stage to plays they can run in response and continuous attack simulations to validate controls work as expected. There is a demo video available in our booth, as well as the opportunity to request a personalized demo in real-time.

We're also looking forward to a couple of presentations by our Enterprise Architect, Marcus Carey. On Wednesday, August 5th, from 8:10-8:25 a.m. PT he will convene other leaders from his best-selling "Tribe of Hackers" book for a session on the latest tech trends. Later in the day, at 1:30 p.m. PT, he will present "Hack to the Future: The Past, Present, and Future of Attack Simulation," and break down how continuous attack simulations integrated with security controls and platform can help to strengthen your defenses and improve your confidence and resilience of your security program.
