Yes, many of us have read the cult classic book Zen and the Art of Motorcycle Maintenance, but what does that have to do with cybersecurity? I won’t bore you with the details of Robert Pirsig’s theory, the MOQ (Metaphysics of Quality), but let’s just say it is very closely connected to the Greek notion of arete, or excellence/quality.

According to Pirsig, in order to cultivate the virtue of excellence we need to confront two aspects of life:

  • The objective impasse: incorrect or blunt tools when attempting some complex task
  • The subjective hang-up: doubts about one’s own ability, and resistance to searching or asking for the right tool

Once these two aspects are integrated (the right tools with the right mindset), a clear sense of quality and excellence arises. Many people in IT have had that feeling of frustration with no clear end in sight when suddenly, in the blink of an eye, they discover the error that had previously evaded them. Either the tool was wrong or the mindset was, and with enough persistence and patience the intractable became soluble. This sense of the key finally fitting the lock is that ineffable quality Pirsig was trying to get at in his book.

After watching the recent webinar Mitigating Threats with Microsoft Defender, with speakers Joe Stocker, Matt Soseman, and Florian Roth, CTO of Nextron Systems, I was very impressed to learn about the compromise assessment product Thor 10, and more specifically its integration with Microsoft Defender ATP. Thor 10 has a signature database of more than 10,000 hand-crafted, high-quality rules with a primary focus on APTs (advanced persistent threats): their tool sets, scripts and malware. After listening closely to the discussion I reached out to Nextron and ran a system scan with all modules (which in full scan mode can take up to seven hours). On completion, the first thing that sprang to mind when reviewing the reports was the sheer depth, quality, and potential of the product. They curate rules for hack tools and their output, config backdoors, RATs, web shells, suspicious system file replacements and traces of other malicious activity. If a bad actor is, or has been, in the system, then Thor 10 will know about it!

Along with Thor, the other major influence for writing this post came from the series written by Mark Simos et al., ‘Lessons learned from the Microsoft SOC’. Being a huge fan of the compound formation of certain German words such as Tischgesellschaft (affable dinner company) or Waldeinsamkeit (spiritual connection with nature), I was pleasantly surprised to learn a new one courtesy of their latest post, ‘Zen and the art of threat hunting’. Their article paints a vivid picture of what it means to be a good threat hunter, to aim for excellence and to come into contact with that sense of quality.

In Siddhartha Mukherjee’s book ‘The Laws of Medicine’ he outlines three essential laws he discovered during his long career in medicine. These laws could equally be applied to the world of cybersecurity.

Law One: A strong intuition is much more powerful than a weak test. If you have a hunch based on your prior experience, listen to that voice and don’t always trust the data.
Law Two: “Normals” teach us rules; “outliers” teach us laws. Pay attention to uncanny results in cybersecurity: what is abnormal, or an exception, can further your knowledge.
Law Three: For every perfect medical experiment, there is a perfect human bias. Remember that we all suffer from cognitive bias, so make every effort to replicate results and look at your data with a beginner’s mind.

I urge you to read the whole series, but here is an extract containing some very wise words as well as that magical German word Fingerspitzengefühl.

What makes a good threat hunter?

While any high performing analyst has good technical skills, a threat hunter must be able to see past technical data and tools to attackers’ actions, motivations, and ideas. They need to have a “fingertip feel” (sometimes referred to as Fingerspitzengefühl), which is a natural sense of what is normal and abnormal in security data and the environment. Threat hunters can recognize when an alert (or cluster of alerts/logs) seems different or out of place.

One way to think about the qualities that make up a good threat hunter is to look at the Three F’s.

Functionality

This is technical knowledge and competency in investigating and remediating incidents. Security analysts (including threat hunters) should be proficient with the security tools, the general flow of investigation and remediation, and the types of technologies commonly deployed in enterprise environments.

Familiarity

This is “know thyself” and “know thy enemy” and includes familiarity with your organization’s specific environment and familiarity with attacker tactics, techniques, and procedures (TTPs). Attacker familiarity starts with understanding common adversary behaviors and then grows into a deeper sense of specific adversaries (including technologies, processes, playbooks, business priorities and mission, industry, and typical threat patterns). Familiarity also includes the relationships threat hunters develop with the people in your organization, and their roles/responsibilities. Familiarity with your organization is highly valued for analysts on investigation teams, and critical for effective threat hunting.

Flexibility

Flexibility is a highly valued attribute of any analyst role, but it is absolutely required for a threat hunter. Flexibility is a mindset of being adaptable in what you may do every day and how you do it. This manifests in how you understand problems, process information, and pursue solutions. This mindset comes from within each person and is reflected in almost everything they do.

Where any threat analyst (or threat hunter) can take a particular alert or event and run it into the ground, a good threat hunter will take a step back and look at a collection of data, alerts or events. Threat hunters must be inquisitive and unrelentingly curious about things—to the point that it bugs them if they don’t have a clear understanding of something. Instead of just answering a question, threat hunters are constantly trying to ask better questions of the data, coming up with creative new angles to answer them, and seeing what new questions they raise. Threat hunting also requires humility, to be able to quickly admit your mistakes so you can rapidly re-enter learning mode.