Hunting alone does NOT protect the network

Threat hunting is sexy, but actually protecting the action network? Not so much. Humans are enamored with the ability to click through those shiny interfaces as if it they were in manipulating augmented reality in Minority Report. In fact, it wouldn't surprise me if someone(s) cited that exact movie in their design discussion. Our industry missed the point of those shiny interfaces, which are to help understand, predict and deploy appropriate PREVENTIONS for an actual crime, not just for understanding history. Therein lies the irony, in Minority Report they were predicting the future, not the past.

The problem is, APIs and CLIs are hard to sell. Ask any sales team who's ever tried to sell something without a solid user experience. Most humans grok meaning from visual aides, not data flow diagrams. Those who don't have a solid understanding of tight, non human based integration end up with something they can touch and feel, not necessarily automate. So we follow the [mainstream] money, which enforces the idea that in order to turn a profit, you need to get AND HOLD people's attention.

Value over Features.

Terminal windows and APIs don't really sell. They don't keep the end user in your environment every day, javascript does. If your customers aren't seeing (visually) your daily value in their workflow, they have a hard time articulating it's value. If they have a hard time articulating it's value, you can't up-sell, and if you can't up-sell, you can't make more money. Tools like CIF and SMRT do a TERRIBLE job at reminding you of their value because they lack in things like UIs and metrics. They do their job and get out of the way, which is both good and bad. Their value is articulated in other ways, like decreases in incident counts, which rarely gets its due attention.

In the early days of our open-source threat intel platform we ran into this exact problem. We had  hard time capturing higher level attention and articulating the actual value of the platform. At the time (~2008?) we were simply aggregating, normalizing and pushing out threat feeds to the network. Simple things that didn't change that often; Snort, Bro and various firewalls that would take a CSV file. No matter how many presentations or how much doc we wrote we just couldn't move the the needle when it came to upper management.

It wasn't that they didn't understand the value of federated intelligence sharing, they simply just didn't understand the value of this specific paradigm. They considered themselves somewhat technical [network] folks and tended to make resource priority decisions based on what they understood about a system. They understood networks, and enterprise computing fairly well, but in the mid to late 2000's "threat intel feeds" and the implication of "using those to block threats at the network level" in realtime was a relatively new concept. With that, measuring and articulating those relatively unknown risks was still difficult.

Blocking things wasn't new, but detecting and blocking things in near-realtime was. Most sites required a director-level sign off on any kind of block (these were typically universities with large swaths of v4 and v6 space, students coming and going from various countries around the world). Pitching this type of paradigm shift to sites with a low risk appetite, or sites that simply did not have the resources to implement it proved to be tough with just technical doc, slides and a command line.

Hating Javascript.

From our perspective, we didn't need javascript, we were moving data from feeds into network patterns our gear could use. Javascript would have almost ZERO ROI for us on our shoestring budget, .. or so we thought. After a few years of nerd-frustration, I sat down for all of about 20 minutes and hammered out one of the STUPIDEST pieces of javascript i've ever written. It came in the form of a Firefox plugin and it performed one simple task, it queried our API and rendered the results in a simple ascii based table. IT WASN'T EVEN A SEXY JQUERY TABLE, JUST STRAIGHT UP ASCII.

Less than 20 minutes after I released it, I received a note from a good friend of mine, who happened to also be a CISO: "Hey, so I just installed this and tested it, after 2 years of listening to you talk about CIF, I think I finally get it. Thank you for this!". I was, beside myself. I had been literally running around the world giving technical talks about the technology we were building. Maybe all I needed to do was write a Firefox plugin? To normal humans, this is probably pretty obvious, to most of us backend nerds, it's not. We have a tendency to look at the shiny things in life and think "how is that useful?". The answer: it helps tell YOUR story.

Fast forward 8 years. The industry seems to have taken that lesson and focused on the the part that sells, not the part that protects the network. Just about every single "TIPS" platform I come across solves one problem; getting users into their ecosystem where they can hunt for things in the past. These platforms are designed to FIND breaches, thwarting them seems to be an afterthought, if at-all. I can bring vulnerability data and passive dns data into my view to see that i've been owned, if I figured that out- why can't that logic just go into my network and keep me from getting owned in the first place?

Human-Learned Predictions.

The user experience tells a great story about your product, but those will always change and evolve over time, and for that reason they shouldn't always be the focus. A great man once said; Focus on the things that won't change. Tell a great story, you have to pay the bills, but the focus of your development should be closing the feedback loop with their network environment. It shouldn't  necessarily be on the daily user interactions. Amazon's user experience isn't the greatest, but they put the focus on integrating with my life and then getting out of the way. That's why I pay them stupid amounts of money every year.

If I had to predict what the #threatintel landscape looks like in 10 years, it probably has less to do with humans. It probably has more to do with signals from your customers ecosystem, machine learning and almost nothing to do with a day to day user experience. Also, as the amount of threat intelligence grows, as a means of compression, we will probably start trading #machinelearning models rather than traditional indicators themselves. These models will feed the network infrastructure rather than the humans.

The cost of an FTE's daily attention is always a relatively scarce commodity, which means it's expensive and will continue to be. Over time, the more closely integrated ecosystems will likely survive, those that help me protect MY network, not the ones where I have to hire more humans to link the two. The paradigm will shift much as it did when we first started real-time blocking with threat intel. The majority of FTEs will re-focus to the harder problems as the costs of hunting are commoditized.


Did you learn something new?