IBM Security
It's not every day you hear stories from a threat hunter about how he uncovered multiple nation-state attacks. Maybe that's what made our February 3rd virtual event so appealing. Nearly 300 viewers (and counting) tuned in to listen to Neil Wyler (a.k.a. "Grifter" in hacker circles) share real-world stories about how he uncovered nation-state attackers exfiltrating data from global companies.
Grifter is a seasoned presenter (he has led talks at top cybersecurity conferences such as Black Hat and DEF CON) with stories that "wow" an audience. To set the stage, he opened the webinar with an explanation of threat hunting, emphasizing that it is a human-driven exercise, one that is proactive, not reactive. Threat hunters look for evidence and artifacts. They focus on how attackers conduct business and the strategies they use to hide inside an organization. The goal is to reduce attacker dwell time and, as a result, minimize the impact of a compromise. One statistic that stood out during Grifter's presentation was that the longest he had spotted an attacker lurking in a client's environment was SEVEN YEARS.
Threat hunting can also help organizations gain a better understanding of their own environment. Hunters find process and control flaws such as legacy, outdated systems and misconfigurations, all of which are enablers of a compromise. The first step for attackers is learning everything they can about their target's environment, which is why security teams and hunters should do the same.
Grifter then transitioned into real-life stories. He talked about how he uncovered nation-state attackers exfiltrating high-value financial data from a large bank every morning at 1 a.m. for six months. The bank had detection controls such as user behavior analytics in place; however, they were deployed while the attacker was already inside. As a result, the attacker's activity became part of the "normal behavior" baseline for the environment. Grifter also discussed how he found attackers in China subtly exfiltrating small amounts of data from a government agency. The culprit was an overlooked, vulnerable web server that sat in a corner. He even included a story about an engagement where he didn't find an attacker inside, although he did discover the company had next to zero internal security controls. The company assumed it could trust everyone on the inside, like one big, happy family, and that only those on the outside shouldn't be trusted. Once Grifter came in and explained the potential damage an attacker could do from inside, the company clamped down on its internal security controls.
The stories don't disappoint. If you missed the event, you can watch the recording by visiting the registration link. Or, if you want a private one-on-one with Grifter where he can share stories and answer questions in an open discussion with just your team, we are happy to set it up. Please contact your IBM representative.