Navigating the Cloud Journey

Episode 13: Meet Jeremy Brown, a Threat Hunter

August 17, 2022 Jim Mandelbaum Episode 13
Episode 13: Meet Jeremy Brown, a Threat Hunter
Navigating the Cloud Journey
More Info
Navigating the Cloud Journey
Episode 13: Meet Jeremy Brown, a Threat Hunter
Aug 17, 2022 Episode 13
Jim Mandelbaum

Jeremy is a real White Hat who has lived in the weeds of the cyber security industry for over a decade. In this episode he shares his experiences, best practices, and industry recommendations for all  the threat hunters and defenders who are on the front lines of protecting  networks.

Listen to other Navigating the Cloud Journey episodes here.

Show Notes Transcript Chapter Markers

Jeremy is a real White Hat who has lived in the weeds of the cyber security industry for over a decade. In this episode he shares his experiences, best practices, and industry recommendations for all  the threat hunters and defenders who are on the front lines of protecting  networks.

Listen to other Navigating the Cloud Journey episodes here.

Jim: Hey everybody, Jim Mandelbaum here again with another Navigating the Cloud Journey podcast. We've got a really fun one today. I've got Jeremy Brown and I got to get your title, VP of Threat Analysis at Trinity Cyber. He's what we call folks a real White Hat. And first Jeremy, thank you for using your intelligence for good and not evil.

Jeremy: Oh, absolutely. Yeah. Honored to be here. Thanks for inviting me. 

Jim: So, your, what we call this purple teams guy and I love this because you hear about people talking about red team and blue team. What in the world is purple team? 

Jeremy: Yeah, to me and the team that I've built, we're not pen testers and purple team per se, but we have to incorporate elements of blue team, so defensive, and many of us understand and have been red teamers and offensive people in previous parts of our careers. So purple team is really combining both of those and learning how to further your strategy with that. So, whatever that means for you.

[00:01:05] Important threat hunting acronyms and technologies: IOC, IDA, IPS

Jim: Okay. I want to start out playing acronym bingo. And everybody that follows this podcast knows how much I love acronyms. So, I want to level that because I want to make sure that we understand, you know, we have some folks on here making this cloud journey. They're not security folks, right? So, they don't know when you talk about an IOC, and even the difference between IDs and IPS. So maybe you can kind of help some people in that space. 

Jeremy: Yeah, absolutely. I'll start with IOCs. I go back and forth on these some days they're the bane of my existence and other days, you know, they help with hunting and other things like that. And IOC stands for an Indicator of Compromise. You can think of these as three simple categories of things. These are domains, their IP addresses, and their malware hashes. And so, what they really mean are sort of post-compromise activity or things that you can see after the fact. And what they've really turned into is a way to sort of automate some parts of defense. So that's what they are, they're lists of, of good and bad things, if you will.

Jim: So, ways to know that you're in bad shape.

The one thing I want to do, because I want to get kind of into it is the difference between IDS and IPS.

Jeremy: Oh yeah. An awesome one. So, I, I never know what people's level of understanding of these two concepts are, but there's, there's nuance that's actually really fundamental. So, IDS stands for Intrusion Detection System. And this is what you think of when you think of passively monitoring a network and capturing traffic and then understanding things about it. So, these are your Snort and your Suricata and your open-source IDs, Bro and Zeek. These are the types of things you start to think when IDS comes up.

IPS is simply when you switch that over to prevention mode and prevention can mean a lot of things, but it's actually doing something about it when an initial signature hits. That may be blocking an IP that may be blocking some Indicator of Compromise, or that gets all the way down into understanding the content of what's inside network sessions and files. So IPS is the prevention and IDS is really just the protection. 

Jim: And I am going to circle back on that IPS piece because you know, what you specialize in. I want to come back to that. What you guys do is really cool. And I want to hold that till later, 'cause I think it's really cool. 

[00:03:24] In the Cloud, going "Beyond the Packet" and network session level visibility

Jim: But one of the things that I've heard you say is, is that as a defender and people go, what, how does this relate to cloud? Well, it's still, there's still packets moving, and the hybrid and bad guys are trying to leverage that to get from the cloud to on-prem or vice versa. But you've always said that you need to go "beyond the packet". What does that mean? 

Jeremy: Yes. I like to use a, an analogy. It starts sort of simple. If we think about reading a book and you're really trying to understand the story that's in front of you. You, you really won't do that if you're reading word by word until you get to the end of the book. Well, a session versus a packet. So, packet is the word in the book. And a session is like, if you understood the entire story at the end, it's a lot more powerful if you're trying to get the context of what that story is about. So, if we take that analogy and we move it to the network, whether you're on-prem or whether you're in the cloud, you are going to get a lot more context and fidelity out of being at a session level. So that means you take all of those packets and you put them together and you understand what happened in the network session. So that could mean something like understanding the whole content of a web request with a webpage in it that maybe had malware on it. That could mean the difference between missing an exploit and catching it.

And a lot of times when I think about packet-based intrusion detection systems or IPS systems, I am thinking about a system that's from 10 or 15 years ago. And so, the industry at whole is evolving towards a session based. And I would say in your journey to the cloud in terms of network defense, you really have to insist on being session-based and having technologies that support that. 

[00:05:04] "Complete" Security & Network defense

Jim: I like that idea, and I'm going to throw another thing that I've heard you say. And that is the need for, and, and I love how you said real security and network defense. When you say real and I'm sitting there and I'm a security guy, I'm like, well, aren't I real, what does that mean? 

Jeremy: Yeah, real maybe I like it because it gets people's attention, but maybe the better way to categorize it "complete". You want complete security. And when you talk about network defense, the real or the complete is having the entire picture in front of you. So, it goes all the way from visibility to prevention. If I know exactly what that network session that came in on, you know, last Tuesday had inside of it. And I can find that there was malware or prevent malware or an exploit or something like that, I am as a defender, a lot more capable than if I missed it or something like that. So, the real security piece is combining not only full session, but actually being able to prevent it. 

Unfortunately, it doesn't always mean what defenders and CISOs and security teams think. It means quite often the people will use that word synonymously with, I found something after the fact, and I alerted you about it. Which I really think we need to get out of that habit. If you prevent something, you prevented it from reaching somebody.

Jim: Yeah, I agree with you. I think that most security teams are about I recognize, I found it therefore I'm giving you something that you can now go remediate it. Versus I found it and I stopped it. And I think that's a really hard concept, but I think that. Well, I'm going to put it this way. I love the concept of saying I stopped it, but we all know that you know, based on statistics, how many millions of head count short are we in the security industry right? And we have not only a staffing shortage, but we have burnout. We have people with, you know, with alert, fatigue. It's just not enough people to staff cyber. 

[00:07:04] Managed Service, Guided Service, Guided SaaS can help your security posture in the Cloud

Jim: So, what do you say for people that are saying, look, I need to move to the cloud. And one of my whole points is I have a security problem. I have staffing, so I need to kind of move it to the cloud so I can offload some of that. What, what are your thoughts there? 

Jeremy: Yeah, I think that's exactly what moving to the cloud is for in its purest intent. Is that you are starting to move towards a managed service or a guided service type of platform.

And that makes sense for a lot of people. I mean, whether you're a security company or whether you're a bank or whether you're somebody who's making that journey, we're all struggling to find qualified candidates. And quite often what happens is those candidates will go work for the company where they can have the most impact, which means managed security companies, guided security companies. They tend to be able to have impact and prevention and work their magic on a lot of people at once rather than just one. So, you're going to struggle to hire people. I would say that it's really not over for you. It's just thinking about moving in your cloud journey towards trusting professionals on the gaps that you have.

And that doesn't mean that you have to have everything become a managed service. It just means you really need to carefully think about what you want to evolve into a managed service. 

Jim: Yeah. I think you also touched on something else that I'm a fan of, which is the guided SaaS. And I think that there's value there because what that means is I'm not just saying, here you go handle it. Instead, what I'm saying is, is that I still want to run my security, but I want to have resources available that are going to be able to help me when I need it and educate my team. It's like, you know, teaching a man to fish versus saying, here's your fish. And I think that, to me, I'm a fan of guided SaaS. But one of the things when we talk about this whole concept of, of SaaS services, we're really talking and you brought up with Zeek and Bro, we're really talking about looking at the packets and the sessions. Let's go back two yours, I want to look at the sessions and I want to look at the sessions data in motion, which is again, ultimate source of truth. 

[00:09:08] NDR on-prem and in the Cloud, the future

Jim: But when I start looking at the concept of on prem traffic and I start looking at cloud traffic and so network detection and response is what we're talking about here. What's really the difference between on-prem and cloud? 

Jeremy: Yeah. So, I think it depends on how do you define in NDR and so the market is sort of defined NDR as an offering where you expect talented professionals to take a look at the logs of your security devices. And so, what that means today is that we are constantly after the fact, right? It's a detection and response loop. What NDR needs to be in the future is blending in a sort of a managed prevention. And that can happen from a lot of companies, but you can have that, whether you're on-prem or in the cloud by allowing somebody to have access or a talented team to have access in secure ways to certain devices.

And we've seen many vendors that offer this solution because what it really does is helps you make your journey to the cloud not all at once. You can get comfortable with a team that helps you. You can get comfortable with the expertise level. And it becomes less about you learning, how to configure that next device and more about you learning how to collaborate with something like a really talented operational team or a talented analyst team.

And I think that collaboration is really more important. Let's have a conversation about what we want done. Let's have the conversation about the things that we're scared about at night, and let's have a conversation about how we can make those things go away together. 

Jim: Yeah. And, and that really does kind of correlate to what we were talking about with that guided versus a straight managed SaaS. And I agree with that completely. You did say the word logs though, and I want to make sure we set the straight that we are actually talking about the packets and the full sessions and not log data, because we know that logs are simply going to be well, number one, you know, first thing I'm going to do as a bad guy, as I'm going to go turn down the logging level, and then I'm going to erace the tracks that I was never there. You can't do that with packets because packets are packets. They're going to be there and we're getting them in real time. 

So, one of the things that is kind of a futuristic thought. So, a lot of companies that are making this journey is they're really in preventative mode, right? They're trying to stop it from happening. But as they evolve. And I always say, even companies that are still in that, that mode preventative, needs to set aside time to hunt. Even if it's an hour a day or a few hours a week, I want to go data mine and I want to hunt. And I know a lot of people say, I can barely keep up. Well, if you want to keep your analysts happy, let them hunt.

[00:11:56] Hunting for Threats - Best Practices

Jim: What are some techniques for people that are starting to hunt?

Jeremy: Yeah, and I teach this to my team too. The best thing you can do when you're starting out hunting is understanding the tools that are infront of you. So that's number one. And it sounds really common sense, but I have, I can't tell you the amount of times I've walked into a security operations team, and there are people who know about certain tools and use certain tools and other people who use others. That really brings up a point that analysts who hunt successfully need a federated point where all their tools like a single pane of glass where all their tools are. They need training on what they are and what functions they cover.

And then once you sort of set that, that baseline, it's really important to know how to take a piece of data and pivot. And so that can mean different things for different people. Sometimes you can take one of those Indicators of Compromise, like I spoke before, and you can take and go pivot through a system that might capture network traffic or pcap files.

And you can say, I want to know where on the internet was this IP address talking to. And start digging in through there. Sometimes it gets more technical. This is where context comes in. I may have a system that allows me to let's say pull files out of network traffic and send them to places to do certain things. I'm going to want to start asking and tasking my analysts to hunt inside of files and start finding interesting things, exploits, metadata, stuff like that. So, I'd say it really starts with the tools and federating them into one place. It starts with teaching people the mindset of being able to pivot off of pretty much arbitrary data. And then really making those analyst connections. We've heard this analogy before that sort of defenders think in and attackers think in graphs. And I do really, really think that that is quite true. When you think about putting connections together, you kind of need to think about putting them together in a graph. Well, you really need to connect the data points.

So, if you saw this IP talking to two something here, and then a month later, you saw it talking to another thing at the exact same time. Well, you should start to sort of put that together in a mental graph.

Jim: I like that. I talked about the concept that we really need to let people hunt, but I also think something that's missing is we get people that are smart enough to know how to start hunting or smart enough to hunt. We need to make sure that we start training the next hunters and we need to make sure that our level one analyst gets that time to hunt. Whether they really know what they're doing or not, that's okay. Teach them. You know, teach a man to fish kind of concept. And, if you're using a guided SaaS, let the guided SaaS company guide you and get you to that point and that's value in guided SaaS. I think people neglect to understand that the partnership there and you guys obviously do that in your place. So, I think that's a typical thing and a guided SaaS. 

[00:14:46] SASE - Secure access service edge

Jim: Now I'm just going to leave this for you to kind of talk about and we hear a lot about secure edge. I'm going to let you go with that. 'Cause I know that's something you talked a lot about. 

Jeremy: Yeah. I mean the secure edge is, you know, in my opinion, it's a, it's a market that's learning where it's going to be in the next two to five years. We see a lot of different capabilities being wrapped up. We see an evolution from perhaps the SASE market into whatever secure edge is going to turn into. I like to think of it quite simply .... 

Jim: You used an acronym. You used an acronym. It can throw an acronym without explaining it. 

Jeremy: Sure. Yeah. SASE. SASE is a conglomeration of a lot of different technology. There are policies like CASB (Cloud Access Security Broker), there's policies around what things in the cloud can talk to each other. There are secure firewalls, there's web application firewalls that protect your public facing websites. There's secure web gateways that do roughly the same thing. There are policy-based controls on these firewalls that let certain people get to certain places at certain times of day. And so, SASE really represents the conglomeration of all of those things, but then also tied back to somebody who is installing an end point agent on their computer quite typically that links their identity to that that sort of secure edge or wherever their traffic is going. 

Jim: Yeah. It's a lot more than just straight DLP, which I think a lot of people... 

Jeremy: It's a lot more. 

Jim: And again, I threw an acronym, Data Loss Prevention.

[00:16:18] Putting defenders "in the middle"

Jim: So, another thing that, that this is where I'm going to give you a chance to do a little selfish plug. And you talk about putting defenders in the middle. 

Jeremy: Yes! Yeah. Yeah, one of my favorite things. I like to think like this, because it's what my company does, but it really, really is a mindset. Let's think about putting our best foot forward and our best technology between anybody on the internet. So, a corporate network and the internet or remote worker and the internet. What would you do if you had the ability to pull apart a full network session, like to its, you know, it's DNA basicly? And to understand that inside of that may be a one-to-many files and to parse those files out very quickly. Like, what would you do if you had this entire story in front of you and how would that change how you think about network defense today?

That defensive mindset in the middle. It doesn't really matter what tech you use or what vendor you use. It actually matters that you insist that all of your traffic, whether you're connecting to a SASE or SOC solution, whether you're sitting in a corporate office, you insist that all of your traffic is treated in such a way where there are human eyes and defenders in the loop and where those defenders are enabled to see the most possible context they can from that traffic.

I think the EDR industry a little bit here, because they really like, sort of, pioneered that extreme forensic look into things that I think network defenders really needed the past 10 to 15 years. 

Jim: Endpoint detection and response continue.

Jeremy: Yup. EDR simply just the monitoring of processes and software executions on an actual computer. 

Jim: Yep. They pioneered it, continue. 

Jeremy: They pioneered it, they did a fantastic job. And I think that that sort of mindset about not really stopping until you find where the thread is, is where the network defense industry needs to head, and it is where, you know, a lot of technologies are evolving. And that's what excites me at the end of the day. My team are defenders in the middle. And we do really, really interesting things when we find malicious techniques and now we're in exploits and stuff like that. And because we insisted that we're there.

Jim: Yeah. And that's really important. I think people don't understand. It doesn't matter whether we're talking on prem or we're talking cloud. And I think it's something that, you know, as you start making that journey, whether we're talking private cloud, where we're inspecting traffic for east-west within that private cloud virtual environment. Or we're dealing with public cloud, which means I'm going to look not only for, ingress/egress, but also east-west. We need to be able to see that traffic as you put it, not only as traffic, but it's being able to sessionize it. And giving the defenders the ability to see it in real time. Getting the ability to see it as it's happening so that even if it is that I need to mitigate it, but I need to be able to understand what happened, how it happened, so that the next time it won't happen.

I mean, ultimately, there's the rule that, and we've all heard this, " I have to be right every time, but the bad guys only have to be right once". Right? And so that rule, we've heard a million times. And to your point, you've gotta be a defender in the middle. I mean your entire design needs to talk about giving your people a chance.

So, we're almost out of time. Is there anything that you wanted to bring up that I haven't asked you on this? Is there any things you want to throw out there? 

[00:19:50] Final Thoughts: Digging deep into traffic

Jeremy: Yeah, parting shots is sort of a call to action for the technology and the network defense industry. We can do a lot better.

 I think we really have to insist on thinking about faster performance at higher network rates. Being able to actually parse files in line and then being able to do something about it. I'm always going to take that stance because it works. I think a lot of people gave up on that a while ago because it was hard or because they didn't have the technology to do it, or because they didn't have the innovation. 

We are all a smart group of folks. Everybody knows that this is an attainable goal. And if we can put a little bit more preventative balance in the mix and not just rely on Indicators of Compromise and blocking and alerting, I think we're going to be in a much, much better place. So that's the final shot across the bow from me. Let's do a bit better with our tech. 

Jim: Absolutely agree a hundred percent. 

Well, I want to thank you for being my guest today. Folks, if you have any questions, we welcome you to reach out to myself or to Jeremy directly. And I want to thank you all and please remember to click subscribe and join us for the next one. 

Thank you everybody. And have a great day.

Jim's LinkedIn
Jeremy's LinkedIn
Jeremey's Twitter
Security Group in the Gigamon Community
Hybrid/Public Cloud Group in the Gigamon Community

Important threat hunting acronyms and technologies: IOC, IDA, IPS
In the Cloud, going "Beyond the Packet", and network session level visibility
"Complete" Security & Network defense
Managed Service, Guided Service, and Guided SaaS can help your security posture in the Cloud
The future of NDR: On-prem and in the Cloud
Hunting for Threats - Best Practices
SASE - Secure access service edge
Putting defenders "in the middle"
Final Thoughts: Digging deep into traffic