
Human Centric Threat Hunting

BSides Boise · 2020 · 30:34 · 54 views · Published 2020-02
About this talk
Russ Syphert explores threat hunting from a human perspective, examining how to identify insider threats by evaluating placement, access, and motivation within organizational hierarchies. Drawing on military intelligence experience, the talk demonstrates how understanding individual behavior and risk factors enables effective detection and response to espionage, sabotage, and social engineering threats in enterprise environments.
Transcript (en)

They walk out right before I even start speaking. At least give me a chance to offend you, come on, guys. All right, so my name is Russ Syphert and I work at Micron in information security, where I run the incident response and the threat intelligence. And I'm gonna talk to you a little bit today about human-centric threat hunting, so what that means and a little bit about how to do it. A couple disclaimers before we get started. So everything I'm going to share with you today is not classified. You can go out there and find it on Wikipedia, you can sift through the internet and find a lot of stuff. So I come from a classified

background, so I'm gonna share some stories, but none of it's secret or anything like that. So don't tweet anything like "this guy's giving all the really cool stuff out there"; that's not gonna happen. This talk originated from more of a discussion-type panel with the IT-ISAC, so I tailored that a little bit. It is mostly geared towards large enterprises that have intellectual property to protect. How many of you out there are working in enterprise information security? Show of hands. Okay. How many of you are consulting to enterprises? Okay, okay, good, good. Students? Can I see a show of hands of students? A couple, okay, right on. We're excited that you're getting into that career field.

In security, it takes a special kind of person, right? Let me tell you a little about myself. So I come from a military background. I started off doing signals intelligence, so analysis of the way people will communicate with each other. From there I got into the cyber realm, and then, I don't know if this is a good thing or a bad thing, but the Army said, hey, you have a personality, maybe an excess of personality, we can do something with that. So then I got on the human side. I've really done full-spectrum operations for intelligence collection and analysis. I got injured, so the Army said, Russ, you're getting kind of old, time to go, and so they separated me for medical

reasons. I got into the contracting world and then ended up at Micron, and I've been there for about a year. One of the best companies that you could ever work for, and I'm not just saying that because my boss is in the audience, right? It really is a great company. So I'm gonna try and hook you guys in with a story, and it's a story with a principle, so it's not just a funny anecdote. So I want you to pay attention to this and see if maybe you've experienced the same thing. So I'm working for this guy, we'll call him John, and he and I are off doing our thing, and we're sitting in a car and

we're driving around, and he says, out of the blue, hey, did I ever tell you about this guy I worked with, Dave? These aren't their real names, obviously, right? So I said, I don't think so. Now John, he was in the Army too, served in the Ranger Regiment, one of them, and Rangers are a little different. They're even more different than, like, Regular Army soldiers, who are kind of different too. So I said, no, I never heard of this guy Dave. So he says, okay, so check this out. And this is how all the Army stories start, right, it's "hey, check this out," and if they're really, really good, they start with "if I hadn't

seen it I wouldn't have believed it," right, with some profanity in there. So he says, okay, check this out. This is John talking, right: I'm working on duty right now, I'm sitting at the desk, and you always have to have a soldier on duty. And he's like, I'm sat at the desk and in comes a lieutenant, and he is just worked up, he's upset, and he says to me, you know what's going on? My soldiers are getting hit with grapefruits. And so I look at it and I'm like, I have no idea, let me check it out, sir, you know, go take five. So the lieutenant goes away, John gets up and he heads upstairs. He's in the

barracks, which is where these soldiers stay, and he heads upstairs to the barracks and he starts to notice junior soldiers, so privates, right. And we're taught, when we were made leaders, to keep privates busy, because if you don't they all get into trouble, right. And I know you see parallels to users, so don't pretend like you don't. So he sees these privates, he's like, what's going on? And he gets upstairs onto the third floor and he sees his buddy Dave poke his head out of the door and then quickly get back in there. So he's like, okay, what's going on? So he gets down to the end of the hall and he goes into the room and

he sees Dave in there, he sees a couple other privates. He says, Dave, dude, what's going on? And Dave's like, I don't know what you're saying, nothing. And just then a radio crackles, right, and there's a voice on this radio and it says, hey man, what's going on, we're adjusting for the next one. So my friend John's like, damn, what is going on? So Dave finally gives in, he says, check this out, this is the coolest thing ever. And so they've got one of these slingshots, right, and these two privates are standing next to a window that they've taken the screen out of, and they've got a box of fruit, and they're taking these

grapefruits and they're putting them in the slingshot, and they're pulling this thing back and they're just letting go. Now at the same time, this engineering company is forming up in a field adjacent to this barracks, right. And so remember when I told you that Rangers are a little different, right? They've gone full tilt on this. So they've got a guy on the roof with binoculars communicating with the radio, and he's telling them where the grapefruits are landing so they can adjust their aim to hit soldiers, right. So my friend John, he's like, I can't believe this is really happening. He goes over to the window, he looks out the window, and sure enough there are these

engineers, and they've got guys on the ground that have been hit by these grapefruits. And so he's like, you guys, get this crap out of here, and he's trying to control himself. So I'm laughing, I'm chuckling, because of course this would happen, right? You couldn't make it up. And he looks at me and he's like, do you know what, Russ, I would have never imagined that something like this could happen, but if I had, it would have been Dave that would think of it and do it. Right, now think to yourself: how many times have I seen something happen, right, and when I see who the user was that did it,

I go, I never would have thought this could happen, but if it was, it would have been him, right, he would have thought of this. Now I tell you the story because I want to illustrate a point. The point is this: every one of you has this ability to kind of size people up, right? Everyone does. And we tend to meet people and be like, okay, that's kind of who this person is, and we get to know a little bit more of who this person is, and maybe keep an eye on them because they might do something crazy or whatever. But we don't know how to articulate that very well. So really what the point is today is to

help you sort of articulate what those things are, help you kind of narrow down those really high-risk users, right, that you want to keep an eye on. So remember this: grapefruits, slingshots, soldiers down, it had to be Dave, right? So most of the time, as threat hunters, we tend to focus on ones and zeros, right? We look at systems, we look at machines for problems, and we look at them for solutions, right? So we're looking for the latest and greatest tool, an algorithm, whatever, to try and solve our problem of insider threats. And the thing is that behind every one of those threats is, you know, a Dennis Nedry from Jurassic Park, and if you don't know that

reference, you're either very young or I'm very old. So if we take that approach, we say, okay, it's a human that's interfacing with the system, it's a human that's setting up a system or configuring a system, let me just sort of think about humans more in terms of risk rather than systems, right? And I just want you to kind of start making that shift. We're going to talk today about PAM. Now, when we're talking about humans, that's a three-hour discussion. I was told a couple things by my friends on the BSides staff, and that was, you've got a much shorter amount of time, and be entertaining, right, and keep things

concise. So we're only going to focus on this one little piece. If you want to talk more about some of those other pieces, I'm happy to point you in the right direction. But we're going to talk today about PAM, and no, none of those Pams; this is an acronym, because that's what we love in the military, we love acronyms. And so it's about placement, access, and motivation, right? Thanks.

So when we are looking at users, individuals, as a potential risk, we want to evaluate these three things in order to effectively gauge what the risk is of that person, right? Whether that is just a careless user or an admin, or if it's actually someone trying to conduct industrial espionage or trying to steal stuff, or if it's someone who's potentially going to sabotage the system. So when we talk about placement, we're talking about where people sit in an organizational hierarchy, right? So do they have the ability to make changes or to influence things because of their position, right? So that's something we're gonna have to take into account. And then, or do they have influence that they can

wield because of that placement? That's kind of what we're looking at. As far as access goes, this is kind of your typical sysadmins, right? They may not be very high up in the organizational chart, but they have a lot of access, and they could do a lot on a network or on a system, and so that's something that we have to take into account if we start evaluating them as a risk. The third thing, and probably the most interesting, is the motivation of the individual. You know, we're kind of looking at all of the standard... so in the military, right, you get these briefs all the time about how to spot someone

who's, you know, an espionage agent, right, or who's been compromised and flipped and is giving information to the enemy, right. And they talk a lot about these things, right: are they suddenly affluent, are they spouting off, you know, about their ideology all the time, very vocal about it, you know, do they have girlfriends all over the place, right, or boyfriends, or whatever that looks like. And so those are the typical motivating factors that cause people to commit espionage, right, and it's those same motivating factors that can cause them to become a threat on the inside, right. It's the same thing across the board, even though they might be very different activities, right. So someone

who, let's say, would steal secrets and sell them to a foreign country while serving in a cleared capacity for the United States government, or any government for that matter: something's going to trigger them in their life that's going to cause them to be sufficiently motivated to take that risk and to conduct that type of behavior, activity. Conversely, what is the trigger for someone inside of our networks that would cause them to be willing to commit an act of sabotage, right, to take down a network, or to put in malicious code, or to enable some piece of malware? There's going to be something that happens. And so if we have a good baseline of, you know, who these people

are, and, you know, for the ones that are the higher risk, what makes them tick, then that's going to enable us to more effectively prepare for a triggering event, right? And when that event happens, when they get triggered, we can then respond in a way that's appropriate in order to either protect our intellectual property, or to protect our systems, or to protect people. Okay, is this making sense? Can I get a north-south, or a "Russ, you're way off base"? Okay, right on, thank you. So finally, once we've identified these people, we have to decide what to do next, right? And this is going to be dependent on you, your organization, your teams, whatever the appetite is, or what you

decide that you want to do next. And that could be anything from simple monitoring to, you know, gathering evidence to turn over to law enforcement. That's a decision that you'll have to make with your respective leadership and in your organizations, and, you know, there isn't one right answer for that. It's what is right for that situation or what is right for that individual. And it's really important that you start thinking about these things at the time that you begin the assessments, right, and know what the steps are that we're going to take in order to prepare for these eventualities. Does this make sense? Okay. Wow, I really blazed through that one. Okay, that's it in a

nutshell: PAM, placement, access, motivation. Take a look: what you're really looking for is that sweet spot, right, where all three of those things converge. If you look at it like a Venn diagram, there'll be a very small interchange, and that's the people that you want to keep the eye on the most. Okay, so we've got about 15 minutes, let's open up for questions. I love discussion and telling stories, so fire away. Yes, sir.

So, social engineering. So the question is, could we use similar techniques to identify individuals who are at risk, who are susceptible to social engineering or sort of external phishing-type attacks? And the answer is absolutely, for social engineering, right, because what really is social engineering? That's what spies do to convince people to spy, right. And so when we start talking about it from a criminality perspective, that's really people taking those same skills but applying them for a different outcome, right. So yes, you could do that. That might even lead to a discussion on, you know, maybe we produce, as an organization, some trainings to help bolster up those defenses, maybe, right. So something along those lines, or we can

maybe put a closer watch on those individuals because they are susceptible. You got to understand that criminals are thinking all the time about people, right? Systems might be vulnerable, but really they're looking at what's my gain, what do I get out of this, right? And so if I can compromise a person and that person can get me onto that network faster to get the data that I want, that's the path of least resistance, right, or I would think so. Yes, great question. Yes, sir.

Okay, so the question is... I'm very sick, so I want to make sure I got it right. So the question is, how much of that do we get from

That's the question. So the question is, how much of this is from learned activity, breaks-of-pattern analysis, and then we figure it out, versus hiring someone to come in who actually does it better? Is that right? That's a great question, and the answer is 50/50. There are a lot of people who have talked about this kind of stuff, maybe not applying it to the cyber domain, mostly looking at it in terms of, like, a physical security issue; however, the principles are the same, really. Okay, so all I'm doing here is extracting these principles that human handlers would use, and saying, how can we then take the same principles and apply them over here in the cyber

domain, right? So do they carry over? I think we could all agree, if I can see some nods, right, that they do, because users are kind of people too, and they make the same decisions with those same motivations. It will really help if you bring in people who have done it before. You could say, you know, well, okay, how do we... a good example from my life, right, where we wanted to use someone to obtain some very specific type of data. We looked him up online, and every picture we saw of him, he kept stepping out to the front and he would always be in front of everyone. Even in big huge groups he would do

something to draw attention to himself. So if I were to approach this person, my approach might be, you're obviously an expert in your field, can you help us figure this out, because you're an expert, we've recognized sort of the superiority of your intellect, you know, those kinds of things, and it works all the time. So I would say, if you can find someone... if you're in an enterprise and looking to start carving up your users, it would probably behoove you to find someone that's done that, tested it maybe. Okay, this question, that's a good one.

Yeah, so that very large chip manufacturer that you mentioned...

Maybe some of these processes... probably not in this video. It was on the news, that's the only reason I'm alright right now, that it was in the news, but those are ongoing cases. I'm always going to kind of come back to your users. Regardless of what the problem is, people are going to be at the center of those kinds of issues, right, because people are the ones who make decisions. People are the ones that click on a link from a phish, right. People are the ones that will sit down in the bar and start complaining about work to someone they don't even know, or, my favorite, on a plane, right. They sit down on a plane and

you ask a seemingly benign question and they will tell you their whole life story, all about their work, everyone they have an issue with, how those bad decisions are screwing everything up. They'll do it all, you know, just listen. It's really like... so yeah, and that's why I tend to look at it from that perspective, right, is people will go there almost every time unless they've been trained, right. Okay, good question, I appreciate it. Next question. You guys talking it over here? Yeah, shoot.

That's probably not something I'm going to talk about in this forum, especially not with my boss right there. What I will say is that we take the intellectual property and the security of that very seriously, and we take steps to safeguard it, and we've been very fortunate to have a lot of support from very senior leadership there, who are very cognizant and aware of the risk that it poses. So, you know, we're always looking for the very best talent, we're always looking for the very best solutions, technical solutions, and we're always open to new ideas. So, you know, that's really... you know, I just answered the question.

So as far as specific tools, solutions, manning, I'm not going to comment on any of those types of things. Like I said, we're always open to new ideas, and we're always looking for the very best talent. Maybe to put it in a more generic sense: how much do you have to take the culture into account, right? Because, I mean, here's a better way to look at it. So academia versus industry, right? Academia is really built on the free exchange, the free flow, of information, right. Sort of, you know, people in that environment are going to expect a lot more freedom and ability to interchange with their peers on the types of things they're working on, whereas in industry, where

they're looking at specific manufacturing, specific processes and techniques and materials that you would use to build a product, well, that's very much the secret sauce, as it were, right, or the recipe for Coke. Their whole brand is built on the protection of that intellectual property. And so when we as security professionals start looking at that and how best we can address some of those issues, we have to take those things into account, right? So if, you know, it's a person that comes from academia, maybe it's some additional training that needs to occur. If it's someone from a more open, you know, region of the world where they don't particularly think of, like... privacy is a good example, right. So

if you're having to look at the privacy regulations there, we have to take very specific steps as part of your program and pay very close attention to those things. And I think that when we make those priorities, we're more effective at protecting our information. Other questions? Yes, sir, in the back.

I appreciate that. Okay, so the question is, what do we do if we identify someone from a predictive analysis perspective, right? So we've predicted that this person is susceptible to committing one of these acts, and the answer is... so I spent most of my time around NSA in the military, right, and at the NSA you're always gonna hear, "well, it depends." We'd say, well, can you, you know, do we want to go after this? Well, it depends. And the answer is, it depends. You need to have a discussion with Bob's manager and, you know, leadership, and kind of decide if the risk is worth it, because sometimes it is. And then it's up to you as a security

guy to figure out how to mitigate the risk, or how to put the tools in place to prevent, you know, the eventualities of that encounter. And that's, you know, it's going to be situationally dependent. Does that answer your question? I know it's not a clear-cut, you know, one-zero answer, and that's what we love, for everything to be like one or zero, which one is it? But it isn't a one-zero solution. It's going to have to be what works right for you, what's right for the company, what's right for Bob, because he hasn't done anything wrong yet, and, you know, we believe that you punish people after the crime, not before, right.

So the question is, at what part of the hiring process does the security team become involved? So from a generic standpoint, that's going to be a question that your security team needs to discuss with HR. I think that, as we're talking here, as we're looking at PAM as a concern, there's definitely an argument to be made to bring the security team into that conversation pretty early. Again, it depends on what the appetite is with Human Resources to involve you in that discussion. Certainly it would be prudent to look at very sensitive positions and maybe have that discussion earlier in the recruiting process rather than after the fact, but with each company it's just going to sort

of depend. Okay, does that answer the question? My counsel is, you know, really, especially if you're in an enterprise, work at building up good relationships and partnerships across the enterprise, right? You want security to be everyone's friend, not the person who's always getting in the way, right? So how well you're able to manage those relationships is going to determine just what kind of an impact your organization is going to be able to make on that business, right. I see someone shaking his head yes, appreciate that. Yes, sir.

Thanks. Okay, we're about out of time. Have we got one more question? No? This doesn't affect your chances to win the raffle, although I wish it did, because then we'd probably get a plethora of questions. All right, guys, thanks so much for your time, your attention, really appreciate it, especially thanks for the questions. I'm much more of a discussion-type person than a lecturer, so thanks for coming out today and being a part of the security community, Boise right now. Thanks, guys. [Applause]