A threat hunting pioneer discusses evolution of cyber security
AI is just latest twist in an ongoing battle
Back in the 1990s, cyber threats were really just beginning to emerge as a problem for companies, and an intrepid group set out to track down and understand the nuance behind these threats. In those days it was more likely the proverbial pimply-faced kid in his parents’ basement leading the attack. Today, it’s much more likely to be nation states and organized crime groups, but the skills learned in those early days around tracking vulnerabilities still apply, even as the threat landscape has grown increasingly sophisticated.
Charles Henderson, executive vice president of cyber security services at Coalfire, a security advisory based in Austin, Texas, has seen the industry transform over his long career. He began as a white hat hacker/threat hunter back in those early days, and he has spent his entire career working to help companies, governments, law enforcement and others see their weaknesses and build more secure environments.
Finding vulnerabilities before they can be exploited is a big part of keeping a company safe (to the extent that’s possible) and threat hunters spend their days trying to find holes before the bad guys do. Henderson says in those early days, there wasn’t a lot of information out there and they had to find exploits on their own.
“You would almost do vulnerability research as independent study because back then there wasn't really an industry, per se. We were doing vulnerability research because it was fun, and it was kind of cool to find vulnerabilities,” he told FastForward.
Even today, Henderson sees himself as a hacker. “I self-identify as a hacker, and that doesn't mean I'm a criminal. That means that I'm thinking in a different way than a lot of people [about how to keep a company secure],” Henderson said in an August appearance on DisruptTV.
If you look at the group of people he was doing that research with back in those early days, many of those folks have become cornerstones of the cyber security and penetration testing profession. “If you look at the alumni roster of those early participants or those early groups, they're really the movers and shakers of our industry today,” he said. A lot of those same people went on to become company founders and executives. “We certainly didn't see it that way at the time. It was curiosity before it was a career,” Henderson said.
It’s much more complicated now
In the early days, it was a lot simpler to write an exploit than it is today, and the adversaries weren’t nearly as sophisticated. “Back in the day, it was kind of the Stone Age. Back then, the bad guys would find a vulnerability, write an exploit, use the exploit, and they were in,” Henderson said. “You know, not only are environments far more complex than they once were, but attack techniques are way more complex, vulnerabilities are way more complex, threat actors are way more complex. I mean, in 1996, your average threat actor was a disgruntled teenager.”
Over time those exploits evolved into a criminal enterprise, and that’s why it became increasingly essential for companies to understand their security posture. “First, you had individual threat actors that were operating in a business model, and then organized crime got involved. And that's where over time, you started to see TTPs (tactics, techniques and procedures) move towards what organized crime does best: extortion,” he said.
He said that once criminals learned they could get money by locking a company out of its own computer systems and requiring payment to unlock them, they didn’t look back. This was in stark contrast to the early days when the idea was to find a valuable data store like credit card numbers or bank account numbers.
Ransomware also widened the attack surface, making it easier to get paid, and criminals flocked to it. Not only that, companies that hadn’t been targets for previous attacks, and therefore hadn’t built up strict cyber security protocols because they hadn’t needed to, were softer targets for hackers to exploit, at least at first.
Who will win the AI battle?
Today, we are adding AI to the equation, making it easier for bad actors to find vulnerabilities, but also making it easier for the CISO and the threat hunting team to react more quickly. So who wins in this ongoing battle? Henderson thinks it’s ultimately going to be a wash.
AI will help cyber security teams sift through the mountains of unstructured data faster to find vulnerabilities and to detect breaches, but at the same time, the cyber criminals also have lots of data, and it will help them understand the loads of unstructured data that they’re sitting on.
“Imagine if you can get AI to go through all that [ill-gotten] data, and either reset credentials, do credential stuffing, or do better credential extrapolation,” he said. That’s where it gets trickier for cyber security teams, and it doesn’t stop there. AI could also help design more sophisticated attacks.
“I think the arms race of AI is how are we going to do using AI for detection versus how are we going to do using AI for correlation of attacks,” he said. As this plays out, each side will continue to fight for the advantage.
But it always comes back to finding the vulnerabilities before your adversaries do, just like back in the day. Henderson says his company is working to bring that same hacker mindset he had when he was starting out to every company because, as he says: “It is so much better when your faults are found by somebody on the payroll.”
Photo by Ecole polytechnique. Used under CC BY-SA 2.0 license.