05
Threat Defiance Report

A Bold Approach To Cyber Security

root9B, a Colorado based cybersecurity firm, has devised a novel and bold countermeasure to cyber attackers. Called the HUNT technique, it monitors a client’s system from the inside following any adversary that breaks in. It proceeds undetected and sees what the attacker sees and can identify what the adversary is looking for. Root9B CEO Eric Hipkins claims they can expel the attacker before anything is stolen. This may change cyber warfare giving the defender the advantage that has eluded him for some time.

According to a recent study by software security firm Symantec, more than 430 million new unique pieces of malware were discovered in 2015, up 36 percent from the year before. Perhaps what is most remarkable is that these numbers no longer surprise us. As real life and online become indistinguishable from each other, cybercrime has become a part of our daily lives. Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.

At the close of 2015, the world experienced the largest data breach ever publicly reported. An astounding 191 million records were exposed. It may have been the largest megabreach, but it wasn’t alone. In 2015, a record-setting total of nine mega-breaches were reported. (A mega-breach is defined as a breach of more than 10 million records.) The total reported number of exposed identities jumped 23 percent to 429 million. But this number hides a bigger story. In 2015, more and more companies chose not to reveal the full extent of the breaches they experienced. Companies choosing not to report the number of records lost increased by 85 percent. A conservative estimate by Symantec of those unreported breaches pushes the real number of records lost to more than half a billion. The fact that companies are increasingly choosing to hold back critical details after a breach is a disturbing trend. Transparency is critical to security. While numerous data sharing initiatives are underway in the security industry, helping all of us improve our security products and postures, some of this data is getting harder to collect.

U.S. companies are currently experiencing annual losses of more than $525 million due to cybercrime with the majority of these losses stemming from malicious code and denial of service attacks. And the extent of cyber-attacks is not confined to companies. The list of high profile CEOs whose accounts have been compromised this year is long. Mark Zuckerberg’s Twitter and Pinterest accounts have been hacked, apparently due to a LinkedIn password leak 5 years ago. Additionally, the Twitter accounts of Google’s CEO Sundar Pichai and Brendan Iribe, co-founder of Oculus VR, have been compromised. The latest addition to this list is Jack Dorsey, the CEO of Twitter himself. Most of those attacks were no straight forward brute force attacks, but were executed indirectly. In Pichai’s case, tweets were sent via an old Quora account that apparently had been linked to Twitter. It seems like in Dorsey’s case, tweets were sent via Vine.

According to root9B, a cyber security startup in Colorado Springs, CO, a hacker who infiltrated a computer network would typically operate unnoticed for 229 days on the inside, stealing data and spying. It is like a burglar breaking into your home and living there for over seven months before being detected.
The current conventional approach of building an automated digital wall to prevent attackers from breaching one’s system clearly is not working. This may explain the rise of firms like root9B that have come up with countermeasures. Staffed by former military and other intelligence experts at the National Security Agency (NSA), and CIA root9B identifies and shuts down adversaries in action, often within days of a breach.

Using a technique called HUNT, the firm uses agentless technology to patrol and monitor an adversary without the attacker being aware that he is being watched. This state-of-the-art defensive network method is bit like the submarine chase depicted in the film, Hunt for Red October where the Soviet nuclear submarine was closely tailed by an American nuclear sub without the Soviet sub being aware for the most part of being followed. The difference according to ROOT9B CEO Eric Hipkins, is that there is no physical presence of the tracker. “We use agentless detection capability, thus we are invisible to the attacker,” Hipkins says.

This is undoubtedly why root9B was named the No. 1 firm on Cyber Security 500’s annual ranking of innovators—ahead of IBM, Cisco, and other tech giants. The five-year-old company relies instead on “manned information security.” Its analysts engage in code-to-code combat with cyber attackers inside corporate and government.

As the organization that first introduced proactive HUNT operations to the commercial space in 2013, root9B has developed and refined its proprietary capabilities and methodologies to create the necessary shift from the current focus and dependence on automated passive technologies. This new active defense, Manned Information Security, is currently being adopted across the Department of Defense, finance, retail and industrial control markets. The model is focused on identifying the adversary and its tactics, implementing pragmatic, cost-effective mitigation strategies, and understanding the client’s business context (understanding what is most important to them) to pre-emptively defend against cyber-attacks. This is an operationally focused, human enabled model distinctly different from the often exploited, technology-driven passive defense protocols employed within most enterprise networks.