root9B Goes HUNTing for Hackers
Eric Hipkins is a bit of a contrarian.
In an industry hot to automate every aspect of information security, the CEO of root9B is promoting a solution with flesh and blood at its core.
Current thinking about securing networks embraces the idea of “defense in depth.” That calls for defenses to be layered. A firewall, for example, would be a layer. Network monitoring would be another, as would be endpoint protection software.
That approach is good, but it doesn’t go far enough to protect a network from the kind of threat actors marauding the Internet today.
“Defense in depth continues to place automated solutions in the network and hopes they can outthink the adversary,” Hipkins says. “It’s a failed strategy.”
Turning Defenders into Hunters
An indicator that it’s a failed strategy is that dwell times — the time between compromise of an organization’s network and discovery of that breach — remain high. In a report released last year by FireEye, it calculated the global mean dwell time to be 146 days.
That contrasts starkly with the results of root9B’s approach. “We’ve been able to close that down to minutes, hours or single-digit days because we live on the network and have a full understanding of it.”
Hipkins emphasizes that automation is important to network defense. “You absolutely need those capabilities, but it cannot be the final layer of security,” he says.
HUNT GRAM: 47% of all manufacturing sector data breaches involve an advanced adversary. HUNT provides increased ROI for insufficient passive and automated security systems. –root9B
“We use that automation to inform our hunters and then go live on the system to remediate any issues that they do have,” he adds.
Those hunters use an approach pioneered by root9B called HUNT. “HUNT is a defensive strategy that incorporates an active cyber defender to proactively hunt for and engage an adversary within an organization’s network,” Hipkins explains.
“It’s all about arming a human defender with an advanced detection, proactive response technology and relying less on automated capability to outthink the adversary,” he adds.
Rooting Out Net Rats
Hipkins founded root9B in 2011 along with four other employees, all with military and intelligence backgrounds. The company’s name is a compound of two ideas. “Root” refers to “rooting” a system. When attackers root a system, they own it and can do whatever they want with it. root9B aims to prevent that. “9B” is a hexadecimal number that when converted to decimal form is 911, a reference to an infamous date in American history. Hex is a base 16 number system commonly used in electronics and programming.
“I felt that the community had already conceded their network to the adversary and were focused on post exploitation versus pre-exploitation,” he explains. “I felt that given the right group of talent and building the right capabilities, we could stop that.”
HUNT GRAM: Over 90% of malware hashes are seen in the wild for less than a minute. Active HUNT can detect adversaries subverting automated and passive security systems. – root9B
Initially, root9B focused on cybersecurity training. After establishing a top-notch reputation in that field, the company was able to diversify into cybersecurity software tools and services. It was purchased in 2013 by the Premier Alliance Group for $1.75 million in cash and stock. When Premier later repositioned itself as a provider of cybersecurity and regulatory risk mitigation services, it changed its name to root9B Technologies.
Hipkins’ root9B is headquartered in Colorado Springs, Colo. where it employs 40 people and employs 40 more at three other offices. The company also has its $2 million Adversary Pursuit Center in Colorado Springs, which provides cloud security services and training to its customers.
Training remains an important part of root9B’s product mix. It recently formed a partnership with Science Applications International Corp. (SAIC) to offer simulation and training to U.S. government.
Companies Want Military-Grade Solutions
root9B has two software offerings: ORKOS and ORION.
Orkos is a credential assessment program. Credential compromise is often used by attackers to enter a system and set up shop. Orkos can help identify exposed credentials and prevent a threat actor from moving laterally in a system.
Orion is a software platform that ingests automation information from across an organization’s network and allow a root9B operator to perform live reconnaissance on that net, as well as remediate any adversary activity found there. Hipkins adds, “Built into the Orion platform is the ability to interrogate live memory, where a lot of these adversaries operate.”
Tools, while important, take a back seat to humans in root9B’s cybersecurity approach. However, the standards for those human defenders is very high. In a report authored by Hipkins, COO John Harbaugh, CTO Michael Morris and Chief Scientist David Aucsmith, it’s noted that the implicit assumption in root9B’s defensive approach is that network defenders will know how to look for and recognize the adversary, deal with them when found, and leverage actionable threat intelligence to prevent the breach in the first place.
HUNT GRAM: Less than 1% of system drivers are unique. HUNT will identify end of life systems which provide additional attack surfaces for your adversary. – root9B
“The defender must understand the adversary’s mindset, motives, tactics, tendencies, and exploitation techniques,” the authors continue. “They must be well-trained, intimately familiar with both their adversaries, as well as the tactics and techniques employed by these threat actors.”
“They must understand not only their adversary, but also the vulnerabilities and potential targets within the organization they are defending,” they add. “All of this must be backed by business context driven, specific, and actionable threat intelligence.”
If all that has a military sound to it, it’s not accidental. As threat actors become more sophisticated, companies have begun looking for military-grade solutions for their cybersecurity needs. “They understand,” Hipkins says, “that the adversary that they’re facing, in many cases, has military or intelligence ties.”
– John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.