Threat Hunting and Defensive Tools Government Could Use

Like every other industry, government is under constant attack. This has spawned a dire need for more cybersecurity personnel and a serious alert fatigue for those already enlisted to help. Unfortunately, government can’t throw money at trained cybersecurity professionals, putting it at a disadvantage when competing for a limited pool of talent.

Over the past few months, I have been studying innovative new technologies aimed at leveling the playing field and getting hands-on with some of them for review. There are two that I would like to highlight that may be promising for agencies desperate to strengthen their defenses. The first is a way that agencies could employ trained threat hunters as a service. The second would allow them to utilize machines and task them to protect themselves.

Mantix4, which I reviewed for CSO Magazine, comes from Canada, where the government there was running into the exact same problem. Originally designed for the Canadian government’s Department of Public Safety, which is the equivalent of the Department of Homeland Security in the United States, it enables threat hunting without the need for locally trained staff in that highly specialized field. In Canada, Mantix4 helps defend networks sitting in 10 sectors considered critical infrastructure, rooting out threats that bypass more traditional protection. Threat hunting is a specialized cybersecurity skill where highly trained and experienced analysts follow hunches and clues to try and find advanced threats that have already breached a network but remain hidden.

The Mantix4 platform, named as an homage to the apex predator of the insect kingdom, the Praying Mantis, is deployed as two components. The first part is comprised of observer sensors that sit at critical points within a protected network, either alongside routers or at network gateways. The sensors can be set to work inline or to passively sniff network traffic.

The brains of the system, that the observer sensors report to, is the analytics server. That is hosted in a secure data center run by Mantix4 so that it can be kept constantly updated with the latest features and patches, and to ensure that it has enough power to process whatever data the sensors are sending it. Government agencies can instead opt to host the analytics server themselves but would need to give Mantix4 access to it to take advantage of threat hunting as a service.

Internal government threat hunters can make use of the Mantix4 interface to aid in their hunts, as it is extremely visual and allows for deep drilling into any data point to help chase leads and follow hunches. However, I don’t think there are too many government threat hunters, and certainly not enough. The government here might want to follow Canada’s lead and employ Mantix4 threat hunters as a service. Typically, Mantix4 clients get an hour of dedicated threat hunting every day, along with detailed reports of any threats that are found. However, special arrangements can be made to get more hunting time from them if needed.

The BluVector program is also designed to help outsource security functions, but directly to machines instead of to other humans. Given free reign, it can use machine learning and artificial intelligence to find and react to threats at machine speeds without human intervention.

Installed as either a hardware appliance or virtual machines, when I reviewed BluVector I could see how it was comprised of a series of detection engines that in turn feed into a probability engine, which determines what actions to take.

The BluVector detection engines tap into supervised machine learning, speculative code execution, behavioral heuristics, signatures, threat intelligence rules, a file extractor and a portable executable scanner, each with its own engine. They all feed their data into the probability engine, which assigns a score to each flagged file or piece of code. BluVector can find code inside of scripts or within traffic streams, and pull it out to be reassembled and run through the detection engines. It works with IPv4 and IPv6 traffic, and can even be set to protect other machines, such as those in a supervisory control and data acquisition—better known as SCADA—environment, or ones that are part of the internet of things.

Tied together with machine learning, the engines inside the BluVector box are basically also performing threat hunting using artificial intelligence, very much like a human analyst would if they were given enough time, training and resources. I really put BluVector to the test, and it was able to uncover several stealthy threats on a test network that easily bypassed more traditional defenses like antivirus and endpoint scanners.

Government agencies may be a little wary of turning over high-level security functions to machines, but the open API nature of BluVector means that it can easily integrate into an existing SIEM, or whatever defenses an agency already has installed. Our test installation worked with Splunk, but the program also integrates with IBM’s QRadar, Carbon Black, CrowdStrike, ThreatConnect, STIX and TAXII, ThreatGrid and many others. If nothing else, allowing BluVector to independently search for hidden threats could supplement the efforts of human IT workers protecting their agency.

I realize that both concepts, contracting outside experts to threat hunt inside a government network or enabling machines to police themselves, may be a bit outside the comfort level of some agencies. But the threat landscape is extremely dangerous these days, and there simply aren’t enough internal government cybersecurity professionals to cover the waterfront. Allowing either BluVector’s machines or Mantix4’s human experts to fill in the gaps may be just what agencies need to regain the upper hand in the constant struggle for security.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys