How to become an APT hunter with Carbon Black
In this episode of Infosec’s cybersecurity podcast series Cyber Work, host Chris Sienko talks with David Balcar, security strategist at Carbon Black. They discuss a wide range of topics, from how David got his start in security to many of the ins and outs of being an APT hunter — which is one of the hot subjects in information security today and a dream job for many.
Strap yourself in and get ready for a fast-paced, information-rich exploration of how to become an APT hunter!
How did you first get interested in computers and security?
David was first bitten by the computer “bug” (pardon the pun) when he was about ten, experimenting with the Apple II and IIe. This led to programming and working with Pascal and assembly language.
After graduating from high school, David joined the Navy and later began working for his friend’s computer repair shop. This experience gave him a great foundation, which led him to begin networking with a focus on Novell networks. He worked for an engineering firm building large-scale Novell networks and later began a company called NDI. This company had two sides, one focusing on security and the other on traditional integration.
How has the cybersecurity landscape changed since you first got involved?
According to David, it has changed a lot. When he first started, cyberattacks were mainly boot-sector attacks and screen locks; they then moved into cybertheft and stealing money. This followed the age-old wisdom: people go for the money.
What are some of the job titles and responsibilities that gave you the tools you needed to excel in cybersecurity?
David has held many titles leading up to his current one, that of security strategist at Carbon Black. He has been a programmer, which helped teach him processes and began his self-described life of living in the 1s and 0s. His subsequent titles include network architect and network security engineer.
All of these titles taught him the responsibility of knowing what things are supposed to look like and other foundational learning that he still uses to this day. One of the most important things to glean is that you need to know where the data is and how to access it.
What’s one step listeners can take today to get closer to a career in threat hunting?
The biggest thing you can do is get training. Some say you need certain certifications, but many organizations will hire you without one. David says you should start from the ground up because without a solid foundation, everything else is a moot point. For example, you can’t reverse-engineer malware without knowing basic programming.
Another tip David offered is to know your OSs, and this means more than just Windows. Otherwise, you won’t be doing yourself justice.
What are APTs and how does hunting them differ from standard threat hunting?
A big difference between APT and standard threat hunting is that APTs are performed by nation-states or highly sophisticated cybergangs. Those behind APTs want to be on networks for a long time without being discovered and they change their tactics constantly.
A key thing about threat hunting is knowing what is at your endpoints and what “normal” is supposed to look like. You also need to be able to look at raw data and understand what it is telling you. For instance, Notepad.exe should not be communicating to the outside internet.
Another difficult aspect of APTs is that they have been observed using LOLbins (living-off-the-land binaries: legitimate system tools turned to malicious use), which makes them hard to distinguish from normal activity.
What set of skills, certifications and training will best prepare professionals wanting to move into APT threat hunting and analysis?
David offered three pieces of advice:
- Know your OSs, as they all have their different challenges.
- Take a look at GIAC.
- Set up your own lab at home. This will allow you to get malware samples, detonate them at home and learn from them.
He is a visual learner and follows the “wreck it to build it” principle.
Are there any downsides to the kind of work you do?
What keeps David up at night is how fast malware and malicious tools are evolving. Every day, he thinks of new ways to break into a system, because if he can, others can too. He also thinks about defense — meaning how he would stop the attacks he imagines. This all boils down to him potentially working 24/7.
Do you have examples of some of the biggest and scariest APTs out there right now?
David, halfway tongue-in-cheek, says that the biggest ones are not known about yet. One known APT that is of serious concern is the supply chain attack. A real-world example of this type of attack was the ASUS updates operation which affected millions of machines that downloaded some malicious updates. Another big one is financial attacks which are, of course, after the money.
Do you ever go on the offensive, or is that outside of your purview?
This is outside his purview, as there are laws against hacking back. The problem is that if you hack a hacker back, by that point they have already bounced to another targeted company.
David’s main concern here is to block all he can, detect everything else and remediate as fast as possible. Knowing where your intellectual property is, where your data is and what is encrypted will help you in dealing with hackers the right way.
What do financial institutions have to do to fight off these cybercriminals?
Isolate! He says these institutions need to segment their environments and watch for lateral movement, as attacks rely on it. Financial institutions should also be proactive by making themselves a harder target.
What are organizations looking for when hiring people with APT-hunting experience?
Those looking for APT hunters are all the three-letter organizations, penetration testing firms, incident response firms and MSSPs. David added that you should not rely on the job description requirements — they are often unrealistic.
What aspects of a security program should organizations improve if they’re worried about APTs?
Go after the low-hanging fruit! Before you speak to your organization’s C-suite about APTs, you need to make it relevant to them. For example, conduct a survey about how much it will cost your organization to be shut down for 24 hours, or even one week. This will pique their attention and get them moving proactively.
Where can you find David?
David can be found on Twitter at @Network232 and at carbonblack.com. Additionally, he speaks at 50+ security conferences every year.
The biggest take-away, according to him, is to get involved in the security community and start networking. You will meet a lot of helpful security professionals and learn a lot in the process.
In this episode of Infosec’s Cyber Work Podcast, Chris Sienko chatted with David Balcar, security strategist at Carbon Black. They explored questions about one of the security dream jobs that many may have.
You can watch the full conversation with David Balcar on the Cyber Work YouTube page.