Active Countermeasures: Threat Hunting: Delivered Right Out of the Box

Chris Brenton, COO, Active Countermeasures
One major limitation of many security attestations is that they do not verify whether the network being evaluated already contains compromised systems. A number of companies, for example, receive their PCI DSS attestation for processing credit cards while their network is in a compromised state. Most of today's security tools struggle to distinguish normal network traffic from traffic generated by a compromised system, largely because their analytics scrutinize the network over only a brief window: in effect they inspect a single packet or a single session, which is not enough to tell command and control (C&C) traffic from normal traffic flow. “Such shortcomings cannot continue, and we are looking forward to addressing them by incorporating threat hunting as a standard requirement,” asserts Chris Brenton, the COO of Active Countermeasures, a company whose security tooling aims to be effective, simple, and usable across a wide range of systems.

Active Countermeasures offers AI-Hunter, a network threat hunting solution that monitors all traffic between the internal network and the internet in order to detect compromised hosts. The solution analyzes connection behavior and identifies which systems or IoT devices have been compromised, regardless of platform, operating system, or network speed. “We collect a day’s worth of data, and parse through it, separating traffic into source and destination IP address pairs. We then leverage patented processes to look for telltale signs of command and control traffic, such as beaconing or exceptionally long connections,” says Brenton.
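Brenton's description (a day of traffic, grouped by source/destination pair, scored for beaconing and for exceptionally long connections) is enough to sketch the shape of such a hunt. The script below is an added example written for this article, not Active Countermeasures' code, and it does not reproduce AI-Hunter's patented analytics. It runs over a constructed list of flow records in the shape (src, dst, start_time, duration); the field layout, the jitter threshold of 0.2, the eight-hour "long connection" cutoff, and the minimum of 20 connections per pair are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src_ip, dst_ip, start_time_seconds, duration_seconds).
# The layout is an assumption; a Zeek conn.log would supply the equivalents
# (id.orig_h, id.resp_h, ts, duration).


def build_sample_records():
    """Build one constructed 'day' of traffic containing three host pairs."""
    records = []
    # Pair A: a 5-minute beacon with a few seconds of deterministic jitter,
    # 288 short connections across 24 hours (the classic C&C check-in shape).
    for i in range(288):
        jitter = (i * 7) % 11 - 5            # -5 .. +5 seconds
        records.append(("10.0.0.5", "203.0.113.10", i * 300 + jitter, 0.4))
    # Pair B: a single connection held open for ten hours.
    records.append(("10.0.0.7", "198.51.100.20", 3600, 10 * 3600))
    # Pair C: ordinary browsing, irregular gaps and short sessions.
    gaps = [5, 600, 30, 1200, 15, 45, 3000, 8, 250, 700, 20, 90,
            1800, 12, 400, 60, 2400, 25, 110, 900, 7, 350, 1500, 40]
    t = 900
    records.append(("10.0.0.9", "192.0.2.80", t, 2.0))
    for g in gaps:
        t += g
        records.append(("10.0.0.9", "192.0.2.80", t, 2.0))
    return records


def group_pairs(records):
    """Group records by (src, dst); each group's connections sorted by start time."""
    pairs = defaultdict(list)
    for src, dst, start, duration in records:
        pairs[(src, dst)].append((start, duration))
    for conns in pairs.values():
        conns.sort()
    return pairs


def beacon_score(starts, min_connections=20):
    """Return (mean_interval, jitter_ratio) for sorted start times, or None when
    there are too few connections to judge regularity. jitter_ratio is
    stdev(intervals) / mean(intervals); near 0 means the host connects on a
    near-perfect schedule, which is what a simple beacon looks like."""
    if len(starts) < min_connections:
        return None
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    avg = mean(intervals)
    if avg <= 0:
        return None
    return avg, pstdev(intervals) / avg


def hunt(records, jitter_threshold=0.2, long_seconds=8 * 3600, min_connections=20):
    """Score every source/destination pair and return the suspicious ones."""
    findings = []
    for (src, dst), conns in group_pairs(records).items():
        starts = [s for s, _ in conns]
        longest = max(d for _, d in conns)
        score = beacon_score(starts, min_connections)
        if score is not None and score[1] < jitter_threshold:
            findings.append({"src": src, "dst": dst, "type": "beacon",
                             "connections": len(conns),
                             "mean_interval": round(score[0], 1),
                             "jitter": round(score[1], 3)})
        if longest >= long_seconds:
            findings.append({"src": src, "dst": dst, "type": "long_connection",
                             "longest_seconds": longest})
    return findings


if __name__ == "__main__":
    for finding in hunt(build_sample_records()):
        print(finding)
```

On the constructed data this flags the 10.0.0.5 pair as a beacon and the 10.0.0.7 pair as a long connection, and leaves the browsing pair alone. Treat such output as a starting list for a hunter, not a verdict: software updaters, NTP and monitoring agents beacon legitimately, so a list of known-good destinations is needed, and a C&C implant can add deliberate jitter, which is why a real tool also looks at other dimensions (such as how consistent the transferred sizes are) rather than timing alone.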
Because it works from captured network traffic rather than from software installed on each host, the company’s solution can monitor all platforms, including network hardware, SCADA devices, IoT devices, and even unregistered BYOD hardware. In one instance, Active Countermeasures assisted a customer that had only two individuals managing its network security. Occupied with other work, the two seldom found time to check the network for compromised systems. By implementing AI-Hunter, they were able to hand the first pass at threat hunting to the help desk team: every day a help desk staffer ran the initial hunt and presented a report to the security team, which followed up only when a threat was identified.

Brenton highlights another instance in which a customer, a law enforcement agency, was called to a site because of a compromise; the remedial actions the agency could take on that network were strictly limited, and installing agent software on every suspect system was not practical. Instead of asking the organization to install agents, the agency asked it to capture a few days’ worth of network traffic. The packet captures were then sent to a central location, where the agency used AI-Hunter to identify points of compromise.

Active Countermeasures is planning major interface changes over the next few months, shifting the focus from having to threat hunt the whole network every day to hunting only once a suspicious system has been identified. This can dramatically lower the security skills needed to identify threats on a network, so that a much wider audience can find compromised systems effectively.

The company’s founders, John Strand, Paul Asadoorian, and Chris Brenton, have significant experience in providing tools and training focused on information security. They have served as SANS instructors, helped define security standards, produced numerous free webcasts and blog posts, and supported many open source security projects. “By providing security tools that are easy to use and capable of protecting all types of systems, we want to assist our customers to implement effective security measures,” concludes Brenton.