Today marks the 1-year anniversary of Hunt & Hackett, and what a year it has been! We started with a small team of eight security experts in the middle of the COVID pandemic and a national lockdown. On the day we launched we were all sitting anxiously behind our computers at home, announcing ourselves to the world through (social) media and checking the online responses. We sometimes have to pinch ourselves that this was only a year ago.
We are living in the age of ransomware, where organizations are extorted for millions of euros at a time, on a daily basis. Yet, as a society, we fail to form an adequate response to the issue. Ransomware has become normalized. Organizations are, generally speaking, left to their own devices to protect themselves against this constantly developing threat and have to deal with it themselves when it happens. As ransomware attacks kept advancing in sophistication, the criminals increasingly started to mimic the behaviors of APT actors. This meant that our specific threat modelling approach, developed initially for (corporate) espionage types of threats, suddenly became well suited to building up an effective and holistic defense against (targeted) ransomware attacks.
This context has accelerated the growth of our company. We started with a team of eight. Today, we are a team of 22 experts and have not only established the foundation of our company in less than a year, but also managed to innovate and demonstrate to our first group of customers that new and better approaches are possible in cybersecurity. When setting up the company we felt a different approach was needed. We wanted to build a security company and culture that set out to challenge the status quo and prove that better solutions are possible for the cybersecurity problems of our time. We decided to innovate on a threat modelling based approach to cybersecurity, almost as an antidote to the standardized, one-size-fits-all approach to security that is currently the norm. We set out to provide tailored solutions to organizations facing targeted and advanced attacks from Advanced Persistent Threat (APT) actors.
Fortunately, there turned out to be a market for this new data-driven approach, with enough early adopters willing to take a risk on us and our new ideas. Without such great customers we could not have made the progress that we did. We are forever grateful to have had the opportunity to work with them. This has enabled us to establish the foundation of our service offerings more quickly than anticipated. Today, we run a high-end 24x7 Security Operations Center as part of our Managed Detection & Response (MDR) service. MDR is at the core of our service portfolio and runs on modern cloud native technology. As cybersecurity has become more complex and expert resources are increasingly scarce, managed cybersecurity services are the most viable option for many organizations.
The first thing we developed after our launch was our threat modeling framework, since we believe that a modern cybersecurity program requires a threat modeling based approach. This results in a data-driven strategy that helps build up an organization's resilience based on facts rather than gut feelings. Subsequently we ingested both public and internal threat intelligence into this threat diagnostic system, which helped us to quickly build tailored threat models for organizations, given their specific sector and operating countries. The outcome of this threat model approach not only gives direction on what our specific MDR solution should look like for a specific customer (see also our blog about 'Applied Threat Diagnostics'), it also dictates the required security controls from a prevention, detection and response perspective.
In order to make our threat modelling approach more practical for organizations to apply, we doubled down with our own internal security program gap assessment framework and tooling, which efficiently builds an organization-specific cybersecurity roadmap. This system can be used to determine the cyber resilience of an organization based on the security controls already implemented. Additionally, with our threat modeling framework we determine the current threat landscape of the organization and translate this into prevention, detection and response security controls. This provides a baseline of measures required to make the organization resilient against its specific threat landscape. Based on the current and required situation we determine the actual gap. Controls that aren't (sufficiently) implemented yet are grouped, and projects are defined around these groups to close the gap. More importantly, we also determine priorities, the required budget for these projects and the amount of time the organization needs to implement them.
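To make the flow of the two paragraphs above concrete, here is an added example of a threat-model-driven gap assessment. It is illustrative code written for this post, not Hunt & Hackett's own framework or tooling: the actor names, technique identifiers, controls, cost and effort figures are all constructed placeholders. It selects the threat landscape from sector and operating countries, derives the required prevention/detection/response controls, subtracts what is already implemented, and groups the remainder into projects ordered by how many relevant actors they address, with a budget and effort total.

```python
"""Added example (not Hunt & Hackett's own tooling): a minimal threat-model
driven gap assessment. All actors, techniques, controls, costs (kEUR) and
effort figures (person-days) below are constructed for illustration."""
from collections import defaultdict

# Constructed threat intelligence: which actors target which sectors and
# countries, and which attack techniques they rely on (placeholder ids).
THREAT_INTEL = [
    {"actor": "ACTOR-A", "sectors": {"manufacturing"}, "countries": {"NL", "DE"},
     "techniques": {"T-phish", "T-rdp", "T-ransom"}},
    {"actor": "ACTOR-B", "sectors": {"manufacturing", "finance"}, "countries": {"NL"},
     "techniques": {"T-phish", "T-vpn-exploit", "T-credential-dump"}},
    {"actor": "ACTOR-C", "sectors": {"finance"}, "countries": {"US"},
     "techniques": {"T-supply-chain"}},
]

# Constructed control catalogue: each control addresses some techniques, belongs
# to a family (prevention / detection / response) and a project group.
CONTROLS = {
    "mfa-everywhere":    {"family": "prevention", "group": "Identity hardening",
                          "cost": 40, "effort": 15, "techniques": {"T-phish", "T-rdp", "T-vpn-exploit"}},
    "edr-all-endpoints": {"family": "detection", "group": "Endpoint visibility",
                          "cost": 60, "effort": 20, "techniques": {"T-ransom", "T-credential-dump"}},
    "offline-backups":   {"family": "response", "group": "Recovery",
                          "cost": 25, "effort": 10, "techniques": {"T-ransom"}},
    "patch-perimeter":   {"family": "prevention", "group": "Perimeter hygiene",
                          "cost": 15, "effort": 8, "techniques": {"T-vpn-exploit"}},
    "mail-auth-logging": {"family": "detection", "group": "Identity hardening",
                          "cost": 10, "effort": 4, "techniques": {"T-phish"}},
    "sbom-verification": {"family": "prevention", "group": "Supply chain",
                          "cost": 30, "effort": 12, "techniques": {"T-supply-chain"}},
}


def threat_landscape(sector, countries):
    """Return the relevant actors and how many of them use each technique."""
    counts = defaultdict(int)
    actors = []
    for entry in THREAT_INTEL:
        if sector in entry["sectors"] and entry["countries"] & set(countries):
            actors.append(entry["actor"])
            for technique in entry["techniques"]:
                counts[technique] += 1
    return actors, dict(counts)


def required_controls(technique_counts):
    """Controls needed against the landscape, scored by actor-technique hits."""
    scored = {}
    for name, ctl in CONTROLS.items():
        hits = sum(technique_counts.get(t, 0) for t in ctl["techniques"])
        if hits:
            scored[name] = hits
    return scored


def gap_assessment(sector, countries, implemented):
    """Compute the missing controls and group them into prioritised projects."""
    _, counts = threat_landscape(sector, countries)
    required = required_controls(counts)
    missing = {c: s for c, s in required.items() if c not in implemented}
    projects = defaultdict(lambda: {"controls": [], "priority": 0, "cost": 0, "effort": 0})
    for name, score in missing.items():
        ctl = CONTROLS[name]
        project = projects[ctl["group"]]
        project["controls"].append(f"{name} ({ctl['family']})")
        project["priority"] += score      # more relevant actors -> higher priority
        project["cost"] += ctl["cost"]
        project["effort"] += ctl["effort"]
    ordered = sorted(projects.items(), key=lambda kv: kv[1]["priority"], reverse=True)
    return {
        "required": required,
        "missing": missing,
        "projects": [dict(name=k, **v) for k, v in ordered],
        "total_cost_keur": sum(v["cost"] for _, v in ordered),
        "total_effort_days": sum(v["effort"] for _, v in ordered),
    }


if __name__ == "__main__":
    result = gap_assessment("manufacturing", ["NL"], implemented={"edr-all-endpoints"})
    for project in result["projects"]:
        print(project)
    print("budget kEUR:", result["total_cost_keur"], "effort days:", result["total_effort_days"])
```

Running the example for a constructed Dutch manufacturer that already has EDR in place yields "Identity hardening" as the top project (it addresses the most actor-technique combinations in that landscape), followed by the recovery and perimeter projects, with the supply-chain control correctly left out because no relevant actor uses that technique.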
The threat modeling approach that forms the backbone of our security program gap assessments was actually developed for our MDR service, as we wanted to determine which data sources to monitor to gain visibility against specific sets of attack methods. The threat modeling approach helped us to tailor the detection logic to the customer's threat landscape.
In setting up our MDR service, we had the benefit of starting from scratch: without any legacy, in a cloud native world, and with a significant number of lessons learned in the past. This allowed us to build an innovative and effective Security Operations Center in a short amount of time. The result is a technology stack and proposition that is technology agnostic, so we can work with pretty much any security technology our customers already use. We set up a detection engineering approach that covers the full MITRE ATT&CK framework and applies detection logic to a variety of data sources.
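The two paragraphs above describe choosing data sources so that the detection logic covers the customer's threat landscape, which is also what the detection coverage tracker mentioned later in this post visualizes. The following is an added example of that bookkeeping, written for this post and not Hunt & Hackett's own code: each detection rule in a constructed catalogue needs certain data sources, and for a constructed customer landscape the code reports per-technique coverage and which missing data source would activate the most rules. Technique ids, rule names and data source names are placeholders, not MITRE ATT&CK identifiers.

```python
"""Added example (not Hunt & Hackett's own code): a detection coverage tracker.
Technique ids, rule names and data sources are constructed placeholders."""
from collections import Counter

# Constructed rule catalogue: technique -> rules, each needing some data sources.
RULE_CATALOGUE = {
    "T-phish": [
        {"rule": "suspicious-mail-attachment", "sources": {"mail-gateway"}},
        {"rule": "office-spawns-shell", "sources": {"endpoint-process"}},
    ],
    "T-rdp": [
        {"rule": "rdp-from-internet", "sources": {"firewall", "windows-security"}},
    ],
    "T-credential-dump": [
        {"rule": "lsass-access", "sources": {"endpoint-process"}},
    ],
    "T-ransom": [
        {"rule": "mass-file-rename", "sources": {"endpoint-file"}},
        {"rule": "shadow-copy-deletion", "sources": {"endpoint-process"}},
    ],
    "T-vpn-exploit": [],  # no detection logic written yet
}

# Constructed customer: techniques from its threat model and the sources it forwards.
CUSTOMER_LANDSCAPE = ["T-phish", "T-rdp", "T-credential-dump", "T-ransom", "T-vpn-exploit"]
ONBOARDED_SOURCES = {"mail-gateway", "firewall"}


def coverage(landscape, onboarded):
    """Classify each technique: 'covered' (an active rule exists), 'partial'
    (rules exist but their data sources are not onboarded) or 'none'."""
    onboarded = set(onboarded)
    status = {}
    for technique in landscape:
        rules = RULE_CATALOGUE.get(technique, [])
        active = [r for r in rules if r["sources"] <= onboarded]  # subset check
        if active:
            status[technique] = "covered"
        elif rules:
            status[technique] = "partial"
        else:
            status[technique] = "none"
    return status


def coverage_ratio(landscape, onboarded):
    """Fraction of landscape techniques with at least one active rule."""
    status = coverage(landscape, onboarded)
    return sum(1 for s in status.values() if s == "covered") / len(status)


def best_next_source(landscape, onboarded):
    """The single missing data source that would activate the most rules,
    returned as (source, number_of_rules), or None if nothing is one step away."""
    onboarded = set(onboarded)
    gains = Counter()
    for technique in landscape:
        for rule in RULE_CATALOGUE.get(technique, []):
            missing = rule["sources"] - onboarded
            if len(missing) == 1:
                gains[next(iter(missing))] += 1
    return gains.most_common(1)[0] if gains else None


if __name__ == "__main__":
    for technique, state in coverage(CUSTOMER_LANDSCAPE, ONBOARDED_SOURCES).items():
        print(f"{technique:20s} {state}")
    print("coverage:", coverage_ratio(CUSTOMER_LANDSCAPE, ONBOARDED_SOURCES))
    print("onboard next:", best_next_source(CUSTOMER_LANDSCAPE, ONBOARDED_SOURCES))
```

For the constructed customer only the phishing technique is covered, three techniques are "partial" (detection logic exists but the endpoint telemetry is not forwarded) and one has no rule at all; the tracker points at the endpoint process source as the onboarding step with the largest gain, which lifts coverage from one in five techniques to three in five.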
From a service perspective, we decided that detection alone is not enough for our customers. If we really want to unburden our customers and prevent incident escalation, response should be an integral part of our proposition. Therefore, together with our customers, we developed an active response approach, where we not only detect bad stuff but also mitigate it instantly, before the situation escalates. Wherever possible we do this in an automated manner. This is particularly important with ransomware attacks, where speed is of the essence.
During the year, our defense center was audited by one of the 'Big Four' accounting firms. They concluded that we not only have an innovative approach to MDR, but more importantly that our service is already mature in a benchmark comparison. For us this meant that we are not only on the right track, but also made the right decisions at an early stage, particularly as such an audit looks through a different lens than what we feel is most important in a high-quality MDR service.
Building a company during COVID is challenging in itself; luckily the majority of the Hunt & Hackett team had already worked with each other in the past. However, the building of these propositions was occasionally interrupted by a few large Incident Response (IR) assignments, both in the Netherlands and abroad. These incidents ranged from high-end espionage cases to a significant number of targeted ransomware cases and some business e-mail compromises. During the year we bumped into threat actor groups such as REvil, SocGholish / Silverfish, Conti, Turla and Hades. It almost felt like meeting old acquaintances once again.
To support the investigations, we built a new Incident Response (IR) Cloud Lab. The same principles that apply to our modern Defense Center apply to building our IR lab as well: we have no legacy, we live in a cloud (native) world and, due to COVID, we are required to do everything remotely. Our IR lab now provides us with serious and adjustable amounts of storage and processing power, and the collaborative means to work more closely as a team on an IR case.
Just as we believe that response is an integral part of MDR, we also believe that remediation is an important and integral part of Incident Response. This means that we not only help our customers find the root cause and contain the incident, but also guide them through the process of cleaning and rebuilding their infrastructure and coming back stronger than before.
To help customers prepare for an incident, and hopefully lower the probability of an incident occurring, we developed an Incident Readiness proposition. We have experienced that many organizations aren't properly prepared when an incident does occur. We often find that key investigative data is incomplete or missing altogether, processes aren't aligned, and roles and responsibilities need to be further defined. With our Incident Readiness proposition we help organizations prepare themselves from a technical, process and organizational perspective. When an incident does happen, they are prepared because the basics are in place and the crisis team knows what to do, hopefully limiting the impact of the incident.
Naturally, we are not yet fully up and running at the level we aspire to, but we are scaling up and further expanding our business by building new innovative solutions. Throughout next year we will continue our work on making security more manageable and more data-driven for our customers. We will do this by enhancing our threat modelling framework and building an ecosystem of threat diagnostic-based tools with the framework at its core. These new tools give our customers the insights they need to balance their organization's resiliency against their risk appetite and budget.
Some of these innovations will be invisible, as they have their impact under the hood: for example, machine learning algorithms for our MDR proposition, or detection logic developed on the basis of extensive research. One example of a tool we are working on is a detection coverage tracker, which visualizes the level of detection coverage for a customer's specific threat landscape. Other selected innovations are a 'tailored' cyber security news service and tools that objectively measure the effectiveness of an organization's cyber security resilience. Furthermore, we will continue to work on improving the elements published in the Hunt & Hackett MDR buyers' guide.
Today, we are looking back at a successful first year. We also know there is an exciting new year ahead of us, in which we will continue to protect our customers and society from APTs. We would like to sincerely thank all our current customers for their early support and trust in us. The simple truth is that without them Hunt & Hackett wouldn't be in the position it is in today! We are therefore extremely grateful and will repay that trust by working tirelessly throughout the next year to keep your organization secure and resilient.