Meet Nate Guagenti
Over a decade, Nate has both deployed and engineered network and endpoint SIEMs that have scaled to multiple-TB/day of ingest, while simultaneously using and training others on the deployed solution. As Nate has worked in all facets of IT, he adds the unique experience of someone who has performed both endpoint and network security monitoring. His work on threat hunting and insider threat detection have been displayed at various conferences. Nate is a contributor to the open source HELK project (https://github.com/Cyb3rWard0g/HELK), which focuses on threat hunting through endpoint data using the Elastic Stack, as well as the SIGMA framework, which is an open source project that standardizes signatures and detection methods.
Nate, tell us about your experience in cybersecurity and why you have decided to focus on open-source solutions like Elastic?
I started my career in cybersecurity in 2012 where I worked as a Government customer. From there I moved from a SOC analyst to malware analysis. Over time this expanded into threat hunting and roles that included engineering 10Gbps+ NSM Zeek (Bro) sensor deployments and Elastic clusters.
As a defender, we are met with a mountain of challenges many of which are out of our control. However, there are things we can control and fix and we can’t wait until the next quarter for a fix or feature from a vendor. Deploying open source software, such as Elastic, allowed me to fix critical defensive gaps the next day. Additionally, having the financial barrier removed to use and learn the product allowed me to accelerate my understanding from home.
In your opinion, what are the most important threat-hunting trends in the industry now?
The industry has already shown that the problem with collection (telemetry) and big data can be solved. This has allowed many trends and processes to evolve, mature, and come into existence. One of these trends is data documentation (shown in OSSEM by @Cyb3rWard0g), data normalization, and standardized query languages (SIGMA). Additionally, built-in telemetry is being explored to replace or supplement enterprise solutions and is openly shared. In return, people can now validate, explore, and use this shared data to build detections and models without the necessity of costly enterprise solutions or a large lab environment. Also, the community is building broader detections around tactics and techniques. Something such as the MITRE ATT&CK framework is a perfect example. The existing SIGMA rules for environment discovery or Microsoft Office spawning processes show this in practice.
Lastly, we will see continued focus on graphing, pivoting, and joins of data as enhancements to hunting. Both of which I believe the HELK platform has done a great job at displaying and implementing through Jupyter Notebooks.
As a solution architect, do you think that Sigma can change the way organizations build their cyber defense?
For well over 20 years with Snort rules and over 10 years for YARA rules, the industry has not had a universal advancement like SIGMA. Not only that, but the industry has never had a universal format for logs and telemetry, which is what cyber security is fundamentally built upon! Additionally important, as an enterprise you never want to be married to a single technology. Your analysts/operators should be focusing on implementing detections, not learning your logging solution. Whether today you’re using Elastic, Splunk, or QRadar and a new solution comes along tomorrow, you can rest assured SIGMA will support it.
Regardless of my opinion though, the community has already shown SIGMA will continue to change the way we detect threats. Two of the best open source hunting solutions, HELK and SecurityOnion, have implemented SIGMA and there are tutorials and blogs about SIGMA from enterprise vendors.
How do you decide what rules or other types of threat-detection content should be deployed first?
I think this is best explained with the industry’s foundational truths, a) you can’t protect every asset and b) figure out what is important to your business. Defend what is the most plausible and impacting threat. For example, my experience defending a management network put this truth right into my face. Domain admin was not the most worrisome threat nor was traditional malware. I was facing already privileged users. Was that configuration change or spawn of an abnormal process troubleshooting or the start of malicious intent? With hundreds of these users I had to narrow the scope of what I was defending. Something like the destructiveness or network degradation, environment discovery, reading need to know documents, or malicious configuration changes. Perhaps a more practical example could be if you have any exchange/mail servers to deploy the SIGMA rules that cover process creation or file modifications on these servers.
Which types of cyber threats do you think will pose the greatest risks to organizations in the upcoming year? Any suggestions on how to improve the detection capabilities against such threats?
Web server attacks, abuse of APIs, and cloud solution credential theft/abuse. Regarding web and API attacks, this will continue to mature in SIGMA. It has the ability to share WAF-like rules and process/endpoint rules, coupled with more advanced rules, for example: a single IP causing ten 400/404 web server errors followed by a 500 error from your webserver. This could be indicative of an attacker transitioning from exploring to now successfully attacking that server.
Also, ICS (industrial control systems) will be a continued risk. Despite ICS not being my area of expertise, I already see the possibilities of detection for this industry with the support of Zeek logs in SIGMA. Zeek has analyzers for many of the ICS protocols. As companies deploy Zeek logging and the community writes SIGMA rules for ICS, I think the result is self-explanatory.
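The "ten 400/404 errors followed by a 500 from one IP" rule Nate describes above is the kind of stateful correlation a SIEM evaluates over web server logs. The following is an added example, not code from Nate, SOC Prime, SIGMA or HELK, that implements that detection logic in Python over a few constructed access-log lines. It assumes Apache/Nginx combined log format, a threshold of ten 400/404 responses, and a ten-minute sliding window (the window is an assumption; the interview does not state one).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix of the combined/common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
PROBE_STATUSES = {400, 404}  # the "exploring" phase from the rule description


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


class ProbeThenErrorDetector:
    """Alert when one source IP has >= threshold 400/404 responses inside the window
    and then triggers a 500 from the server."""

    def __init__(self, threshold=10, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.probes = defaultdict(deque)  # ip -> timestamps of recent 400/404 responses

    def observe(self, ev):
        q = self.probes[ev["ip"]]
        # Expire probe timestamps that fell out of the sliding window.
        cutoff = ev["ts"] - self.window
        while q and q[0] < cutoff:
            q.popleft()
        if ev["status"] in PROBE_STATUSES:
            q.append(ev["ts"])
            return None
        if ev["status"] == 500 and len(q) >= self.threshold:
            alert = {"ip": ev["ip"], "probe_count": len(q),
                     "request": ev["request"], "ts": ev["ts"]}
            q.clear()  # one alert per burst; start counting again afterwards
            return alert
        return None


def run(lines, threshold=10, window=timedelta(minutes=10)):
    """Feed log lines through the detector and return the list of alerts."""
    det = ProbeThenErrorDetector(threshold, window)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line (e.g. truncated); skip rather than crash
        alert = det.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


def _mk(ip, ts, req, status):
    return f'{ip} - - [{ts}] "{req}" {status} 512'


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [_mk("203.0.113.5", "10/Mar/2020:13:00:01 +0000", "GET /index.html HTTP/1.1", 200)]
# Ten missing paths from one address within a minute, then a server error: should alert.
for i in range(10):
    SAMPLE_LOG.append(_mk("198.51.100.23", f"10/Mar/2020:13:01:{i * 5:02d} +0000",
                          f"GET /missing-{i} HTTP/1.1", 404))
SAMPLE_LOG.append(_mk("198.51.100.23", "10/Mar/2020:13:03:00 +0000", "POST /upload HTTP/1.1", 500))
# Three 404s then a 500 from another address: below threshold, no alert.
for i in range(3):
    SAMPLE_LOG.append(_mk("203.0.113.5", f"10/Mar/2020:13:04:{i:02d} +0000",
                          "GET /favicon.ico HTTP/1.1", 404))
SAMPLE_LOG.append(_mk("203.0.113.5", "10/Mar/2020:13:05:00 +0000", "GET /report HTTP/1.1", 500))

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['ip']}: {a['probe_count']} 400/404 responses, "
              f"then 500 on {a['request']}")
```

In a SIGMA deployment the same condition would be expressed as a rule and translated to the SIEM's query language; the Python above makes the state the rule needs explicit (per-IP probe timestamps, a window, a reset after alerting), which is what you have to reason about when tuning the threshold and window against your own traffic.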
Which problems do organizations usually face when they try to transition from reactive to proactive cyber defense?
I think what to prioritize and even where to start becomes a challenge for all. Many things I mentioned in question 4 hold very true to this question too. After you figure out your critical assets, there can be a huge hurdle of validating log/telemetry collection and any corresponding analytics/detections. However, combinations of Atomic Red Team testing frameworks, open source datasets (Mordor), and community rules greatly reduce this hurdle.
Nate, what would be your recommendation to young cybersecurity specialists who are just deciding which path to choose?
First, keep track of some of your goals and when you accomplish them. Take as many notes (online) as you can. You will learn so much so fast and will be faced with many difficult things along the way. Therefore, it’s important to remind yourself how far you have come. You will reference the notes your entire career.
From a learning perspective, get on Twitter and follow as many researchers and tech companies as you can. From there, follow and read their blogs and tutorials using an RSS reader. There are a lot of giants in this industry; you can easily be one just by standing on their shoulders. Just make sure to always give credit and don’t forget your humble beginnings.
What do you think: can SOC Prime’s Threat Bounty Program help organizations detect threats more efficiently?
The Threat Bounty Program provides similar benefits to how IDS rulesets are already used in thousands of organizations (i.e. Emerging Threats or Sourcefire rulesets). However, there is a unique benefit of having the ability to use detections from researchers working in various industries around the world. Additionally, researchers writing the content are essentially their own entity/business within SOC Prime’s program. Similar to how Etsy works, the consumers benefit from motivated shops, which would be the researchers in this case.
The previous interview with Thomas Patzke is here: https://socprime.com/en/blog/interview-with-developer-thomas-patzke/