Lawrence Munro, worldwide vice president of Trustwave SpiderLabs, on active threat hunting and what it takes to become a red teamer

Could you provide a brief history of Trustwave SpiderLabs and outline your role?

Lawrence Munro: SpiderLabs was founded as a division of Trustwave in 2005. Our operations can be split into three parts: the digital forensics and incident response team; penetration testing and red teaming; and the research team.

The piece that I oversee is the red teaming and pen testing side. This includes all the offensive stuff [such as] attack simulations and hacking.

We have, in SpiderLabs, around 250 people in total, based across 12 different countries. Our main hubs are in the US, UK, Poland, Israel, the Philippines, Australia, and Singapore.

What were the main drivers behind the creation of the division?

LM: There were two reasons. Firstly, there was a requirement in PCI for penetration testing. At the time, Trustwave was a largely PCI DSS-oriented [the payment card industry security standard] organization.

Secondly, much of the research we do at SpiderLabs helps power a lot of Trustwave’s products and services. Our internal threat database runs through everything we do. We look at what’s happening, we analyze malware, and do reverse engineering. This all feeds into the red teaming, the pen testing, the incident response forensics, and our managed security services.

Over recent months, SpiderLabs has produced research covering everything from ATM scams and healthcare data breaches to VPN client vulnerabilities. How do you go about prioritizing your research?

LM: It depends. Our research team covers a lot of areas, but there are some consistent themes that we’ll always deal with. Historically, we’ve always had a very large presence in financial services and retail, so we tend to have a bias slightly towards those areas. For example, back in 2013 we discovered the Ploutus malware, which was the first malware [that affected] ATMs.

Part of the research process also involves looking at our client base and the skill sets we have. We also look at our threat intelligence and any interesting new areas that are on the horizon. And to be honest, we also look at what our competitors are doing. If other [research units] are hyper-focused on a particular area – or if research in a particular area is saturated – then we may decide to investigate other areas.

The questions that drive our research are: ‘What’s happening? Should we be looking at that in more depth? What do our clients want? Where’s the industry going?’

Last year, Trustwave launched a proactive threat hunting service for governments. How important is it for public sector organizations to adopt an active security stance?

LM: I think it’s very important. Things like threat hunting and managed detection and response are critical for organizations to get ahead of the curve.

There’s a whole life cycle around this of being able to conduct assessments and actively finding where the risky areas are in your business.

Our 2018 Global Security Report has some useful statistics on this. We found that if organizations are notified of a breach by a third party, then threat actors tend to have been in [their systems] for at least 80 days.

If they discover it themselves, it’s normally because they have good practices and have done good threat hunting in order to find it. By doing this, you can reduce the time – and therefore the impact – of hackers being in your organization.

Is it possible for smaller enterprises or start-ups to adopt a proactive security stance, or is this only something that larger organizations can implement?

LM: If you look at the [infosec] space now, I would say it is primarily enterprises that are focused on proactive threat hunting, rather than small organizations. I wouldn’t say that there were cost barriers, because although large organizations might have a lot more money, they have a much larger estate.

Smaller organizations, especially start-ups, put a lot in the cloud. They probably have hybrid architecture, newer kit, and fewer [web-facing] assets, so they actually know where they all are. Really large organizations might not know where all the laptops are, or all the websites that they built 10 years ago that are still online with interesting data.

For smaller organizations, the asset inventory that you need to do as a precursor to threat hunting is much smaller. Normally, however, start-ups don’t think about security.

What advice could you offer to anyone with aspirations to become a security researcher?

LM: I think the main thing is that attitude is more important than your current skill set. It’s important to be autodidactic and self-motivated in your learning, and to approach your work with a very open mindset.

When you do security research, or any kind of hacking, the mistake people make is they want to learn how to hack. They say: ‘Teach me how to hack’. We say: ‘What do you know about how these things work?’

You have to understand how enterprise security architecture works before you can hack it at a very low level. Learn the tech before you try and jump ahead and do all the hacking, because that’s how it works.