Managed Detection And Response

Interview: How Businesses Can Harness The Human Element Of Threat Detection And Response

John Hammond, Senior Security Researcher at Huntress, discusses the shifting threat landscape, the importance of human intelligence in threat detection and response, and the benefits of being active in the security community.

Expert Insights Interview With John Hammond Of Huntress

John Hammond is a Senior Security Researcher at Huntress, as well as a security educator and content creator. In his role within the Threat Operations team at Huntress, Hammond actively helps prevent and identify threats to business’ environments. Prior to this, Hammond worked as a Department of Defense Cyber Training Academy instructor, where he educated learners on the adversarial mindset and offensive scripting languages.

Hammond also hosts a YouTube channel, where he posts educational videos including programming tutorials and capture the flag walkthroughs. He regularly speaks at security conferences, and is a top influencer in the cybersecurity space.

At RSAC 2022, we spoke to Hammond to discuss the shifting threat landscape and how MDR tools can help organizations navigate it, the importance of human intelligence in threat detection and response, and the benefits of being active within the cybersecurity community.  

Could you give us an introduction to Huntress, your key use cases, and what sets you apart from your competitors in the MDR space?

Sure thing. So, Huntress is a managed threat detection platform. It works on the endpoint, so we have an agent that takes a lay of the land and understands what each machine is and what that device looks like. It looks specifically at how threat actors and attackers will maintain access, as well as what the hooks, claws, and implants are that they have in place, so that once they’ve gained initial access and start to own the device, they don’t have to send the same phishing email or exploit the same vulnerability. The hackers want to have their backdoor.

Traditionally, Huntress has sought out and found those persistence mechanisms so we can get the intruders out and make them go away. But we’ve expanded that so much more now into the Huntress managed security platform. We’re looking for External Reconnaissance, and we’re looking for ransomware, using Ransomware Canaries as a sort of tripwire. So, traditionally, we have been in that detection category, but we have also moved into the prevention side of things. We have Managed Antivirus, where we take the Windows Defender antivirus solution that’s freely available for every Windows device, and we super tune it and make sure it’s tightened up to have the best configuration settings possible. With that, we can configure and handle alerts from the host-based antivirus across an entire organization, even in multi-tenant environments. We have a lot of other cool stuff on the roadmap that we can dive into, but that’s a general overview. 

In recent years, with the increased adoption of cloud technologies, hybrid working and BYOD, we’ve seen a huge expansion of the enterprise attack surface. Could you tell us about some of the most common threats that your customers are experiencing?

In the new modern world we’re living in now—obviously, the pandemic is a thing—we’ve taken away the walls. We used to say, “Hey, if you’re behind the castle walls for the corporate office environment, you’ve got the moat surrounding you, and between you and the firewall are further protections for the company.”

Now, there’s no perimeter. You’ve got to bring your own devices. You’ve got your own laptop, you’ve got your own cell phone that you might be doing your work from, and maybe you’re using a VPN for cloud services. Then hey, you might even have to hop back to the office. 

I think that has just spread out the security problem in a different way. We still have the same issues. We’re still working against access controls, password policies, configuration management, and now we’ve just now put all those problems in different places. So now we have more to manage, more to be aware of and more to be cognizant of. And I think that’s the new task and responsibility for us. We have to expand.

How can Huntress help organizations protect themselves against these types of threats?

I think what Huntress can offer is the ability to provide peace of mind. Without wanting to use too many marketing buzzwords, we have managed services so that you can get back to your business, you can get back to your job and get back to what you need to do to keep operations moving. Whether that’s in the cloud, across your endpoints and devices that you host externally, or even just understanding the attack surface between all the different devices that you manage. 

One thing that really sets Huntress apart is our emphasis on humans. Having people is part of the equation. It’s nice to have automation. It’s nice to trust the machine to detect things. But sometimes it misses. Real people like you and I, we have the context. We know what’s good, bad, and ugly. And that’s how we can further enrich and know more about the threats and the malware that’s targeting our partners. And we can find all the other hooks and implants that the automated solution might just not even notice.

I’d like to focus on that human element, because I’ve been hearing some discourse here at RSAC about whether organizations should be upskilling and cross-training their employees, or outsourcing that talent. You offer a managed service, so what are some of the benefits of that, and where does cross-training fit in that picture?

There’s a lot to unpack here. I come from a training background initially. Before Huntress, I was with the Department of Defense Cyber Training Academy, teaching and instructing. I also have a YouTube channel where I post educational cybersecurity videos. I’ve always been a proponent of, “Hey, you have to be self-reliant and upskill and learn and have internal training so that you can be a strong security professional.” 

With that said, I know there’s an extreme emphasis on talent shortage, retention, and all this—I gave a panel on that this week. It’s a hard reality for businesses, especially the small and mid-market businesses that don’t have the time, the personnel, the money or the resources, and that I think is where managed solutions can really come into play to ease that. I strongly advocate to rally the troops and learn as much as you can, because you need to be in this fight with us. But first and foremost, we’re here to help.

As well as offering automated threat detection, Huntress enables organizations to utilize a team of human threat hunters. Why is it important for organizations to combine human and artificial intelligence when it comes to stopping today’s advanced cyberthreats?

I think we can totally dance with that one. In the security industry and community, there’s a huge conversation around alert fatigue, false positives, and other mishaps with detection, configuration and tuning on top of that. Alert fatigue is real, without a doubt. It’s a huge problem. But with human input, we can say that out of 12 dozen alerts, we can compress this down into one or two that might be grouped in a proper way.

When we get to false positives—which is another reality—when we bring humans into the mix, we can have more of an understanding. I would go as far to say there’s no such thing as false positives; that is what your machine, your automated solution, was tuned to alert on. We just need to fix that; we need to configure it in the right way. And that’s again where human expertise comes in. 

The very last thing that I know is, we talk so much about false positives, but the much more sinister thing is a false negative. When there is a real threat, there is an adversary, and now they’re lurking in the environment. And you don’t know it because your crutch—the dashboard that you were just leaning your feet on, relaxing, and waiting for it to sound the alarms—it didn’t, and you’re oblivious to it. So, people need to be hunting and go beyond the dashboard.

Finally, what is your advice to organizations looking to improve their resilience against the emerging and zero-day threats they’re currently facing?

If I could give advice to pretty much anyone in the industry, it would be, “Be with it.” Know what the new threats are. Keep up to date with headlines, whether it’s some vulnerability or potential threat, or even just cool products hitting the market. I would encourage folks to just be in the know and be a part of the community, because it’s such an active thing.

I love coming to events like this—RSA, DEFCON, Black Hat—because it’s like a family reunion. This is the cybersecurity industry coming together to collaborate, brainstorm, and say, “Sure, this is what we were working with yesterday and today. But what are we gonna do about tomorrow?”

And I would just advocate for everyone to be part of that.


Thank you to John Hammond for taking part in this interview. You can find out more about Huntress’ MDR platform via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.