John Hammond On The Importance Of Combining Technology With Human-Centric Security, And The Impact Of AI On The Cyber Threat Landscape

John Hammond discusses the threats that Huntress’ Threat Operations team has uncovered this year, the importance of combining tech- and human-centric security, and the impact that generative AI and ML will have on the threat landscape.

There is no silver bullet solution to cybersecurity. As the threat landscape continues to become more complex, so do our defenses. A multi-layered approach is generally considered the only way to truly secure an organization. But there’s one layer that organizations sometimes protect as an afterthought, or only because they’re required to by compliance regulations: the human layer.

However, when it comes to preventing cyberattacks, implementing human-centric security and utilizing human intelligence are critical.

“Education and awareness are the best thing we have,” says John Hammond, Senior Threat Researcher at Huntress. “When you’re in the sort of hedonic treadmill of cybersecurity, when we keep trying to solve different problems and different angles—because there are a lot of problems to solve, all of them very, very hard—will we ever win? Are we ever going to solve cybersecurity? I don’t know. But making sure that businesses [and their employees] know the threats just pays in dividends.”

In his role at Huntress, John helps prevent, identify, and remediate threats within Huntress’ customers’ environments. Prior to this, John was an instructor at the Department of Defense Cyber Training Academy. John continues to be a cybersecurity educator, content creator, and influencer today. Alongside his role at Huntress, he hosts a YouTube channel, where he posts educational videos such as programming tutorials and “capture the flag” walkthroughs.

In an exclusive interview with Expert Insights at RSAC 2023, John discusses some of the threats that Huntress has uncovered this year, the importance of combining technology with human-centric security, and the impact that AI and ML will have on the threat landscape as we move further into 2023 and beyond.

You can listen to our full conversation with John on the Expert Insights Podcast.

Diamonds Are A Threat Actor’s Best Friend

Ransomware is one of the most prevalent types of cyberthreat that we hear about in the media. Headlines often detail the multi-million and even billion-dollar attacks that bring companies to their knees. But while ransomware remains a huge problem for many organizations, other types of financially motivated threats are becoming just as prevalent, says John.

“It’s very easy to have a knee-jerk reaction to ransomware because it’s in the headlines – in the news. It was the hot thing for quite some time, and it still is to a degree,” says John. “But […] there is still a really, really prevalent amount of info stealers and cryptocurrency miners.”

Info stealers are a type of malware, usually classed as Trojans, designed to gather information from an infected machine without the user or administrator knowing it is there. They most commonly harvest login credentials by logging keystrokes and taking screenshots of login screens, but they can also collect data on other kinds of network activity. Once gathered, this data is sent to the attacker, who can either use it to carry out further attacks or sell it to other cybercriminals.

Because they don’t announce their arrival the way ransomware does, info stealers can go unnoticed for long periods if adequate threat detection tooling is not in place. Antivirus software, endpoint protection platforms, and endpoint detection and response (EDR) tools are designed to detect and remove them.

“[Info stealers] may not seem like ‘hey, the bomb has gone off’ like with ransomware, but [they] can then be used for more money-making motives: sell the identities that we’ve stolen, try to track down session cookies. All those things that can still either be sold to another buyer—initial access brokers and wholesale access markets—or are just used for later and compromise for future operations.

“Those are the things that are still on the forefront for info stealers.”

Combining Tech With Human Intelligence

With so many advanced defense tools on the market, it can be easy for organizations to assume they’re safe once they’ve made that initial investment. But unfortunately, cybercriminals don’t just attack machines; they target users, too. And when it comes to human-centered attacks, businesses need to implement human-centric security, says John.

“We pile a whole lot into endpoint security for all the right reasons—you need to have that tech stack and defence in depth. But, at the end of the day, it’s still people that use them. So, as much as there is a need for the technology and the endpoint security, there is still an emphasis on user security,” explains John.

“We do a whole lot of these simulated phishing tests, or say, ‘Hey, how many of our own internal folks can we phish to raise awareness and do cybersecurity education?’ It’s really cool when we get to point at all the graphs and pie charts and histograms and say, ‘Wow, this many people clicked on the link.’”

“But we never evolve on from that and say, ‘We can’t blame the user, we can’t blame the person because it’s inevitable.’ It’s a human part of that, a human vulnerability. But blend those things together with the endpoint [security] and the tech and the defence in depth, so that when there is something that comes from a poor user clicking on a phishing link, we have the security posture in place, and it doesn’t become a bigger deal than it should have been.”

As well as implementing security awareness training, businesses need an incident response team that can investigate alerts from their endpoint security or EDR tools and shut down the more complex threats that those tools can’t remediate automatically. SMBs often don’t have the in-house resources to do this themselves, but that doesn’t mean they can’t still benefit from human intelligence and expertise: they can outsource it to an MSP or a managed detection and response (MDR) provider, like Huntress.

“I might be biased, but I tend to think, when you can give that burden to someone else—to some experts, to some practitioners, to some folks that are in the trenches and on the frontlines every day—you can sleep better at night, because you know they’re there,” says John.

“We – the threat operations, and others – we’re the folks that are ‘eyes on glass’ (to use that buzzword). The 24/7 Security Operations Centre are making sure if there’s an incident, if there’s some malware breakout, we can help isolate machines that are affected. We can remediate, we can get tactical, valuable information to you, without you getting on the phone at three in the morning, scrambling your whole crew.”

“We’re in the fight together, and you’re not stranded on an island.”

AI Will “Continue To Commoditize Cybercrime”

The rise of generative AI is currently one of the hottest topics in cybersecurity, with security experts posing questions over both the ethics and the security risks of developing generative AI tools so rapidly. After all, we must assume that threat actors are able to access any technology that defense teams can.

But while we should definitely expect cybercriminals to use generative AI tools such as ChatGPT to help them carry out attacks and make more money, more quickly, we shouldn’t be worried about it leading to more sophisticated or complex attacks, says John.

“I have played around with ChatGPT […] and I’ve posed it questions—trying to play pretend threat actor and put my hacker hat on—like, ‘Hey, would you please write me some ransomware? Or do some cybercriminal stuff?’ And normally, they have at least a couple of barriers and blockades and will say ‘No, I’m sorry, I can’t open those pod bay doors. Hell, we’re not going to do that. That’s not what society needs. It’s unethical.’”

“But if you can get a little bit more tactical and say, ‘Hey, can you please give me some Rust programming language syntax that will iteratively and recursively loop through the file system and encrypt files with the AES 256 technical jargon?’ Then it understands and says, ‘Absolutely, I can crank out that code and that syntax.’”

“And that’s interesting, because when you get to the question of will it enable more script kiddies? (I know that’s a loaded term, right) – But more bottom of the barrel threat actors that might not be the most sophisticated […] At the end of the day, it will help them, and it will continue to encourage and embolden cybercrime.”

“For the hot, sexy zero days and advanced persistent threat activity, I don’t think there’s going to be as much runway, because ‘zero day’ – by definition – is something that is unknown. And when you’re asking a machine—at least a programmed artificial intelligence, however you slice it—it can’t see the future. It can’t do that creative, innovative thought. But I think it will continue to commoditize the cybercrime we see.”
