[TRANSCRIPT] Threat hunting in the age of work-from-home

Casey Ellis, the founder, chairman and CTO of Bugcrowd, told SC Media Senior Reporter Joe Uchill that there’s always going to be corporate infrastructure that provides information for a threat hunter, such as VPN, antivirus, and endpoint detection and response.

[TRANSCRIPT] Threat hunting in the age of work-from-home

Joe Uchill:
How do you run a program where you aren't anywhere near what you're looking at? I mean, how do you run a program where you don't even own the infrastructure you're-

Casey Ellis:
Yeah, no, for sure. Well, it really does come back to the infrastructure that you do own, from a technical standpoint. Like if you've got people working from home, at the very least you own the VPN connection into your organization. So that's a potential source of information, a potential source of logs that you can go back and kind of splunk through, from a threat hunting standpoint.

Casey Ellis:
If you've got standardized imaging and you've got different things that are reporting from a telemetry standpoint, like antivirus and [EDR 00:00:58], and all that kind of stuff on your end points, just thinking about that through the lens of it basically being in the equivalent of a hotel, or an airport, or a cafe the entire time, I think, in terms of like digital transformation was security triggered by the pandemic, we did a whole bunch of stuff really, really quickly because we had to, and speed as the natural enemy of security, because you end up just optimizing for availability, and not thinking about everything else. So starting at that point and thinking through what kind of assumptions in our risk model that we now have, did we miss through that process of just figuring out how to all work from home, and then what can we use that's already available, to your point? Because there is always going to be existing infrastructure, I think, to some degree, it's just a matter of being able to identify it and use it.

Casey Ellis:
And then beyond that, kind of what I was saying before about the threat model of a cafe or a hotel, I treat my home network... I don't trust my family, from a corporate IT standpoint in the home. And I think they're awesome, right? It's not about that, it's not a personal thing, but from a targeting perspective, the adversary can figure out who they are, and probably assume that their level of personal defense is lower than mine, and actually use that as a pivot point to try to get to me. And I think the same is true for basically everyone who's working from home is a target of interest at this point, and it's really an extension of the corporate network, so.