Threat Detection Bounty Programs

What is a Threat Detection Bounty Program (TDBP)?

In its simplest form it is the meeting of an organisation, with its goal of identifying threats as effectively and efficiently as possible, and threat detection experts capable of delivering on that goal.

It is a complete rethink of how cyber threat detection is delivered to organisations, given the practical limits of implementing it and of sustaining a scalable and reliable security outcome over the long run.

This is what a Threat Detection Bounty Program aims to address.

It enables organisations to focus on the threat detection outcomes themselves rather than on the challenges of implementing the supporting elements those outcomes require.

Imagine getting the same business outcome for threat detection as you have been able to get from Bug Bounty Programs. That is the goal of Threat Detection Bounty Programs (TDBPs).

How is this different/similar to a traditional Bug Bounty Program?

Bug Bounty Programs need an internet connection, a CRM, and a method of validating submissions and paying the submitters of vulnerability findings.

Threat Detection Bounty Programs need telemetry log data, a CRM, and a method of paying the submitters of findings.

As you can imagine, building a platform that can scale from 1Gb a day to multiple Petabytes per day, and that also performs the critical log anonymisation function, is a rather complex and large undertaking.
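The anonymisation step mentioned above is what allows telemetry to be shared with outside participants without exposing raw identifiers. The following is an added illustration in Python, not code from this post or from the Bluehat Platform: it applies keyed pseudonymisation so that the same user or address always maps to the same token (analysts can still correlate events across lines) and preserves whether an address was internal or external (detection logic that depends on that distinction still works). The sample log lines, field names and key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample telemetry lines for this example (not from the post).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=fs01 user=alice src=10.1.2.3 event=logon result=success",
    "2024-05-01T10:00:07Z host=fs01 user=alice src=10.1.2.3 event=share_access share=C$",
    "2024-05-01T10:01:00Z host=fs01 user=bob src=93.184.216.34 event=logon result=failure",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\buser=(\S+)")


def pseudonym(key: bytes, kind: str, value: str, length: int = 12) -> str:
    """Deterministic keyed token: the same input always yields the same token,
    but the token cannot be reversed without the per-tenant key."""
    digest = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{kind}-{digest[:length]}"


def anonymise_ip(key: bytes, ip: str) -> str:
    """Hide the address but keep whether it was internal (RFC 1918 etc.) or
    external, since many detections hinge on that distinction."""
    try:
        scope = "int" if ipaddress.ip_address(ip).is_private else "ext"
    except ValueError:  # not a valid address; treat the text as opaque
        return pseudonym(key, "ip", ip)
    return pseudonym(key, f"ip-{scope}", ip)


def anonymise_line(key: bytes, line: str) -> str:
    """Pseudonymise user names and IPv4 addresses in a single log line."""
    line = USER_RE.sub(lambda m: "user=" + pseudonym(key, "user", m.group(1)), line)
    return IPV4_RE.sub(lambda m: anonymise_ip(key, m.group(0)), line)


def anonymise_logs(key: bytes, lines):
    """Apply anonymise_line to every line, preserving order and field layout."""
    return [anonymise_line(key, line) for line in lines]


if __name__ == "__main__":
    key = b"constructed-per-tenant-secret"  # placeholder; the real key never leaves the organisation
    for out in anonymise_logs(key, SAMPLE_LOGS):
        print(out)
```

Fields other than user names and addresses (timestamps, event types, share names) are left untouched, which is what lets a participant's detection rules still fire on the anonymised stream.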

What about SIEM or MXDR/MSSPs?

They all suffer the same challenges outlined in the “What is a Threat Detection Bounty Program” section.

Many an organisation over the years has built amazing security teams and implemented technology in unique ways, only for the fullness of time to erode that functionality, detection capability and those outcomes due to a multitude of people and business factors (people change jobs, vendors get acquired, etc.).

Imagine still having access to those key people you worked with in the past, but on a more fractional, specific basis, where they keep their current employment yet are rewarded for their passion for threat detection and hunting in your organisation. Sounds compelling, doesn’t it?

TDBPs aim to address the zero-sum game of talent in the industry in much the same way that traditional bug bounty programs have.

Benefits of a Threat Detection Bounty Program?

To put it simply, companies can benefit in the following ways:

Save money by paying only when threats are identified.

In much the same way that bug bounty programs reward findings, a TDBP rewards threat coverage and the findings that result from them.

Expand coverage through access to an army of experts.

Gain access to experts of their given area of focus.

Instead of maintaining a LARGE ruleset and all the associated false positives that come with it, successful Bluehatters focus on specific threats, build highly targeted rulesets and have these run across an ecosystem of companies (getting paid when issues are identified).

Maintain control over your data and security outcomes.

Using explicit control criteria on WHO can participate in your threat detection campaigns, as well as knowing WHO the participants are (as opposed to any normal MSSP/outsourcer).

Control also comes through the definition of your threat detection coverage goals and the rewards you set.

Reduce complexity of your threat detection capability.

Now the barrier to entry is telemetry forwarding.

Not

  • Buying/building/maintaining a SIEM

  • Staffing an engineering team to run and maintain it

  • Staffing a threat detection/intel/hunting team to USE it.

Evolution of Threat Detection Bounty Programs — Value of a finding?

Once upon a time nobody knew what value to associate with a SQL Injection (SQLi) or a Remote Code Execution (RCE).

This is a very exciting prospect. At the time of writing we are 9 months live with several clients and hundreds of analysts, and the current range for a threat finding starts at $100 and goes up to $1,500.

We expect these to change over time, much as occurred over the past decade for bug bounty programs.

Once upon a time an RCE in a popular video conferencing product would have gotten you a t-shirt and a thank-you note. Recently one was rewarded $250k. I look forward to a future where similar payments are made for detecting APTs in critical infrastructure environments!

What types of threats have been found to date?

At the time of publication Threat Detection Bounty Programs, through the Bluehat Platform, have been serving a handful of customers with a rather illuminating (pun intended) set of results.

We have had everything ranging from innocuous (yet horribly suspicious looking) admin activity on one end of the spectrum, through malware and phishing communications, to some very nasty “Hands on Keyboard” adversary activity identified where existing EDR tooling failed.

Alert Bombs? False Positives? Spray and Pray submissions?

Each participant is rated on their activity and the submissions they provide. It is quite simple: provide quality, well-documented security finding submissions and your score increases; submit poor quality findings and/or false positives and the score goes down.

The score directly determines eligibility to be scoped in for more advanced/restricted campaigns, and is thus one of the mechanisms that helps prioritise accuracy.

Threat Detection participants that attempt to “Find all the Things” will not be as successful as the ones that specialise, as the specialists will:

a) be faster to submit a finding;

b) be more accurate in their submission; and

c) be more complete in the story (finding) they tell.

Who are the participants in these bounty programs?

To date we have had several hundred folks join the community.

The skillsets and experience have ranged from people starting their careers through to principal leads and directors at some of the largest companies and MXDR/MSSP providers in the market today.

Their goals and motivations are the same ones that led them to the jobs they do today, much as bug bounty participants bring their expertise to others through the programs of Bugcrowd and HackerOne.

The same is now possible for the members that participate in the Bluehat Platform and the Threat Detection Bounty Programs that it supports.

What are the rewards for Bluehatters?

Today we break this down into two key areas:

  1. Financial

  2. Reputational

While the financial reward is obvious, the reputational aspect and the impact it will have on the wider blue team industry are very interesting.

If you are a SOC manager looking to staff a team today, you have to check what courses and certifications the applicants hold. If you are a pen-test/red-team manager you simply ask for their hacker rank, which demonstrates actual outcomes.

SOC managers can now ask for a candidate’s Bluehat rank and/or score to demonstrate their actual experience and expertise in identifying threats in log data. (Pretty cool if you ask me :))

Tips for a successful Threat Detection Bounty Program

Use the Bluehat Platform from www.illuminatesecurity.com :)

It is the most mature, capable and thought through approach to this new way of solving an old problem.

For more information check out https://www.illuminatesecurity.com/bluehat-platform

Thank you for reading!
