Monthly Archives

November 2018

Threat Hunting, TTPs, Indicators, and MITRE ATT&CK – Bingo

November 25, 2018

This blog is a continuation of a fantastic discussion with Richard Bejtlich. He responded to a question online, I blogged about it here and then he responded here and in response to another question I posed here. In this blog I’ll reply to his replies. The main point of this blog to me though is not to debate but to document my own experiences and look briefly at the evolution of terms and schools of thought as it applies to our cybersecurity field (the term cybersecurity vs. infosec is actually a great example of a term that has evolved yet to many still have two very different meanings and to some are interchangeable).

TL;DR Version: Richard and I seem to disagree on what an indicator is (reasonably so as his definition of one is perfectly supportable I just have a different view based on different experiences) which I didn’t previously realize was impacting how both of us viewed threat hunting. In doing so it seems that we’ve both come up under different “schools of thought” and therefore “hunting” can be leveraged in many different ways but you should strive to document and put structure to it if possible to really get the most value out of it.

Historical Context Matters But We Shouldn’t be Bound To It

In Richard’s blog he masterfully brings in some historical context of hunting’s origins (which few people really bring in history in a way Richard does but more should), or at least what was first documented (much which was done by him), in reference to the U.S. Air Force and National Security Agency. He also masterfully gives credit (another thing we should all strive more to do) to folks like Tony Sager and where his journey took him from the Air Force CERT to GE-CIRT where his use of the term was solidified even more with the wonderful analysts he cites.

What hunting was in the U.S. Air Force in the mid 2000’s and what it was at GE-CIRT shortly after doesn’t have to define the term for the rest of the field. It’s an amazing contribution, but not definitive. I think that’s, on face value, a frustrating topic. If I was at the GE-CIRT as an example and I really fleshed out a term my natural reaction would be to push against people using it differently (Richard is not doing that, I’m making a different point) but in reality terms, use-cases, and our field’s knowledge in general is constantly growing. There’s actually a logical fallacy called Appeal to Tradition which essentially states that something is what it is because it’s always been that way. But what’s interesting here is “hunting” was something numerous groups did. None documented or arguably had as much impact as the folks like Tony Sager, Richard, NSA VAO, AF-CERT, and the GE-CIRT but the experience is not less valid.

As an example, in my own experience in the National Security Agency one of my jobs was the Discovery Lead for one of the NSA Threat Operations Centers (NTOC) (would have been close proximity to Tony’s group but operating independently). Prior to this I had no knowledge of the term “hunting” and was not exposed to the schools of thought that were being developed at GE-CIRT or, interestingly enough, the use of the term and practice that Tony Sager and VAO were pursuing. I was part of a small team that established a new NTOC office at a field site and we were tasked with finding the “unknown unknowns”. This was admittedly very vague guidance but it was explained to us that the role of our NTOC office was explicitly finding the cyber threats that weren’t already documented and being tracked. Find what’s evading our insight to reveal collection gaps. We called this “Discovery” which, on a day-to-day basis, became known as “hunting.” The line between hunting and cyber threat intelligence though were very blurred for us because of our requirements; I would note that hunting was one way we went about satisfying our cyber threat intelligence requirements by identifying previously unknown intrusions (hunting) that we would then analyze (CTI). What we effectively were doing was taking an intelligence requirement, collecting against it through hunting, analyzing the intrusions we observed, producing insights, and distributing it to others as blogs, defensive mitigations and new detections, and reports. We used models such as the newly developed Diamond Model (previous to the paper’s publication) under the tutelage of Sergio Caltagirone and if I remember correctly we were the first team or one of the first to do so outside of his where he, Andrew Pendergast, and Chris Betz created the model. The interesting thing to the discussion here is that “hunting” was something that developed for my team without, to my knowledge, external prompt although I imagine there was cross-pollination from Sergio, Andrew, and Chris with the various teams they interacted with. For us, Discovery and our use of the term “hunting” was always about “finding new threats” but the main value in doing that was in identifying new defensive recommendations and gaps in collection even though we also found plenty of new threats to track. (For anyone curious I ended up choosing industrial control systems as the focus for my Discovery team since the collection would be so different and thus maybe the threats would be to; it turns out they were. This was a defining moment for me in ICS cyber security and a lot of what I had to develop in knowledge there at the NTOC helped in my journey and greatly inspired my work today at Dragos). Interestingly though one of the ways we found new threats was in the application of adversary tactics, techniques, and procedures as analytics/patterns instead of specific indicators. This aspect seems to distance Richard and I further which I’ll cover in the next section. But to close out the topic on the value you get out of hunting…

Richard acknowledges that you can identify visibility and resistance gaps as part of hunting, but it’s not the reason to go hunting.

 

In response to that I would say it may not be the reason that he and others hunt but it was always the reason my team hunted early in my career and it shaped how I view hunting now. His school of thought is simply different. I would also wonder aloud if a term needs to change when the actions are the exact same but the value propositions you’re aiming for are numbered differently. If you do exactly the same things and use exactly the same approach but you hope to find threats instead of collection gaps should you rename your effort? I’m not sure on that yet but my initial thoughts would say no. The “school of thought” for hunting and how to achieve it was very specific for Richard and me; I assume there are others in other organizations and parts of the world who have similar experiences that make their schools of thought much different. Richard and I are obviously both heavily influenced by a U.S. Department of Defense flavoring. I’d be interested if anyone else had their own journeys to document around the same time period.

We Were Bound To Disagree

It is clear that Richard and I disagree on the term hunting and how it’s used but the important part is why we disagree. I actually have no issues whatsoever with how Richard is defining the term and its background for his uses; his experiences are unique and many including myself have benefited from them. I don’t think there is a right or wrong to this discussion, just a friendly exploration to flesh out the topic for ourselves (or at least mine) and others. If we go back to the original points though it was clear Richard and I were bound to disagree and I didn’t see it initially.

I referenced but then moved past a point early in my other blog that Richard referred to all threat detection falling into two categories of either “matching” or “hunting”. I thought it was an interesting discussion which I slightly disagreed with but hurried past to get to the core debate. I noted that everything is “Matching” or “Unknowns” but not that hunting is contained in one or the other; it can be across both. If you are matching indicators you are not hunting in my opinion which I think Richard would agree with. If you are matching adversary behaviors though you might be depending on how you’re doing it (if the behavior is already a defined detection then no, but if it’s a pattern you’re searching out to find new activity that isn’t defined, then yes). When in fact, that was my error and in reality the disagreement is rooted there. A subtle but important point because I didn’t realize (although to his credit he’s definitely written on it before) that Richard considers adversary TTPs to be a sub-class of indicators of compromise (IOCs). I asked him that question after his first blog and he was kind enough to answer it here.

Again, Richard is great to identify and credit influential folks such as David Bianco and Chris Sanders, both who I consider friends and have written things that have definitely helped me further my thoughts too. He references David’s Pyramid of Pain (an extremely useful model by the way) where it very clearly calls out TTPs as a type of Indicator. I’m going to disagree again, surprise surprise, but this is where everything “came together” for me in that the disagreement is in the evolution of terms and schools of thought and nothing more. David’s use of the term indicator is mostly in keeping with another foundational work by Eric Hutchins, Mike Cloppert, and Rohan Amin titled Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill ChainsYes the kill chain paper. Here they define out indicators to be atomic, computer, or behavioral. Behavioral indicators here are defined as those indicators that are made up of atomic and computer indicators to describe adversary activity, the example given in the paper is “the intruder would initially used a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address] and then replace it with one matching the MD5 hash [value] once access was established.” Where David’s use of the term seems to be in disagreement is “behavioral” which on its face would speak to TTPs but in reality TTPs can be described and leveraged now without any atomic or computed indicators to accompany them. My second point in the next paragraph will dive deeper into that.

Why is this such an important point to this discussion? For two main reasons.

  • First, terms and schools of thought evolve. “Indicator” today is almost exclusively associated with indicator feeds and the atomic and computed form of indicators. Some still use behavioral indicators and talk about them quite a bit to great value. But for the majority of the industry if you say “indicator” they’ve come to learn about them, use them, and see value propositions defined by atomic and computed values. Security professionals using indicator that way or not wrong. We even see another “school of thought” coming up which is based around MITRE’s ATT&CK; quite a few of their use-cases would fit nicely into mine by using ATT&CK as one framework for guiding threat hunts. In one of their papers they specifically note the focus on tactics and techniques (TT in the TTP) for them is important to go beyond “traditional indicators of compromise.” Here it would seem they are not using TTPs as a form of IOC either.
  • Second, what you can to do today for detection was not necessarily possible for most teams as little as a decade ago. The cybersecurity community has evolved quickly made many more advancements than we often credit ourselves. One such advancement is in the form of analytics. Analytics are effectively questions you ask of the data. Analytics have been around a long time in many forms but with the advancement of the community and of computing power we can now use analytics in more large scale ways and in a distributed fashion at scale (run the analytics at the edge where the data exists instead of pulling all the data back and then running analytics across it). One type of analytic, that I wrote about and referenced in the last blog when I mentioned the four types of detection paper, are threat analytics. Threat analytics effectively are adversary behaviors, i.e. TTPs or tradecraft (different things by the way). But they are not behavioral indicators in the way Hutchins, Cloppert, and Amin identified them. They don’t include any atomic or computed indicators; post detection there will be indicators but you don’t define the indicators ahead of the detection. The entire analytic might say “alert any time a file is dropped to a system, opens up a network port, generates network traffic to an external IP address, and then downloads an additional file once communications are established”. This analytic would get to the example given in the kill chain paper but without knowing the hash or IP address of the backdoor or anything about the adversary leveraging the behavior. This is done through an analytics engine now which have been around for awhile but are more common and accessible than ever before. When the analytic is defined it is “matching” to Richard’s point. But when I’m leveraging the TTP or tradecraft outside of the analytic to go search for and find new threats (numerous threats can leverage identical TTPs, so you’re searching for “unknown” threats using “known” tradecraft) I’m not matching any indicators and instead am using an intelligence-driven hypothesis to identify new threats. That’s EXACTLY what we did at the NTOC site I was at and we called that hunting.

As an aside, I think my second point is even how Richard is doing  his hunting to some degree because in his blog he gives an example that you could tell an analyst to go look go HTTP user agents as they are being leveraged by the adversary for malicious network communications but not tell them what user agents to look for, that at a high level is a tactic of the adversary which would classify as a component of a TTP and not be an indicator. It is not some anomaly that is occurring to filter through but a hypothesis generated from some insight the defender had such as seeing adversaries do it before (intelligence-driven) or based on their own expertise in how the protocol should work (domain expertise). I don’t want to argue points for Richard though so maybe I’m not interpreting it correctly but I think if we spent more time (preferably over beer) on this we’d probably root out more commonalities in approaches.

All of that long winded way of saying: Richard and I fundamentally seem to disagree on what an indicator is which is having a flow down effect I didn’t previously realize to how we view and define threat hunting. We would still end up debating back and forth on the ordering of the value propositions but both agree that the value propositions all exist (find threats, identify gaps, develop new detections, etc.) which is another reason everyone should be hunting regardless of how you order the value you get out of it.

This has been fantastic. I have thoroughly enjoyed this back and forth, and thank you again Richard for being such a gracious person to explore it all with me while challenging me to document my experiences in this blog.

Hunting vs. Incident Response vs. Just Doing Your Job

November 22, 2018

One of the things that motivates me to write is either being really pissed off or finding someone I really respect and having a different opinion. This blog is about the latter. Richard Bejtlich tweeted (oh the horror) that to him, hunting is just another form of detection. Now his real argument is of course more nuanced and well thought out but for the purpose of my blog and putting forth my view I’ll try to make his as simplistic as possible.

 

Now in reality, debating with Richard about topics related to detection, network security monitoring, and consequently threat hunting is probably similar to debating Plato about societies in the Republic. But I’ve always found myself learning more from debating smart people about small disagreements than debating the ones I outright disagree with. So enough compliments, let’s get into it.

The Argument

The heart of the argument, as I’m positioning it, is about what hunting is and is not and thus how folks use it. The initial prompt was from Twitter user @hellor00t about where “hunt teams” should be placed in the CIRT and whether or not hunt is just a new term for IR analyst. The comment was “seems like title semantics to me.” Which is totally fair. Richard, as previously stated, noted that hunt is just a form of detection. That incident response teams detect intruders using two major modes: matching and hunting. There’s a lot to unravel here but I’ll bypass the modes of detection argument slightly to say I actually agree but wouldn’t call one mode hunting. You’re either matching knowns (behaviors of adversaries, indicators, behaviors of users, etc.) or exploring unknowns (anomalies). You should cover your knowns first and then explore the unknowns but your strategy for detection should be more well thought out. I covered that topic with Sergio Caltagirone in a paper on the four types of threat detection which actually lines up nicely with Richard’s point (except the term hunting) here.

My Position

Honestly you can do whatever you want that gets you excited about security and proves to be an efficient and effective way to do your job for the organization. But I do think hunting goes beyond Richard’s point. I’ve written about threat hunting (not nearly as much as Richard) previously a few times before but here are two papers that help phrase my “school of thought” a bit that I wrote with David Bianco on generating hypotheses and another about what hunting is and isn’t with the “other” Rob Lee at SANS. My main thought process is that threat hunting is a proactive and iterative approach to detecting threats. It seems to align directly with what Richard wrote but I’d add that it really isn’t, to me, about detecting threats. I know that’s super confusing so I’ll go into depth a bit more.

Hunting is a hypothesis-led approach to testing your environment for threats. The purpose, to me, is not in finding threats but in determining what gaps you have in your ability to detect and respond to them. As an example, how do you know whether or not your organization would ever be able to detect and respond to the latest tradecraft observed by $ActivityGroup? You should generate a hypothesis about how that tradecraft would look in your environment played out against what you have to protect. You could determine the “route” the intrusion might take based on what you’ve observed previously and see if you have the people, process, and technology required at each point to successfully detect the tactics and procedures of the threat as well as the ability to respond to them. That’s only one way to generate hypotheses but hopefully serves as a tangible example. You’re looking to achieve a layered defense while figuring out your gaps. As an output of hunting, you should have gaps to address as well as detections you can now create as a result of your hunting (i.e. threat hunting cannot be fully automated but the output of your hunting should be more automation in your environment against the threats you hunted for). You could also create playbooks, or step-by-step guidance, on what an analyst should do to validate malicious activity and how to respond based on what you learned. Additionally, you could update your collection management framework (a topic I’ve talked about before and will have a paper out later this month on) to discuss what collection and data sources you do and don’t have in your own environment.

In short, hunting, to me, is a way to assess your security (people, process, and technology) against threats while extending your automation footprint to better be prepared in the future. Or simply stated, it’s incident response without the incident that’s done with a purpose and contributes something. Ad-hoc hunting to me isn’t hunting, it’s just proactively searching for threats in your environment (although admittedly saying you’re “hunting for threats” rolls off the tongue a lot better than “log correlating and searching”). Responding to alerts isn’t hunting either, it’s just triaging and investigating alerts. However, there are many “schools of thought” and you’re welcome to do whatever works for you in your environments.

Threat hunting is also an extremely useful way to measure the effectiveness and breadth of your threat intelligence efforts. Dan Gunter wrote an excellent Masters paper at SANS here on the topic.

Back to the original question of “where do you put your hunt team?” I really wouldn’t have a dedicated threat hunting team. I’d treat threat hunting as a multiple times a year or at least once a year assessment against the scenarios that are most concerning to you and your organization. Bringing together people from across the security organization and even outside that organization can be really useful to thinking outside the box about your hypotheses generation efforts. Having a dedicated team can make the process stale and cause too much group think. I’d rather see people “take turns” in that role if there’s a need to have a dedicated function.

In Conclusion

In conclusion (for now I assume) I will note I probably don’t disagree with Richard much but it was a useful prompt to have me think about threat hunting and put some thoughts in a blog to hopefully help others flesh out their views. My view is that hunting is not a form of detection, or isn’t just a form of detection. If you’re measuring the value of threat hunting on how many threats you find you’re likely not to be able to justify it at all compared to just doing proactive security work. Threat hunting, in my opinion, should be a much more structured test against hypotheses that is pushing your organization forward and ensuring you’re prepared against “styles” of threats. I do completely agree with Richard’s view though that Response is too narrowly defined as just incident response and after the fact to folks. I talk about “detection and response” largely because the terms can be useful in communication and when defining skill sets of folks. However, I do agree that detection and response both should be tightly coupled in people, process, and technology and that response is, in its best form, proactive.

 

What It’s Like to Raise Venture Capital (Just My Experience)

November 22, 2018

Last week it was announced that Dragos, Inc. raised $37M in our Series B financing event. That brings the total amount of money raised for the company to $48.2M since the company was founded in 2016 and marks my third time raising (Seed Round of $1.2M, A Round of $10M, and now the B Round). There’s a lot written explaining venture capital so I won’t attempt to explain it here in a short blog; but the purpose of this blog is to share some insights into things I’ve learned as a security practitioner that were new and surprising to me or just general observations that were interesting enough to document. Over the past two years I’ve taken more than 300 calls with more than 150 venture capitalists, officially “pitched” to more than 50, and had term sheets from about a dozen. I’ll start off with a comment about the team and company before diving into some of the observations I’ve had across those experiences.

“If you want to go fast, go alone; but if you want to go far, go together”

The proverb/quote above has some controversy around it regarding its origins but I like the quote nevertheless. It explains a lot about startups (to be fair so does the TV show Silicon Valley). When Jon Lavender, Justin Cavinee, and I started Dragos as co-founders we had previously built CyberLens together back in 2012/2013 time frame under the name “Dragos Security.” The tool was simply an assessment tool to process out packet captures and draw a map including some deep packet inspection of industrial control system (ICS) protocols. Getting it together as three people was really easy. It was a good year into the life of Dragos, Inc. when we were still adding things into the Dragos Platform that were already accomplished in CyberLens. The difference of course was the scale and stability of the Dragos Platform, our technology at Dragos, was significantly more vast than CyberLens. As we started adding a “feature” into the product it would break into numerous features and requirements. In theory what our technology does is simple: passively map out industrial environments, utilize threat analytics to identify the M.O./behavior/pattern of adversaries instead of just indicator or anomaly based detection, and offer up playbooks in an analyst workbench that act as step-by-step guidance to validate the alerts and scope the investigation. Not too bad right? Over the last two years we’ve seen the need to scale to 10 network appliances back to a server, to 40, to 300, and beyond. All on-prem without being able to take advantage of the cloud (in most cases) because of the sensitivity of industrial environments. At Dragos we’re about to be 100 people strong. You move so quickly you don’t really stop to think about the numbers and scale and all the things you’re doing. But one of the reasons startups tend to outpace larger companies is the ability to move those folks in a single direction and throw the entire organization behind it without as much communication challenges as large companies; flexibility is key. It’s amazing to see that occur and yet moving forward always seems like it takes place at a snail’s pace. You look back over 1 quarter and you realize that’s not true; but going far definitely requires the team and creating a scalable, deployable, stable, and usable technology often requires more than just a few people. I’m proud of the team we have today and the growth we’re achieving. Every now and then I sit back, pour a stiff drink, and just have to feel the exhaustion overcome me all at once. But then you sit forward and keep going again. You see the difference you’re making for your customers, the lives of the people on your team changing and growing, and you just feel so fortunate. Luckily, my eight month old son and wonderful wife provide more centering for me than exhaustion making the journey a bit more doable.

Venture Capital is Neither Good nor Bad

As a security practitioner I often found myself opining about venture capital. Bankers, private equity folks, finance majors, and “business people” were what I always assumed made up all the ranks of Venture Capital and to be honest I couldn’t stand the idea of them. I didn’t despise anyone, everyone takes their own path in life. But non-security practitioners trying to fund and decide “market winners” without an appreciation of the technology always bothered me. For anyone that’s seen my writings before it’s probably pretty apparent that I don’t think too highly of “management” positions leading security teams or technology teams without an understanding of security or technology. So it extended beyond venture capital. I also saw venture capitalists as just interested in making a buck (that is their job but the amount of “let’s make the world a better place” I’ve seen even in the hard times has been stunning coming from them) and largely figured it was better to bootstrap a business than take capital. While a lot of bad venture capitalists exist I learned that the bad apples were really giving a bad name to a much larger and more diverse field. Here’s some areas that I have evolved my own thinking:

Watch the Burn, Spend the Money, Watch the Burn

One of the reasons I hated the idea of venture capital is that I figured and had heard they would try to get you to spend so much money that you would have to raise more money later. They’d “get you over a barrel” and you’d be too deep in debt to do anything but go forward and raise more. That impression I had was entirely wrong, maybe I’ve just seen a different group of venture capitalists but there’s a whole science and art to throttling the business correctly. I’ve heard “watch the burn” from my board members (made up of our investors) to the point that it’s annoying not because it’s not accurate but because it’s been stated so much it couldn’t possibly have left my mind. The burn is how fast you’re burning through capital. Venture capitalists don’t want you to spend too much money, they want you to spend the right amount of money to invest in the business’ future. The logic is actually pretty simple when you think about it. In an enterprise software styled company where you are investing heavily in R&D you’re going to need to raise venture money to support it (sales can’t support the R&D costs especially before you have a product). But once you have the product (though it’s never done) you still have to invest heavily in sales and marketing. If I put $1 into sales and marketing today I likely won’t see any return on that for 9+ months. It takes time to generate the lead, make the contact, get the meeting, make the pitch, fit into this or next year’s budget, etc. The sales cycle can easily be 9-18 months long. But if I can invest $1 into sales and marketing today and get a return of $2 in 12 months that’s a 100% growth. Throttling the business to be “profitable” especially early on is robbing the future of the business. If I can lose $5M this year and make $10M in sales next year, that’s a great thing for the business. Thus venture capital is needed so that you can spend what you need to, but you don’t just want to spend money you want to understand what the return on investment is and monitor your burn as closely as possible to make sure you’re not over investing or under investing. This can cause a “foot on the gas foot off the gas foot on the gas” back and forth in the company on an almost weekly basis. There’s risk into taking this approach and it’s not the only one but previous-me would have stated “well just grow as you can support it and don’t try to lose money in hopes of earning more business next year.” Today I understand that the speed of the market, demand from the customers, growth of competitors, marketing from incumbents, and more all goes into deciding that spending large sums of money to grow the business is hyper critical especially in a software company where deal sizes and sales cycles are both large.

Lots of Different Types of Venture Capitalists 

There are a lot of different types of venture capitalists, and I’m talking about the people not the firms yet, I’ll approach those next. Some venture capitalists are the bankers, private equity folks, business grads, and financial analysts that I had previously thought about. But many are also “operators” that have built and led companies before. In reality there are good and bad in both forms. I’ve found that as a founder I really resonate with operators. Having a few of them on my board early on gave me good guidance and made a collaborative environment. They were also more empathetic to the needs of the business instead of spreadsheets and trying to math the company to death. As we grew it was also important to add those who had more experience as the “typical” type of finance people who helped provide a bit of devil’s advocacy to the board on various decisions and help make sure that the “emotion” of running the business and the “experience” of having done it before wasn’t completely out of touch with what the numbers could support. It’s obvious of course that it takes all types, but to me seeing the different value propositions of people and their experience and how they influenced the company was interesting. As a gaming nerd there’s so much that role playing games have taught me about business, more so than any of the free online classes I’ve taken on business (seriously you should watch those free videos like the free MIT and Harvard classes and you should throw in some good RPGs as homework). Class skills and development of different professions while understanding people’s skill tree maximums and strengths/weaknesses is much easier when you just imagine everyone you meet has a playing card or a stats page that you can see when you hover over them.

Lots of Different Types of Venture Capital Firms

There are many different types of VC firms. Some have experience in your field, some do not. VC Firms vs. Corporate VCs are a major difference in how they view the world as well. There is even the informal ranking system of “Tiers” that is very loosely made but can help you think about the VCs to determine which are right for you. From the very beginning the idea at Dragos was to IPO the company. Making it to the stock exchange with a public listing of your stock sounds like a good thing from a monetary perspective but it provides something more important to my team. We want to keep Dragos around and really make the world a more secure place for our most important and critical infrastructures. The industrial world is huge and deserves protection. Having an “exit” by getting bought by another company generally doesn’t allow that. Acquisitions of technology companies are not always bad but especially early in the company’s life when they are just really getting their culture and tech and value propositions right, getting adopted into another company can be a death sentence. It’s going to take years to put a real dent into industrial cybersecurity. When you raise venture capital though you have to be able to give your VC’s an exit. They need to be able to exit the company at some point and recoup their investment plus how much their investment has grown. As it turns out, the appetite for how this occurs differs from firm to firm. There is not simply 1 “persona” at any firm but their track record, size of fund, and “tier” can help inform what they’re looking for in how you exit.

As an example, if your VC firm has a small “fund” they’re investing out of ($100M-$200M) and they haven’t had a lot of IPOs before then it should be pretty obvious they are looking for an acquisition as an exit. If they invest $5M in your company early on and you can exit for $200-$300M they get enough return to put a real “dent” in their overall fund size to show returns to their investors (which surprisingly enough are not just rich people but more often college endowments, retirement funds, etc.). But if your investor has done IPOs before and is investing out of a large fund ($500M+ and often times $700M+) then the check sizes they write are going to be larger (they’re going to look to invest more like $15M instead of $5M so they can put their capital to work) and they’re going to need the exit to be larger (which is more likely to be an IPO than an acquisition) to get an exit that actually puts a dent in their overall fund. There’s way more to evaluating VC firms including their networks, who the board member is that will actually sit on your board, and how they enable their investments but figuring out what they need in terms of an exit is a really important part of the equation to make sure it aligns with the company you want to build. An IPO is an “exit” for many of the investors but it’s a growth stage for your company. The founding team and its members shouldn’t be thinking about an exit but should be aware that taking venture capital is more of an investment/loan than it is anything else.

Raise What You Need Not What You Can

If you’re outside of a company you rarely get deep insight into what’s going on in that company. One of the ways we measure companies though, at least when consider venture capital, is how much they raised and at what valuation. At one point I would have thought raising the maximum amount and then not raising again for a long time is a good strategy; turns out that’s very silly. The simple version is easy to understand, if I raise $10M at a $15M pre-money valuation you give up a lot of the company in terms of dilution. If you raise $5M at $15M and then raise another $5M in a year at a $30M valuation you’ve just raised money without giving up as much of your company. It’s never that simple though and you have to figure out how much you can raise and how much you can put to use to get you to the next milestone for your company. If the venture community is hot, then investments might come easy, if it’s not then no matter how good you do the money will “dry up” to some extent. Additionally, you always want to make sure you can hit the goals to get to the next milestone.

As an example, did you raise $30M at $100M pre-money valuation? Congrats that’s awesome. Did you raise $60M at $150M valuation? Looking a bit dicey by comparison. But why? Let’s assume those are C series numbers since they are really big amounts (although in the industrial community a lot of the Series B raises are more like Series C, our $37M raise at a B is more like a C round for comparable IT security companies). If you raise $30M on $100M pre-money valuation then your post money valuation is $130M. To raise a D round on this trajectory you really want to show investors that you can 2-3x their investment, this entices the new investors and shows good health for the company. I.e. at the D round you’d really want a $260-$390M pre-valuation. Ideally you could get there in a 2-3 year period showing rapid growth. But if you raise $60M at a $150M valuation for your D round now you have a $210M post money valuation. Which means you’d ideally want to hit $420M-630M pre-money valuation to show the same level of growth. But the larger the numbers the slower the growth might be and there is a limit in how much you can invest in your company each year to hit a return especially if you’re being compared to the growth of the company that took $30M. I.e. pouring $50M onto a company instead of $30M may not actually give you any extra value depending on market size, customer adoption, sales cycles, and more. So if you raise more than you need just because it’s available you are potentially taking more dilution in the company than you need, you are possibly not doing anything more for your growth rate, and you may make it incredibly difficult or even impossible to raise your next round which means you have to get acquired as you’ll be burning too much to go cash flow positive or raise more. There’s no perfect formula nor only one school of thought, but this was all interesting to me as I learned more about raising capital and watched our own experience. If you’re wondering, we raised the $37M specifically to get us to the next round which we have a target valuation and date for already (I found it useful to always be thinking about your next round and walking backwards into it for the current round).

Terms, Terms, Terms

It would also seem obvious that a company that raises $30M at $100M valuation is a better company than the one that raises $30M at $90M valuation (pre-money on both). However, what most people never get a chance to see are the terms of the investment. The term sheet is the “offer” that an investor makes a company for the terms of the investment that then get ironed out in a much larger package of closing documents. Those aren’t made public but in my opinion are far more important than the valuation of the round. A seemingly bigger and better investment may have horrible terms. As an example, one term that could included in the investment is “participating preferred” or even have a multiple on it. A multiple is idiocy in my opinion and would only make sense to a company in distress and participating preferred in general is a term I refused to ever accept. There are numerous terms you have to watch out for that can flavor the entire trajectory of the company but let’s dive into participating preferred which I think of as one of the worst terms.

Let’s imagine an investor puts in $10M into your company and you add equity for them which gives them 10% of the company. And then your company eventually exits for $200M. In a simple world where that was all the investment you had then the $200M would be split between all the preferred stock holders (the investor) and the common stock (the founders and employees). So $100M would be split according to how much equity everyone has. The investor’s $10M turns into $20M and that’s what they leave with. The rest of the $180 is split between the founders and employees depending on how much they own each. But if the investment was participating preferred at a 1x then the investor would get back their $10M and then get to participate in 10% of the remaining $190M. That means they’d walk away with $29M and the company would split $171M. In reality the investors would actually get more because of interest accrued on the initial $10M. This is very simplistic but even in the simplistic view you can see why this would be problematic. Even if your goal isn’t everyone splitting money and instead is just growing the company, you could potentially have lots of extra money flowing out of the company at an IPO. Simply put, no matter the situation you really don’t want money leaving your company that you could be investing in your company or splitting between the people who were putting in the day-to-day work. In my experience, my goal was a simple term sheet. An adviser of mine told me to demand that the terms of the deal be so simple that they could be written on a napkin. We aimed for that and succeeded in doing it but it is way harder than it sounds.

Boards Are Equally Important and Not Important

This is a weird statement to write because I get a lot of value out of my board as advisers and a sounding board. But previously I would have thought a board had a lot of control over a company. I don’t know why but I just always assumed a lot of decisions get made at the board level. Turns out that’s not the case. The person running the company day-to-day is the CEO. The CEO knows so much more about the company than the board members could possibly know. In relation to venture capital the board wants to know that the company is growing, monitor their investment, and provide input and connections that could benefit the company to help it grow. As an example, one of the ways I used my board is to help me with interviewing key hires especially VP’s because they’ve seen many people and have experience I don’t have on to act as a sounding board. They provide good connections throughout the various industries we work in and also provide some guidance to make sure that I’m growing the business in the right way at the right speed and am building a company that others will want to invest in which will help our team build the type of company that can really impact the industry. But they don’t make a lot of decisions. I assume a lot of people think they do because I even have people outside my company that want to do business with us or want something from us hit up my board members directly assuming they have some significant influence over me; very little makes me more likely to ignore someone.

It turns out my view of how involved boards were was entirely off. They provide help that I ask for, but they don’t make a lot of choices. Salary and compensation packages get approved at the board level (which I find to be useful actually), the annual budget gets approved there, and the rest is just providing them updates and getting advice. You could get bad terms that dictate a board has more say but I’d be concerned about that for a lot of reasons. Opening a new office, choices around the product, hiring and firing, strategy for the company, go-to-market, etc. that’s all on my team internal to the company. The board is interested and active but entirely disconnected from the “decisions” that get made around that. The approval of an annual budget has a high level of impact but it’s something my team and I put together and put in front of them, their input is “that looks normal” “that looks like it’ll get you what you want” “have you considered upping the investment in X?” “I think you’ve over invested in Y”. It’s useful, it’s their approval, but it’s still the work from inside the company and whatever I put in front of them is going to be within the range of what gets approved.

I imagine this is all super obvious to most other people but I was surprised to find how little boards actually do and yet how they remain vitally important. One of the things I’ve really found value in my board is simply having a well experienced team of folks as a sounding board. It really can’t be overstated. As the CEO whether or not its true you constantly feel you’re the person who’s suppose to have all the answers and lead the ship. Sure everyone else actually does all the work, and the decisions are super collaborative in the company, but that feeling remains. At the board level though it feels far more like a discussion with less stress. I’ve found my board to be my “safe space” to just think about stuff out loud without repercussion and have folks more experienced than myself in areas that are different but important provide thoughts or validation. At the end of the day it’s not lost on me that so many in the community, so many customers, and all the families of all my employees have a very vested interest in me not screwing up my part. The act of “yea Rob that makes total sense” or “I really think you should dig into that more” provides far more comfort than I can put into words.

Every Company is Different and Your Journey Will Be Filled with Friends and at Times Lonely

These are my thoughts. These are some of my observations. Yours are bound to be different but I hope it’s useful to see one person’s thoughts on all this. I’ve never felt more excited and more proud than leading this team at Dragos and I’ve also never felt so very alone in my career. That sounds weird but let me clarify. Being the CEO and founder of an industrial cybersecurity company that has received venture capital, now above $48M, and is forging into a market that’s largely been undefined…is a lonely and exciting endeavor. Industry analysts and financial folks have tons of opinions, but none of them have actually been down this journey. I’m empathetic to the various industry analysts trying to define the market or provide hot takes on where the market will or won’t go; and it’s useful to the community because buyers and community members cannot just listen to the obviously biased companies leading the way, but those same industry analysts and financial folks have far less experience in this topic. The number of peers I have for the very specific thing I’m doing is tiny. And to be honest it’s not like the founders of competitive companies really get together and have open discussions other than “hey thanks for helping also build the market, good luck to you, I hope I utterly destroy you on the battlefield, but I respect you” lol. I often look at the industrial cybersecurity community and industry practitioners that I respect pontificating on the market, who will be winners, what that means, what products will be needed, etc. and I struggle not to roll my eyes a bit as they have never built companies or products in that space. I have to force myself to realize that what they’re doing is still an important part of the equation and very useful to folks. But I do also understand that they are also extremely biased, operating with completely different experience, and sometimes are advising on things that they have far less experience in than people realize especially compared to the companies that live it day to day and are on that unique journey. I’ve had heated arguments with people I respect and call friends simply because their experience guides them to view things so differently than the experience I have. And yet, that’s ok. Actually it’s really useful for everyone. And taking a step back to just keep that in mind is vital to not becoming arrogant or being misguided yourself. To solve a problem as complex as any that guides you down such a unique path is going to require thought process and input from everyone, welcoming it is important especially when it seems counter to your own experiences.

Why say all this? To stress the point that in this community, this industry, this time, etc. things are so specific that any lessons learned I have may not really apply to you in your journey. And it’s so different that even the founders that have built a company before may not have experiences that help or relate to you; I found the “entrepreneur” networks to be largely disappointing with experiences that didn’t translate to the challenges my team is facing. I found the folks in my company and their insights as well as the experiences and insights of our customers to be far more useful to me. But maybe those networks work for you. I don’t think I’m special, but I think this journey is unique. Yours is too. Hopefully my thoughts are useful but don’t take them as the only thoughts nor any of my takes as the only way to view those topics (hell maybe I’m wrong on plenty and will have different views in a few years). Instead, I’d focus more on how my opinions have changed and be open minded to have yours change as well.