Threat Content, Not Automation, Fuels Effective Threat Hunting
Earlier this year, Gartner analyst Pete Shoard wrote an interesting piece on the nature of threat hunting. This article is well worth a read for any security operations center (SOC) analyst or security leader to understand what is involved in performing regular threat hunts in an enterprise environment. The synopsis of the thought process he laid out was that threat hunting isn’t a service or an automated technology, but instead “a process which guides your SOC to think outside of the box.”
One excerpt of interest was:
“Buying an intelligence-led security service? It’s pretty certain the vendor will be using threat hunting techniques. If they aren’t, then you have to ask yourself; what makes this service overly different from what the technology is providing without the provider? If they say their threat hunting is ‘automated‘ chuckle nervously and slowly back out of the room…”
That’s because any experienced threat hunter will tell you that the process of finding the most difficult and obfuscated threats is a decidedly manual process. There is little to no automation for it and anyone who tells you otherwise is likely too trusting in automation and missing malicious activity.
There are, however, ways to better support hunters as they undergo the manual process of digging for clues and piecing them together. This is the ultimate mission at Cyborg Security, where we believe the most important factor for efficient and effective threat hunters is better contextualized information about threats. Context is not optional, it’s a necessity. More context, presented in a clear and concise format, leads to a substantial decrease in time and effort needed to understand and identify adversaries in your environment. This, in turn, enables threat hunters to focus more on analysis and perform more hunts throughout the day.
Accompanying context, threat hunting should also be a process powered by well-researched and thought-out hypothesis. By having properly contextualized and investigated hypothesis, threat hunting becomes repeatable. By making a process and sticking to it, analysts can avoid repeating research and analysis that can slow the whole process. Additionally, following a process can ensure analysts take time to generate detections or custom signatures to aid in faster response times for the SOC.
EASING THE THREAT HUNTING BURDEN
Typically, each Hunt Package created by Cyborg Security, contains intelligence and context about attack tactics, techniques, and procedures (TTPs). The context and information is concise and informative, enabling analysts to react quickly and efficiently, every time. It can come in numerous different form factors, including:
They are all meant to encapsulate “to-the-point” data that’s relevant to the TTP. Armed with this data analysts can more easily triage, validate and respond to an event, through validation context, recommendations and threat meta data.
At Cyborg Security, our goal is to create, contextualize and curate threat hunting content in a convenient package that doesn’t require threat hunters to do all the extra work collecting everything they need to do once they start to piece together malicious behaviors. While the whole process can’t be automated away, our packages support and enable analysts to perform more well-informed and efficient hunts. Including, relieving the burden of research, aiding analysis, and saving resources and effort post hunt creating detections for the SOC.
To learn more about effective threat hunting, download the SANS 2020 Survey Report: Is Your Threat Hunting Effective?