Threat hunting: Automation & being proactive – Part 3
As described in the previous blogs, how a threat hunting exercise is conducted depends on the security requirements of the organization. To keep the approach structured and proactive, it is highly recommended that some sort of methodology be followed. One example is the “SOAR” model, an acronym for Security Orchestration, Automation and Response. Taking each part in turn:
- Security Orchestration
With security orchestration, you and your IT security staff bring together all of the threat hunting tools you currently have and make them work together as one cohesive unit. Security orchestration typically provides the following:
- A standard set of threat hunting processes;
- A single platform where the threat hunting team can compile and retrieve information and data as they are collected in real time;
- A unified dashboard where all alerts and warnings can be further examined.
A specific definition of automation is as follows:
“Automatic systems [that allow you] to detect and prevent cyber threats, while contributing to the overall threat intelligence of an organization in order to plan and defend against future attacks.”
Automation helps alleviate several of the obstacles faced in proactive threat hunting:
- The attack surface available to an attacker keeps growing as organizations adopt smartphones, cloud-based infrastructure, file sharing systems and Internet of Things (IoT) devices.
- Many businesses and corporations receive at least 150,000 security alerts per day.
- There is a shortage of highly skilled and knowledgeable people for the threat hunting team.
- The triage methods in use today quickly become outdated.
Some of the key advantages of using the SOAR methodology include the following:
- Threats can be looked for on a 24/7 basis;
- It provides a centralized platform in which to probe further into hidden data trends and other investigative findings;
- IT resiliency is enhanced: the IT security staff can decide within seconds whether a finding is a risk and how to mitigate it, which lowers the Mean Time to Resolution (MTTR) metric;
- It can automate the time-consuming processes that burden the threat hunting team.
The Use of Automation in Proactive Threat Hunting
Proactive threat hunting is tedious, time-consuming and often laborious, and it wears on the members of the threat hunting team, who have to remain sharp at all times. For this reason, many businesses and corporations now automate the repetitive parts of their threat hunting activities.
Many security tools can do this; which one works best for your threat hunting exercise depends on your organization’s requirements. In general terms, the following areas are typically automated:
- Data collection:
During a threat hunting exercise, you and your IT security staff collect many types of information and datasets from various sources. Sifting through all of it to determine which data are usable and which are incomplete, incorrect or insufficient can take hours or even days if done manually. With automation it can be accomplished in minutes, freeing the threat hunting team’s valuable time for examining other intelligence data.
- The Investigation Process:
The IT security staff of any business entity is constantly bombarded by alerts and warnings. An automated system that categorizes threats as high, medium or low risk lets the threat hunting team quickly investigate those that need immediate attention. By also applying “intelligent clustering”, the alerts deemed high risk can be further sub-categorized into those that need attention immediately and those that can wait, since not every alert tagged high priority can be handled at the same instant.
- The Prevention Process:
Mitigating a sophisticated cyberattack still takes human intervention, but the more routine mitigation tasks that occur daily can be fully automated, such as terminating inactive but still-open network sessions, or isolating malicious or suspicious files and preventing them from executing.
- The Response Process:
Although it takes an entire incident response team to counter a large-scale cyberattack, many of the smaller, more routine responses can be automated as well. Examples include creating and deploying customized scripts to isolate an endpoint that may have been compromised, deleting malicious files (after they have been isolated), or restoring from a backup image any sensitive information and data compromised in the attack.
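The four automated areas above form one pipeline: collect and clean the data, categorize and cluster the alerts, then apply routine containment while escalating anything that looks like more than a single-host event. The following Python script is an added illustration of that pipeline and is not code from the original post or from any SOAR product; the event sources, field names, the indicator feed, the scoring rule and the playbook action names (`isolate_endpoint`, `quarantine_file`, `escalate_to_ir`) are all assumptions, and the sample events are constructed. Nothing in it touches a live system: `plan_response()` only returns the actions a playbook would take.

```python
"""Toy SOAR-style pipeline: collect/normalize, triage, cluster, plan response.
Added illustration with assumed field names and action names; no real product
API is used and no action is executed."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events from three hypothetical sources (EDR, web proxy,
# IDS). Two are unusable on purpose: one has no host, one a bad timestamp.
RAW_EVENTS = [
    {"source": "edr", "host": "ws-017", "ts": "2024-05-01T10:02:11Z",
     "severity": "high", "sha256": "aa11", "file": "C:\\Users\\bob\\inv.js"},
    {"source": "edr", "host": "ws-017", "ts": "2024-05-01T10:02:40Z",
     "severity": "medium", "sha256": "bb22", "file": "C:\\Temp\\p.exe"},
    {"source": "proxy", "host": "ws-017", "ts": "2024-05-01T10:03:05Z",
     "severity": "low", "dst": "203.0.113.7"},
    {"source": "ids", "host": "srv-db-02", "ts": "2024-05-01T10:04:00Z",
     "severity": "high", "dst": "198.51.100.9"},
    {"source": "ids", "host": "", "ts": "2024-05-01T10:04:30Z",
     "severity": "high", "dst": "198.51.100.9"},             # no host
    {"source": "proxy", "host": "ws-021", "ts": "yesterday",
     "severity": "low", "dst": "203.0.113.7"},                # bad timestamp
    {"source": "edr", "host": "ws-021", "ts": "2024-05-01T10:05:10Z",
     "severity": "low", "sha256": "cc33", "file": "C:\\Temp\\ok.txt"},
    {"source": "ids", "host": "ws-021", "ts": "2024-05-01T10:06:00Z",
     "severity": "high", "dst": "198.51.100.9"},
]

# Constructed indicators of compromise standing in for a threat-intel feed.
IOC_HASHES = {"aa11"}
IOC_IPS = {"203.0.113.7"}
SEVERITY_POINTS = {"low": 1, "medium": 2, "high": 3}


def normalize(raw):
    """Data collection: map a source-specific event onto one schema and return
    None when the record is incomplete (no host) or incorrect (bad timestamp,
    unknown severity), so later steps never see dirty data."""
    if not raw.get("host"):
        return None
    try:
        ts = datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return None
    sev = raw.get("severity", "").lower()
    if sev not in SEVERITY_POINTS:
        return None
    return {"host": raw["host"], "ts": ts, "severity": sev,
            "indicator": raw.get("sha256") or raw.get("dst"),
            "file": raw.get("file")}


def risk_level(alert):
    """Investigation: source severity plus threat-intel match -> high/medium/low."""
    points = SEVERITY_POINTS[alert["severity"]]
    if alert["indicator"] in IOC_HASHES or alert["indicator"] in IOC_IPS:
        points += 2      # a known IOC lifts the alert at least one level
    if points >= 3:
        return "high"
    return "medium" if points == 2 else "low"


def triage(raw_events):
    """Collect + categorize. Returns ({level: [alerts]}, rejected_count)."""
    buckets = {"high": [], "medium": [], "low": []}
    rejected = 0
    for raw in raw_events:
        alert = normalize(raw)
        if alert is None:
            rejected += 1
            continue
        buckets[risk_level(alert)].append(alert)
    return buckets, rejected


def cluster_high(high_alerts):
    """Sub-categorize high-risk alerts by affected host, most evidence first,
    so the hunter sees which host needs attention right now."""
    by_host = defaultdict(list)
    for alert in high_alerts:
        by_host[alert["host"]].append(alert)
    return sorted(by_host.items(), key=lambda item: (-len(item[1]), item[0]))


def plan_response(clusters):
    """Response: routine single-host containment is automated; an indicator
    shared across hosts suggests a wider campaign and is escalated to people."""
    hosts_by_indicator = defaultdict(set)
    for host, alerts in clusters:
        for alert in alerts:
            hosts_by_indicator[alert["indicator"]].add(host)
    plan = {}
    for host, alerts in clusters:
        shared = sorted(ind for ind, hosts in hosts_by_indicator.items()
                        if host in hosts and len(hosts) > 1)
        if shared:
            others = ", ".join(sorted(hosts_by_indicator[shared[0]] - {host}))
            plan[host] = [f"escalate_to_ir {host}: {shared[0]} also seen on {others}"]
            continue
        actions = [f"isolate_endpoint {host}"]
        for alert in alerts:       # quarantine only files matching a known hash
            if alert["file"] and alert["indicator"] in IOC_HASHES:
                actions.append(f"quarantine_file {host} {alert['file']}")
        plan[host] = actions
    return plan
```

Running `plan_response(cluster_high(triage(RAW_EVENTS)[0]["high"]))` on the constructed events rejects the two dirty records, isolates `ws-017` and quarantines the file whose hash is on the indicator list, and escalates `srv-db-02` and `ws-021` because the same destination address shows up on both, which is exactly the kind of judgement call the text reserves for the human team.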