Originally posted on https://www.bestructured.com/threat-hunting-methodology-part-3/
As it has been described in Threat Hunting Part 2, conducting a Threat Hunting exercise is largely dependent upon the Security requirements of the organization. In order to have a structured and proactive approach, some sort of methodology should be followed. An example of this is what is known as the “SOAR” Model. Essentially, it is an acronym that stands for the following:
- Security Orchestration
With Security Orchestration, you and your IT Security staff are bringing together all of the available Threat Hunting tools that you currently have and make them all work together as one cohesive unit. Some of the features of Security Orchestration include the following:
- Having a standard set of Threat Hunting processes.
- Providing a single platform in which the Threat Hunting can compile and retrieve information and data as they are collected in real time.
- Providing a unified dashboard from which all alerts and warnings can be further examined.
A specific definition of Automaton is as follows:
“Automatic systems [allows you] to detect and prevent cyber threats, while contributing to the overall threat intelligence of an organization in order to plan and defend against future attacks.”
Automation helps alleviate some of these obstacles that are faced in Proactive Threat Hunting:
- Given the plethora of usage of multiple platforms such as Smartphones, Cloud based Infrastructures, File Sharing Systems, and even the Internet of Things (IoT), the attack surface for the Cyber attacker is constantly growing.
- Many businesses and corporations come into contact with at least 150,000 Security based alerts on a daily basis (SOURCE: 2).
- A lack of highly skilled and knowledgeable individuals on the Threat Hunting team.
- The Triaging methods that are used today have become quickly outdated.
Some of the key advantages of using the SOAR methodology include the following:
- Inspect for any potential threat on a 24 X 7 X 365 basis;
- Providing a centralized platform in which to further probe into hidden data trends as well as other investigative findings.
- IT resiliency is greatly enhanced by giving the IT Security staff the ability to make split second decisions if a risk is found and determine how it can be mitigated. The result of this a much-lowered Mean Time to Resolution (MTTR) metric.
- It can automate any time-consuming process that the Threat Hunting team experiences.
Conclusions – The Use of Automation in Proactive Threat Hunting
It should be noted that the activities of Proactive Threat Hunting can be very tedious, time consuming, and often laborious in nature. As a result, this can take a toll on the mental psyche of the members of the Threat Hunting team, whom have to remain in a sharp mindset at all times. Because of this, many businesses and corporations are now opting to automate the repetitive part of their Threat Hunting activities.
There are many Security tools out there that can accomplish this task. Determining which one will work the best for your Threat Hunting exercise once again largely depends upon your organization’s requirements. In general terms, the following areas are typically automated:
1) Data collection:
During a Threat Hunting exercise, you and your IT Security staff will be collecting many types of information and datasets from various different sources. It can take a very long time to sift through all of this, and to determine which data is good and which are incomplete, incorrect, or even insufficient. If this were to be done manually, it could take hours or even days. But with automation, this can be accomplished in just few minutes, thus freeing up the valuable time of the Threat Hunting to examine other intelligence data.
2) The Investigation Process:
The IT Security staff of any business entity is constantly being bombarded by alerts and warnings. In this aspect, implementing an automated system that categorizes which threats are high risk, medium risk, and low risk will allow for the Threat Hunting team to quickly investigate those that need immediate attention. Also, by incorporating the use of “Intelligent Clustering”, those alerts and warnings which are deemed to be high risk can be further sub categorized as to which ones need attention right here and right now. Obviously, not every alert or warning with a high priority tag can be given attention at that very instance.
3) The Prevention Process:
Obviously, it takes human intervention to mitigate the risks of a sophisticated Cyberattack. But on a daily basis, there are more routine mitigation tasks that can be totally automated such as terminating inactive and open network sessions, isolating any malicious or suspicious files and preventing them from executing, etc.
4) The Response Process:
Although it takes an entire Incident Response Team in order counter the effects of a large scale Cyberattack, many of the smaller, much more routine responses can be automated as well. Examples of this include the creation and the implementation of customized scripts to isolate an endpoint that may have been compromised, deleting any malicious files (after they have been isolated), or even using a backup image to restore any sensitive information and data that may have been compromised in a Cyberattack.
1) “4 Keys to Automating Threat Detection, Threat Hunting and Response.” Fidelis Cybersecurity, www.fidelissecurity.com/resources/whitepaper/automating-threat-detection.