5 ways to automate threat hunting - the new stack

Faith Kilonzi

Faith is a software engineer, technical writer, and DevOps enthusiast with a passion for solving problems through the implementation of high-quality software products. He holds a bachelor’s degree in computer science from Ashesi University.

Proactively finding and eliminating advanced threats through threat hunting is a growing need for many organizations, but few have sufficient resources or skilled employees to do so effectively. For those with an active threat hunting program, the process is often manual and time-consuming.

With cloud security automation, however, you can implement rules that automatically adjust your security policies based on the latest threat data. The result is automated threat hunting: expert-level hunting carried out at machine speed.

When using security automation technologies, you eliminate two main obstacles to efficient threat hunting: the lack of in-house cybersecurity experience and the inability to apply threat intelligence reports from sources outside of your environment. Other benefits of automating threat hunting include reducing the “window of exposure” of a potential threat, managing multiple threat hunting sessions simultaneously, and implementing uniformly effective threat hunting procedures.

Threat hunting automation can also help cloud and cloud-native companies accelerate network security processes, reduce operational costs, and improve their ability to respond quickly to advanced cybersecurity threats. This article delves into the threat hunting use cases discussed in the Torq blog post Threat Hunting Like a Pro – With Automation.

Automate EDR, XDR, SIEM and other queries

To initiate security automation in threat hunting, the first steps should include investing in automation tools such as extended detection and response (XDR), security information and event management (SIEM), endpoint detection and response (EDR) and anomaly detection platforms. These tools are traditionally operated manually, but with automation tools like Torq, they can be configured with threat detection rules and alerts that initiate distributed hunting activities and reach conclusions whenever a new exploit technique is discovered. This integration brings all cybersecurity platforms together into a single pane of glass, which could help you streamline the process of responding to these alerts.

SIEM, EDR, XDR and other threat hunting tools are used for real-time security event analysis to facilitate investigation, early threat detection and incident response. They also provide comprehensive alert information, allowing you to monitor, detect and respond to potential attacks from endpoints, cloud workloads, networks, email, and identity management systems. For example, Torq workflows can be triggered by existing security system events, such as SIEM alert rules, EDR / XDR detection alerts, and anomaly detection alerts. The information and anomalies from each system can be correlated and analyzed to identify potentially malicious activity and indicators of compromise.

Share threat hunting patterns with your team members

Each SOC team uses custom templates, shared with team members, to ensure the most efficient threat hunting workflows. These threat hunting templates serve as a playbook for automating the investigations that result from the SIEM / EDR / XDR queries discussed above. All generated signals and alerts are grouped by detection type and listed with their associated scores and context. Once the alerts are in context, team members identify groups for in-depth analysis based on the workflow templates.
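As an added example (not Torq’s code or the article’s), the block below shows one way alerts from several platforms can be normalised, correlated on the host they concern, and grouped by detection type with a combined score and attached context, so that a group corroborated by several sources or carrying a high score is flagged for deeper analysis. Platform names, hosts, scores and context strings are constructed.

```python
"""Correlate alerts from several detection sources and group them for triage.

Added illustration (not Torq code): constructed SIEM/EDR/XDR/anomaly alerts
are normalised to a common shape, correlated on the host they concern, and
grouped by detection type with a combined score and context.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    source: str     # originating platform (constructed values)
    host: str       # entity the alert concerns
    detection: str  # detection type used for grouping
    score: int      # source-specific severity, assumed 0-100
    context: str    # free-text context carried along for the analyst


# Constructed sample alerts standing in for events pulled from each platform.
SAMPLE_ALERTS = [
    Alert("EDR", "ws-042", "suspicious_process", 60, "powershell spawned by winword"),
    Alert("SIEM", "ws-042", "suspicious_process", 40, "4688 with encoded command line"),
    Alert("XDR", "ws-042", "c2_beacon", 80, "periodic outbound to rare domain"),
    Alert("SIEM", "srv-07", "failed_logon_burst", 30, "25 failures in 60s"),
    Alert("ANOMALY", "ws-099", "unusual_login_time", 20, "login at 03:12 local"),
]


def correlate(alerts, min_score=70, min_sources=2):
    """Group alerts by (host, detection type) and flag groups for deep analysis.

    A group is flagged when its summed score reaches min_score or when at
    least min_sources independent platforms agree, so corroborated
    low-severity signals are kept and a single strong signal still surfaces.
    Returns {(host, detection): {"score", "sources", "context", "flagged"}}.
    """
    groups = defaultdict(lambda: {"score": 0, "sources": set(), "context": []})
    for a in alerts:
        g = groups[(a.host, a.detection)]
        g["score"] += a.score
        g["sources"].add(a.source)
        g["context"].append(f"{a.source}: {a.context}")
    for g in groups.values():
        g["flagged"] = g["score"] >= min_score or len(g["sources"]) >= min_sources
    return dict(groups)


def hosts_for_deep_analysis(alerts, **kw):
    """Distinct hosts with at least one flagged group, for hunters to pivot on."""
    return sorted({host for (host, _), g in correlate(alerts, **kw).items() if g["flagged"]})
```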

When using Torq, all threat alert queries with suspicious files are detonated in a sandbox for investigation. Once the detonation is complete, the results are examined to determine if the files are malicious.

Trigger hunting processes with workflows

Workflows can trigger hunting processes across various systems to identify further events and evidence. This reduces the amount of manual investigation and decision making required under pressure. Examples of such searches include EDR / MDM searches, SIEM / log store searches, and email / storage searches. You can also perform additional investigations, enrich case management systems, and initiate remediation for each outcome.

Use automated incident response playbooks

Once a potential threat is detected, one of the most important tasks in threat hunting is incident response. Playbooks serve as manuals for the procedures and threat analysis used when responding to threats automatically. During ad hoc investigations, threat hunting playbooks are launched on demand to show teams the next steps to block, contain or remediate threats.

Trigger remediation

Upon discovering a threat, a remediation trigger is sent to the SOC team to start the remediation workflows. At this stage, the team is assumed to have a thorough understanding of the threat and its possible consequences, based on the indicators of compromise detected. Threat remediation aims to remove the risk precisely, minimizing organizational damage while maximizing the effectiveness of the security response.

The remediation technique a threat hunter chooses depends on the sophistication of the attacker and the attack. Basic remediation procedures can be sufficient to remove the threat in some circumstances. Advanced attackers, on the other hand, can detect and bypass these actions, making more in-depth countermeasures necessary. Killing processes, force-restarting a computer, and restoring from a backup are all examples of basic remediation tactics.

The cyber threat landscape is evolving, and new threats (such as fileless malware) are being developed with the explicit intention of evading existing threat hunting tactics. The most sophisticated remediation strategies are multi-stage methods that quietly investigate the initial threat vector, monitor the status of affected systems, and surgically eliminate malicious code from the system.

Torq, for example, remediates threats by first quarantining the malicious file with EDR, then securely deleting the file from cloud storage, quarantining it in the mailbox, and adding it to the EDR engines for future detection.

Give security professionals a head start

Without automation, threat hunting is impractical for most organizations. Automated threat hunting gives security professionals the edge and the tools they need to keep up with the growing number of sophisticated security threats and protect their network from cyber attacks.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Torq.

Featured image via Pixabay.
