Threat hunting is the practice of iteratively and proactively hunting for threats, including Advanced Persistent Threats (APT), launched by adversaries. Unlike traditional security systems such as antivirus programs, firewalls, or SIEM, which take a reactive approach to threats, threat hunting takes a proactive approach and pursues threats before they compromise an organization’s network or IT infrastructure.
Threat hunting can be performed in two ways: manually or automatically. Manual threat hunting is conducted with vendor toolkits such as Cuckoo Sandbox, Automater, or CrowdFMS. Unfortunately, the manual approach is slow and inefficient because its capabilities for scanning endpoints’ Indicators of Compromise (IoC) and searching databases are poor. According to Alert Logic’s Threat Hunting Report 2018, among the various IoC types, hunt teams most often investigate behaviour anomalies (67%), IP addresses (58%), and flagged/denied connections (46%). Automated threat hunting, on the other hand, is more effective, faster, and more reliable, and it can be performed through Security Orchestration. The following sections describe in depth how security orchestration helps to automate threat hunting.
How Does Security Orchestration help in Automating Threat Hunting?
Security orchestration automates a threat hunting campaign by means of an orchestration playbook. The playbook supports both reactive and proactive threat hunting. Whereas the proactive approach aims to prevent an incident from happening, the reactive approach applies after the incident has occurred. In support of the reactive approach, the playbook automates the incident response process. The human factor remains involved, however, as it is the core of threat hunting: machines are not always a substitute for human beings. A threat hunting campaign is mostly run in the Security Operations Center (SOC), where a team of security analysts works, and the analysts work hand in hand with the playbook to perform proactive threat hunting. In addition, a playbook can be scheduled to run both approaches periodically to respond better to threats or IoCs. The working of the playbook can be seen in Figure 1 below.
First and foremost, the playbook absorbs all potential IoCs from systems and network devices. After that, it investigates the collected candidates and extracts the actual IoCs from them. The analysts then employ Threat Intelligence tools to determine whether each IoC is malicious or not. When suspicious IoCs are detected, the analysts add them to the blacklist for future reference. In this way the automated process becomes faster over time, because the playbook skips IoCs that were already detected and quarantined during a previous search. Once this whole process is complete, the playbook is closed for the current session.
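The following is an added illustration of the playbook loop just described, not code from the original post or from any orchestration product: it absorbs candidate IoCs from raw events, refines them to actual IoCs (dropping internal addresses and strings that only look like IPv4 addresses), checks the unseen ones against a threat intelligence feed, and skips anything already on the blacklist from a previous run. The sample events, the threat intelligence feed, and the seed blacklist are all constructed for the example.

```python
"""Simplified orchestration playbook for the IoC hunting loop described above."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Regexes for the two IoC kinds this toy playbook understands.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Address space that never warrants a threat-intel lookup (own network, loopback).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample telemetry: firewall and endpoint events. Not real data.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z host=ws01 action=denied dst=203.0.113.45 dport=4444",
    "2024-05-01T10:00:05Z host=ws01 action=allowed dst=198.51.100.7 dport=443",
    "2024-05-01T10:00:09Z host=ws01 action=allowed dst=10.0.0.5 dport=445",
    "2024-05-01T10:01:10Z host=ws02 proc=updater.exe sha256=" + "a" * 64,
    "2024-05-01T10:02:00Z host=ws02 action=denied dst=203.0.113.45 dport=4444",
    "2024-05-01T10:02:30Z host=ws02 action=denied dst=999.1.1.1 dport=80",
    "2024-05-01T10:03:00Z host=ws03 proc=notepad.exe sha256=" + "b" * 64,
]

# Constructed threat-intelligence feed (IoC -> verdict); stands in for the TI tools
# the analysts would query.
THREAT_INTEL = {
    "203.0.113.45": "known command-and-control address",
    "a" * 64: "known malware sample",
}

# Blacklist carried over from an earlier hunt: this hash was already quarantined.
SEED_BLACKLIST = {"a" * 64}


@dataclass
class HuntResult:
    candidates: set[str] = field(default_factory=set)      # IoCs left after refinement
    skipped: set[str] = field(default_factory=set)         # already blacklisted, not re-queried
    flagged: dict[str, str] = field(default_factory=dict)  # newly confirmed malicious
    cleared: set[str] = field(default_factory=set)         # no TI match this session


def _is_routable(ip: str) -> bool:
    """Drop internal addresses and strings that only look like IPv4 (e.g. 999.1.1.1)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def extract_iocs(events: list[str]) -> set[str]:
    """Steps 1 and 2: absorb every candidate from raw events, then keep only actual IoCs."""
    raw: set[str] = set()
    for line in events:
        raw.update(IPV4_RE.findall(line))
        raw.update(h.lower() for h in SHA256_RE.findall(line))
    return {ioc for ioc in raw if SHA256_RE.fullmatch(ioc) or _is_routable(ioc)}


def run_playbook(events: list[str], threat_intel: dict[str, str],
                 blacklist: set[str]) -> HuntResult:
    """Steps 3 and 4: query TI for unseen IoCs, blacklist confirmed ones, skip known ones."""
    result = HuntResult(candidates=extract_iocs(events))
    for ioc in sorted(result.candidates):
        if ioc in blacklist:
            result.skipped.add(ioc)   # quarantined in an earlier run: no lookup needed
            continue
        verdict = threat_intel.get(ioc)
        if verdict is None:
            result.cleared.add(ioc)
        else:
            result.flagged[ioc] = verdict
            blacklist.add(ioc)        # recorded for the next scheduled run
    return result


if __name__ == "__main__":
    blacklist = set(SEED_BLACKLIST)
    res = run_playbook(SAMPLE_EVENTS, THREAT_INTEL, blacklist)
    print("skipped (already blacklisted):", sorted(res.skipped))
    print("newly flagged:", res.flagged)
    print("cleared this session:", sorted(res.cleared))
    print("blacklist now holds", len(blacklist), "entries")
```

Running it on the constructed events flags the denied connection to 203.0.113.45 as a new hit, skips the already-blacklisted hash without querying threat intelligence again, and clears the remaining two IoCs for this session; the internal 10.0.0.5 destination and the malformed 999.1.1.1 never reach the lookup stage. The blacklist is passed in and mutated on purpose, since it is the state that persists between scheduled runs.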