Automated Threat Hunting: A Closer Look

This post was previously published on The New Stack

Proactively finding and eliminating advanced threats through threat hunting is a growing necessity for many organizations, yet few have enough resources or skilled employees to do it effectively. For those who do have an active threat hunting program, the process is often manual and time consuming. 

With security automation, however, you can encode the hunt itself as rules and workflows that run whenever new threat data arrives, so your security policies adjust as intelligence changes rather than waiting for an analyst to be free. The result is automated threat hunting: expert-level hunting procedures executed at machine speed.

When you employ security automation technologies, you remove two major roadblocks to efficient threat hunting: a lack of in-house cybersecurity experience and the inability to apply threat intelligence reports from outside sources to your own environment. Other advantages of automating threat hunting include shrinking a potential threat’s “exposure window” (the time between initial compromise and containment), running several hunts concurrently and applying the same procedure consistently every time instead of depending on whoever happens to be on shift.

Automating threat hunting can also help cloud and cloud-native enterprises speed up their network security processes, lower operating costs and improve their ability to respond quickly to advanced cybersecurity threats. This article delves deeper into the threat hunting use cases discussed in a previous Torq blog post, Threat Hunting Like a Pro — With Automation.

Automate EDR, XDR, SIEM and Other Queries

To kick-start security automation in threat hunting, your first steps should include investing in the platforms that hold the telemetry: extended detection and response (XDR), security information and event management (SIEM), endpoint detection and response (EDR) and anomaly detection tools. Analysts traditionally query these platforms by hand, but with an automation tool like Torq they can be wired to detection rules and alerts that kick off searches across all of them as soon as a new exploit technique or indicator is published, and collect the results into a conclusion. Integrating them this way gives you a single pane of glass for the findings, which shortens the path from alert to decision.

SIEMs, EDRs, XDRs and other threat hunting tools perform real-time security event analysis to support investigation, early threat detection and incident response. They also provide comprehensive alert information, which helps you monitor, detect and respond to potential attacks originating from endpoints, cloud workloads, networks, email and identity management systems. For instance, Torq workflows can be triggered by events from existing security systems, such as SIEM alert rules, EDR/XDR detection alerts and anomaly detection alerts. Information and anomalies from each system can then be correlated and analyzed to identify potentially malicious activity and indicators of compromise; an alert that looks benign in one tool often looks very different once the same host or file hash shows up in two others within a few minutes.

Share Threat Hunting Templates with Your Team Members

SOC teams typically maintain custom templates, shared across the team, so that everyone follows the same threat hunting workflow. These threat hunting templates serve as playbooks for automating the investigations that the SIEM/EDR/XDR queries discussed above produce. The signals and alerts generated are grouped by detection type and listed with their severity scores and associated context. Once the alerts have been contextualized, team members select groups for in-depth investigation according to the workflow templates.

When you use Torq, alerts that carry a suspicious file can have that file detonated automatically in a sandbox. Once the detonation is complete, the verdict and observed behaviour are attached to the case so the team can determine whether the file is malicious before any destructive remediation runs.
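The correlation and grouping described in the last two sections, as an added Python example (my illustration, not Torq's code or its data model): it normalizes constructed alerts from a SIEM, an EDR and an email gateway into one schema, groups them per host, and escalates a host when two different tools fire within a 15-minute window or any single alert scores 80 or more. The alert shapes, the severity-to-score mapping, the hash value and the window size are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_HASH = "ab" * 32  # constructed placeholder, not a real sample hash

# Constructed sample alerts in the differing shapes three tools might emit.
# Illustrative records only; not output of any real product.
SIEM_ALERTS = [
    {"rule": "PowerShell download cradle", "host": "ws-042",
     "severity": "medium", "ts": "2024-03-01T10:02:00Z"},
    {"rule": "Failed logon burst", "host": "ws-117",
     "severity": "low", "ts": "2024-03-01T11:30:00Z"},
]
EDR_ALERTS = [
    {"detection": "LSASS memory access", "hostname": "ws-042", "score": 80,
     "timestamp": "2024-03-01T10:05:30Z", "sha256": SAMPLE_HASH},
]
EMAIL_ALERTS = [
    {"verdict": "phishing", "recipient_host": "ws-042",
     "attachment_sha256": SAMPLE_HASH, "time": "2024-03-01T09:58:00Z"},
]

SEVERITY_SCORE = {"low": 20, "medium": 50, "high": 80, "critical": 100}  # assumed mapping


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(source, raw):
    """Map a tool-specific alert onto one schema so later logic is tool-agnostic."""
    if source == "siem":
        return {"source": source, "host": raw["host"], "kind": raw["rule"],
                "score": SEVERITY_SCORE[raw["severity"]],
                "ts": parse_ts(raw["ts"]), "sha256": None}
    if source == "edr":
        return {"source": source, "host": raw["hostname"], "kind": raw["detection"],
                "score": raw["score"], "ts": parse_ts(raw["timestamp"]),
                "sha256": raw.get("sha256")}
    if source == "email":
        return {"source": source, "host": raw["recipient_host"],
                "kind": "email:" + raw["verdict"],
                "score": 60 if raw["verdict"] == "phishing" else 10,
                "ts": parse_ts(raw["time"]), "sha256": raw.get("attachment_sha256")}
    raise ValueError(f"unknown source {source!r}")


def correlate(alerts, window=timedelta(minutes=15)):
    """Group normalized alerts per host and decide which hosts deserve a hunt.

    A host is escalated when at least two different tools fired within
    `window` of each other, or when any single alert scores >= 80.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    cases = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        max_sources = 1
        for i, anchor in enumerate(items):
            # sliding window starting at each alert; items[i:] includes the anchor
            nearby = [b for b in items[i:] if b["ts"] - anchor["ts"] <= window]
            max_sources = max(max_sources, len({b["source"] for b in nearby}))
        top = max(a["score"] for a in items)
        shared = {a["sha256"] for a in items if a["sha256"]}
        cases[host] = {
            "sources": sorted({a["source"] for a in items}),
            "kinds": [a["kind"] for a in items],
            "top_score": top,
            "iocs": sorted(shared),          # hashes seen by more than one tool pivot well
            "escalate": max_sources >= 2 or top >= 80,
        }
    return cases


def build_cases():
    alerts = ([normalize("siem", a) for a in SIEM_ALERTS]
              + [normalize("edr", a) for a in EDR_ALERTS]
              + [normalize("email", a) for a in EMAIL_ALERTS])
    return correlate(alerts)


if __name__ == "__main__":
    for host, case in build_cases().items():
        print(host, "ESCALATE" if case["escalate"] else "monitor", case["kinds"])
```

With these inputs ws-042 escalates because the phishing email, the SIEM rule and the EDR detection all land within eight minutes and share a file hash, while ws-117's lone low-severity logon alert stays at "monitor". The thresholds are the part a team would tune; the normalization step is what lets one rule apply to every source.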

Trigger Search Processes With Workflows

Workflows can trigger searches across various systems to find further events and evidence, which reduces the amount of manual investigation and decision-making during tense periods. Examples of such searches include EDR/MDM searches, SIEM and log store searches, and email and storage searches for the same indicator. From the results you can launch additional investigations, enrich case management systems and initiate remediation for each finding.

Use Playbooks for Automated Incident Response

Once a potential threat has been identified, one of the most important tasks in threat hunting is incident response. Playbooks serve as the written procedure for threat analysis and response when threats are handled automatically. During ad-hoc investigations, threat hunting playbooks are launched on demand to show teams the next steps for blocking, containing or remediating the threat.

Trigger Remediation

Upon discovering a threat, a remediation trigger hands the case to your SOC team’s remediation workflows. At this stage, the team is assumed to have a thorough grasp of the threat and its possible consequences based on the detected indicators of compromise. Threat remediation aims to remove the threat precisely while limiting damage to the organization and keeping the remaining controls effective.

The threat hunter’s remediation technique is determined by the sophistication of the hunter and the attack. Basic remediation procedures may be useful in removing the threat in some circumstances. Advanced attackers, on the other hand, can detect and bypass these actions, necessitating more thorough countermeasures. Killing processes, forcing a computer to reboot and restoring from a backup are all examples of basic remediation tactics.

The cyber threat landscape is evolving, and new threats (such as fileless malware) are built with the explicit intention of evading existing threat hunting tactics. More sophisticated remediation strategies are therefore multi-stage: quietly investigating the initial threat vector, monitoring the state of the affected systems and then surgically removing the malicious code, rather than tipping off the attacker with a reboot or a visible process kill.

Torq, for example, remediates a malicious file by first quarantining it on the endpoint with EDR, then safely deleting it from cloud storage, quarantining the message that carried it in the mailbox and registering it with the EDR so that any future copy is detected.
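The search and remediation steps above, as an added Python example (not Torq's own workflow or API): a confirmed file hash is pivoted across constructed EDR, mailbox and cloud-storage inventories, then the chain described above (EDR quarantine, storage delete, mailbox quarantine, EDR blocklist) runs over every hit. The chain is gated on the sandbox verdict, each step is idempotent so the workflow can be re-run, every action is audited, and a host the EDR cannot reach is recorded as pending rather than silently skipped. The in-memory stores, the offline-host set and the hash value are assumptions standing in for real API calls.

```python
from dataclasses import dataclass, field

MALICIOUS_HASH = "ab" * 32   # constructed placeholder, not a real sample hash
OFFLINE_HOSTS = {"ws-019"}   # constructed: hosts the EDR cannot reach right now

# Constructed inventories standing in for the EDR, mail and cloud-storage APIs.
EDR_FILES = [
    {"host": "ws-042", "path": r"C:\Users\j\Downloads\invoice.iso",
     "sha256": MALICIOUS_HASH, "quarantined": False},
    {"host": "ws-019", "path": r"C:\Temp\invoice.iso",
     "sha256": MALICIOUS_HASH, "quarantined": False},
    {"host": "ws-042", "path": r"C:\Windows\notepad.exe",
     "sha256": "cd" * 32, "quarantined": False},
]
MAILBOXES = {
    "j@example.com": [{"msg_id": "m1", "attachment_sha256": MALICIOUS_HASH,
                       "quarantined": False}],
    "k@example.com": [{"msg_id": "m2", "attachment_sha256": None,
                       "quarantined": False}],
}
CLOUD_STORAGE = [
    {"bucket": "shared-docs", "key": "invoice.iso", "sha256": MALICIOUS_HASH,
     "deleted": False},
]
EDR_BLOCKLIST = set()


def search(sha256):
    """Search step: fan one IOC out to every store and return the hits."""
    return {
        "edr": [f for f in EDR_FILES if f["sha256"] == sha256],
        "mail": [(mbox, m) for mbox, msgs in MAILBOXES.items()
                 for m in msgs if m["attachment_sha256"] == sha256],
        "storage": [o for o in CLOUD_STORAGE if o["sha256"] == sha256],
    }


@dataclass
class Audit:
    """Every action, successful or not, is recorded so the SOC can review it."""
    steps: list = field(default_factory=list)

    def record(self, step, target, ok, note=""):
        self.steps.append({"step": step, "target": target, "ok": ok, "note": note})


def remediate(sha256, verdict, audit):
    """Run the remediation chain for one IOC and return a summary.

    Order: EDR quarantine, cloud-storage delete, mailbox quarantine, EDR blocklist.
    Gate: only a sandbox verdict of "malicious" triggers destructive steps.
    Each step sets state rather than toggling it, so re-running is safe.
    """
    if verdict != "malicious":
        audit.record("gate", sha256, False, f"verdict {verdict!r}: no action")
        return {"acted": False, "pending": []}
    hits = search(sha256)
    pending = []
    for f in hits["edr"]:
        target = f"{f['host']}:{f['path']}"
        if f["host"] in OFFLINE_HOSTS:
            # Do not pretend the step succeeded; leave it for a retry.
            pending.append(target)
            audit.record("edr_quarantine", target, False, "host offline, retry later")
            continue
        f["quarantined"] = True
        audit.record("edr_quarantine", target, True)
    for o in hits["storage"]:
        o["deleted"] = True
        audit.record("storage_delete", f"{o['bucket']}/{o['key']}", True)
    for mbox, m in hits["mail"]:
        m["quarantined"] = True
        audit.record("mail_quarantine", f"{mbox}:{m['msg_id']}", True)
    # The blocklist entry is what protects hosts that were unreachable above:
    # the EDR applies it when they next check in.
    EDR_BLOCKLIST.add(sha256)
    audit.record("edr_blocklist", sha256, True)
    return {"acted": True, "pending": pending}


if __name__ == "__main__":
    audit = Audit()
    print(remediate(MALICIOUS_HASH, "malicious", audit))
    for step in audit.steps:
        print(step)
```

Two design points matter here. The verdict gate means a sandbox timeout or a "suspicious" result never deletes anything, which is what keeps an automated chain from becoming a self-inflicted outage. The blocklist step is deliberately last and unconditional: even when an endpoint quarantine fails, the hash is registered so the EDR catches the file when that host reconnects, and the pending list tells the analyst exactly where a retry is still owed.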

Giving Security Professionals an Edge

Without automation, threat hunting is impractical for most organizations: the volume of telemetry and the shortage of skilled hunters mean manual hunts cannot keep pace with the attackers. Automated threat hunting gives security professionals the edge and the tools they need to stay ahead of the growing number of sophisticated security threats and protect the network from cyberattacks.