Security Threats: Finding security threats is a human-led, machine-assisted task. To protect against cyber attacks, the goal is to stay one step ahead of ever-evolving security threats. Sophos believes that the practice of “threat hunting” is becoming increasingly important for monitoring and investigating network activity, discovering unknown threats, and responding to them appropriately.
Threat hunting is a complex process, and numerous misconceptions surround it. As a result, misinformation and misunderstandings leave people with a false sense of security and organizations unprotected. Three common misconceptions dominate the threat-hunting debate:
Security Threats: Misconception Number 1: Threat Hunting Can Be Automated
The idea that threat hunting can be automated is one of the biggest misapprehensions. While parts of the process can be automated, the human component is essential for any successful hunt. The entire process, from identifying hostile activity to reacting to it, cannot be automated (at least not yet).
Even so, automation plays an important role in threat hunting, both in gathering data and in discovering what is already known. In an automated search, an activity can be flagged as suspicious by an automated rule. However, as soon as that happens, a further step is required: someone has to look at that alert and carry out a strategic analysis. A machine can point out deviations, but it cannot make an intelligent decision about whether an activity is malicious or benign. There is a large gray area in which it is difficult even for a well-trained model to reach a correct judgment. Human expertise is necessary.
Security Threats: Correct Classification Of An Action
If, for example, PsExec is active in the network (a Telnet replacement for executing processes on other systems over the LAN), it is not immediately clear whether this action is harmful or harmless. First of all, it is an administrator tool intended for legitimate purposes. However, malware also often uses it, and attackers try to use it to run something malicious.
But how does the analyst know whether they have stumbled across something bad or benign? Human expertise can provide the context in this case. For example, a colleague may have authorized access or an approved change in the background that explains the process, a situation the machine cannot be aware of. Only with this additional information can it be determined whether an action is justified or possibly malicious.
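The split described above, an automated rule that flags PsExec-style remote execution and a human who decides with context, as an added example (not code from the Sophos article). All events, host names, accounts and the change-ticket table are constructed sample data; the "admin-" and "dc-" host-naming convention is an assumption made for the example. The rule only ever produces "authorized", "needs_review" or "benign"; it never labels anything "malicious" on its own.

```python
"""Added example (not from the Sophos article): an automated rule flags PsExec-style
remote execution, then attaches the context a human analyst needs to classify it.
Log lines, host names and the change-ticket table are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events in a simplified, already-normalized form:
# (timestamp, source host, target host, account, process/service name)
SAMPLE_EVENTS = [
    ("2024-05-06T02:14:00", "admin-ws01", "fs-02", "CORP\\jsmith", "PSEXESVC"),
    ("2024-05-06T03:40:00", "hr-laptop17", "dc-01", "CORP\\hr_temp", "PSEXESVC"),
    ("2024-05-06T09:05:00", "admin-ws01", "web-03", "CORP\\jsmith", "notepad.exe"),
]

# Constructed change records: who was authorized to run remote admin tasks, where, and when.
AUTHORIZED_CHANGES = [
    {"account": "CORP\\jsmith", "targets": {"fs-02", "fs-03"},
     "start": "2024-05-06T02:00:00", "end": "2024-05-06T04:00:00", "ticket": "CHG-0001"},
]


@dataclass
class Finding:
    event: tuple
    verdict: str                      # "authorized", "needs_review" or "benign"
    reasons: list = field(default_factory=list)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def automated_rule(event) -> bool:
    """The machine part: flag anything that looks like the PsExec service being started."""
    proc = event[4]
    return proc.upper().startswith("PSEXESVC")


def add_context(event) -> Finding:
    """Attach the context a human needs; never decide 'malicious' automatically."""
    ts, src, dst, account, _ = event
    if not automated_rule(event):
        return Finding(event, "benign", ["rule did not fire"])
    when = _parse(ts)
    # A matching change record is the 'colleague with authorized access' from the text.
    for chg in AUTHORIZED_CHANGES:
        if (chg["account"] == account and dst in chg["targets"]
                and _parse(chg["start"]) <= when <= _parse(chg["end"])):
            return Finding(event, "authorized", [f"covered by change {chg['ticket']}"])
    reasons = ["no change record covers this account/target/time"]
    # Assumed naming convention: admin workstations start with 'admin-', DCs with 'dc-'.
    if not src.startswith("admin-"):
        reasons.append(f"source host {src} is not an admin workstation")
    if dst.startswith("dc-"):
        reasons.append(f"target {dst} is a domain controller")
    return Finding(event, "needs_review", reasons)


def triage(events=SAMPLE_EVENTS) -> list:
    """Run the rule plus context enrichment over a batch of events."""
    return [add_context(e) for e in events]


if __name__ == "__main__":
    for f in triage():
        print(f.verdict, f.event[1], "->", f.event[2], "|", "; ".join(f.reasons))
```

The point of the design is where the boundary sits: the rule and the change-record lookup are cheap to automate, but the second event ends up in "needs_review" with reasons attached, and a person still has to decide whether a temp HR account running PsExec against a domain controller at night is an unrecorded but legitimate task or the start of lateral movement.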
Misconception Number 2: EDR Solutions Support Threat Searches
Threat hunting and Endpoint Detection and Response (EDR) are not the same thing. Using an EDR product does not automatically mean you are threat hunting. EDR is based on a large data set that is used to determine or query information. While EDR is an important tool for finding threats, it is only part of the whole process. There are many other sources of information that are extremely valuable, such as network traffic.
Threat hunters look beyond EDR data, for example at network logs, firewall logs, and intrusion detection and prevention logs, to get a holistic picture of the environment. Including data from third-party sources, such as Microsoft’s Active Directory, Office 365 data, or other applications, can enrich the data set. The larger this data set is, the easier it is to identify more complex threats.
Misconception Number 3: Just Feed The SIEM With Data For Threat Hunting
Security Information and Event Management (SIEM) offers a useful service because it provides an environment where a large amount of information can be accumulated and queried. But SIEM also has a big problem: it is very hard to keep the data consistent, and poor data quality rarely leads to good hunting results. The definition of quality data is often subjective. In essence, however, the point is that data from different systems is standardized and that data attributes are standardized wherever possible.
The quality of the data is crucial for the following reasons:
- It increases the productivity of a security threat search and makes it easier for the team to query large amounts of data and get consistent results.
- Standardized data attributes avoid having to merge disparate data records during a hunt. At the same time, they provide a richer context for identifying more complex threats.
- A good understanding of the quality of the data enables the team to have clear objectives about what data they can analyze and what cannot be analyzed. This helps with the coordination and prioritization of projects.
High-quality data enables hunters to identify complex threats faster and more precisely and thus to react to them more effectively and efficiently.
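What "standardized data attributes" across EDR, firewall and Active Directory sources look like in practice, as an added example (not code from the Sophos article) that serves both the multi-source passage under Misconception Number 2 and the data-quality passage above. The three source formats (an EDR JSON event with a millisecond epoch, a syslog-like firewall line with a UTC offset, an AD logon export in a European date format) are constructed, as are all records; none of the field names come from a real product.

```python
"""Added example (not from the Sophos article): normalize records from three differently
shaped sources into one common schema, then query them together. All source formats and
records are constructed sample data; the field names are assumptions for the example."""
import json
import re
from datetime import datetime, timezone

# The common schema every parser must emit, in this order.
COMMON_FIELDS = ("ts", "source", "host", "user", "action", "detail")


def _utc(dt: datetime) -> str:
    """One timestamp convention for everything: ISO-8601 in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def from_edr(line: str) -> dict:
    """Constructed EDR format: JSON with an epoch-millisecond timestamp and its own key names."""
    rec = json.loads(line)
    ts = datetime.fromtimestamp(rec["event_time_ms"] / 1000, tz=timezone.utc)
    return {"ts": _utc(ts), "source": "edr", "host": rec["hostname"].lower(),
            "user": rec["user"].lower(), "action": "process_start",
            "detail": rec["image_path"]}


FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<verdict>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def from_firewall(line: str) -> dict:
    """Constructed firewall format: syslog-like text with an ISO-8601 timestamp and offset."""
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unparsed firewall line: {line!r}")
    ts = datetime.fromisoformat(m["ts"])          # offset-aware, converted to UTC below
    return {"ts": _utc(ts), "source": "firewall", "host": m["host"].lower(),
            "user": None, "action": f"conn_{m['verdict'].lower()}",
            "detail": f"{m['src']}->{m['dst']}:{m['dport']}"}


def from_ad(line: str) -> dict:
    """Constructed AD logon export: CSV 'dd.mm.yyyy,HH:MM:SS,computer,account,logon_type' in UTC."""
    date, time_, computer, account, logon_type = line.split(",")
    ts = datetime.strptime(f"{date} {time_}", "%d.%m.%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": _utc(ts), "source": "ad", "host": computer.lower(),
            "user": account.lower(), "action": f"logon_type_{logon_type}",
            "detail": None}


PARSERS = {"edr": from_edr, "firewall": from_firewall, "ad": from_ad}


def normalize(records) -> list:
    """records: iterable of (source_name, raw_line). Returns common-schema dicts sorted by time."""
    out = []
    for source, raw in records:
        rec = PARSERS[source](raw)
        if tuple(rec) != COMMON_FIELDS:
            raise ValueError(f"parser for {source} did not emit the common schema")
        out.append(rec)
    return sorted(out, key=lambda r: r["ts"])


def events_for_host(records, host: str) -> list:
    """One query across all sources, possible only because the attributes are standardized."""
    return [r for r in normalize(records) if r["host"] == host.lower()]


# Constructed sample records, one per source, all describing the same few seconds.
SAMPLE = [
    ("edr", json.dumps({"event_time_ms": 1714961640000, "hostname": "FS-02",
                        "user": "CORP\\jsmith", "image_path": "C:\\Windows\\PSEXESVC.exe"})),
    ("firewall", "2024-05-06T04:13:50+02:00 fw-edge fw: ALLOW src=10.1.1.5 dst=10.1.2.9 dport=445"),
    ("ad", "06.05.2024,02:13:40,FS-02,CORP\\jsmith,3"),
]

if __name__ == "__main__":
    for r in normalize(SAMPLE):
        print(r)
```

Without the normalization step the three records disagree on timestamp format, time zone, host-name case and even which field holds the user, so a hunter would have to merge them by hand for every query. With it, the AD network logon, the SMB connection through the firewall and the PsExec service start line up on one UTC timeline and a single host filter returns the related events from every source.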
The Key To A Successful Threat Hunt
Data is just the beginning of a threat hunt. More important is how the data is used to identify the initial point of the threat. Making data usable so that you can work with it cannot be automated by machines; if that were possible, MDR (Managed Detection and Response) would not even exist.
The following key components are part of a successful threat search: assessments of the threats, a suitable method, good data, and a critical look at suspicious activity. If suspicious activity appears in the gray area, threat hunters can decipher the intent with strategic analysis. Only then can a decision be made as to whether a reaction is necessary or not.