Cyber analysts are constantly flooded with a sea of data from a variety of sources—each with its own schema that must be aggregated and normalized before we can make sense of it at scale. As the volume and complexity of cyber threats continues to rise, organizations need to evolve their security operations and use this data to identify and respond to threats at incidents at scale.
There are typically two ways to “hunt the scale,” generalized as automated and manual:
Automated threat identification leverages tools to automate incident detection of potential threats.
Manual approaches, typically referred to as “threat hunting,” involve going beyond traditional detection technologies to search for patterns in data that might point to the behavior of a threat actor.
In both manual and automated threat detection, an analyst needs access to a lot of data, as well as an extensible data platform capable of running complex queries and analytics. Threat hunting data is commonly categorized as one of the following:
Indicators of compromise (IOCs): These are pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.
Tactics, Techniques and Procedures (TTPs): These describe the behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of actions within the context of a tactic.
As the world continues to scale cyber defense efforts beyond a single organization or entity, standardized frameworks become increasingly necessary to ensure that enterprises and individuals continue to speak the same language. The MITRE ATT&CK Framework is a knowledge base of adversary tactics and techniques, which enables analysts to derive the data necessary to conduct effective threat hunting activities.
Data sources that deliver the most value for threat hunting include:
PROCESS
MONITORING
PROCESS COMMAND-LINE
PARAMETERS
FILE
MONITORING
Every cybersecurity team must use a combination of manual and automated threat detection methods, both of which require some degree of data normalization. The broader an organization scales, the more important normalization becomes to effectively analyze data.
While automated analysis and detection is efficient, it’s less effective at detecting more advanced or previously unknown threat actors. Behavior-based detection techniques are highly effective, but require highly specialized resources and are not easy to scale. A well-designed threat hunting program manages data effectively, balancing cost with risk and focusing resources to protect the most critical assets.
