Threat hunting has been primarily a playground for security experts to surface unknown threats. It is a proactive security approach where the hunt starts with a hypothesis about a hidden threat that may be already in the enterprise network. According to 2017 survey on threat hunting by the SANS Institute, nearly 45% of organizations hunt on an ad hoc basis. The ad hoc approach is ineffective and does not yield sufficient results to cover the cost of threat hunting. Considering a limited number of security analysts, the ad hoc threat hunting becomes a costly and expensive process. Also, threat hunting is typically performed by doing outlier detection of the data. For example, analysts typically do outlier detection to find suspicious processes out of Windows process logs. The outlier detection can be done using simple box plots, control charts or using more sophisticated unsupervised machine learning techniques. However, the output of all the outlier detection techniques is outliers/anomalies that still need to be audited/investigated by the security analysts. This adds more workload to the already overwhelmed security analyst.
Also, the security analysts are already overwhelmed with the alert deluge and they are able to investigate only 4-5% of the daily alerts. Hence, we need to find another approach that can bring more automation and eases the alert deluge load from the security analysts.
The fusion of data science and deceive security provides an opportunity to automatically validate many alerts and therefore provides an automated approach from threat hunting. Deceptive defense system provides a way to confirm an adversary presence with nearly 0% false alarms when the adversary bumps onto one of the deceptions. The modern set of deceptions is the reincarnation of honeypots, honeytokens, honeynets, and honeyfiles that blends well within the network and can dynamically change their configurations. When an adversary access a deception, it raises a positive affirmation of a threat. In this approach, one needs to use alerts and contextual security events along with deceptive security to rank the existing alerts. It takes away a lot of manual verification of various security alerts.
In our approach, threat hunting is performed in three steps: (1) Use an intelligence engine (Threat hunting intelligence engine) to identify a group of alerts that are typically not getting investigated by security analysts due to alerts deluge. The intelligence engine uses notable events along with contextual events to determine the deception type and configuration. (2) Use deception center to deploy and monitor the deceptions in the enterprise over/around the hosts that had alerts. Whenever an intruder bumps onto one of the deceptions then deception center generates an alert. (3) The deception alerts are high fidelity signals that indicate the presence of a threat. These deception alerts are correlated with notable events to update the ranking of alerts in SIEM for further investigation by the security analyst. This unique fusion of data science and deception provides an automated approach to significantly reduce the alert deluge load off the security analyst.
We will be providing more technical details of our approach in our talk at Splunk .conf 2017. If you are attending .conf’17 then stop by the community theatre on Sept. 27 at 12:45 pm. More details of the talk are provided at .conf’17 website.