Creating Your Own Threat Hunting Army

Posted by Idan Bellayev on Sep 11, 2018 4:14:35 PM

Cyber intelligence is one of the strongest tools available for combating a potential attacker. Obtaining the information needed to build that intelligence from a reliable source is typically difficult and very expensive, but it doesn't have to be. You can create your own source of indicators of compromise (IOCs) from the security solutions you already run. Indicators extracted from your own network are evidence of what an attacker has already done there and a guide to what they will try next.

By using artificial intelligence (AI) to combine the output of your existing security tools with the telemetry of your endpoint detection and response (EDR) agents, you can create your own threat hunting army.

It’s a Race

In our previous Partner Perspectives blog post, we discussed the importance of staying one step ahead of your attacker by creating and planning for multiple possible attack scenarios. So, at this point, we already understand the power that lies within IOCs and the role they play in cyber defense.

Gathering information about an attacker is key to predicting their next move. But to have a true advantage over attackers, we must create dynamic indicators of attack (IOAs): descriptions of what the attacker does on a host (which process spawns which, what it writes, where it connects) rather than static artefacts such as file hashes or IP addresses, which change as soon as the malware is repacked or re-delivered. Having said that, we must acknowledge that we live in an ever-changing world where attackers develop new techniques in the blink of an eye. How can we keep up with them? How do we create and maintain all the rules required to foil their every possible move?

Step into the New World: Using AI to Hunt Attackers

It may not come as a surprise that the solution to this problem is AI technology. When facing a threat in your network, you can use EDR capabilities to detect the malicious process responsible for the activity that targeted your assets. After identifying that root cause, we can use EDR to deepen the search and find every action related to that process and the processes it spawned, documenting every activity that was performed, even those that would not raise a red flag on their own.
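The pivot described above, as an added example that is not part of the original post or empow's product: starting from one detected process (here, a shell spawned by an Office application), collect every event performed by that process or any of its descendants, while leaving unrelated activity on the same host out. The telemetry and its field names are constructed for the example and do not reflect any vendor's EDR schema.

```python
# Added example (not empow's code): pivoting from one detected malicious
# process to every event tied to it or its descendants. The telemetry below
# is constructed for the example and the field names are an assumption, not
# any vendor's EDR schema.
from collections import defaultdict

# Constructed sample: EDR-style events from one host, in time order.
EVENTS = [
    {"ts": 1, "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"ts": 2, "type": "process", "pid": 200, "ppid": 100, "image": "winword.exe"},
    # A document spawning a shell is the behaviour the detection keys on.
    {"ts": 3, "type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"ts": 4, "type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    # Individually unremarkable: a file write and a Run-key entry.
    {"ts": 5, "type": "file", "pid": 400, "path": r"C:\Users\a\AppData\Roaming\up.exe"},
    {"ts": 6, "type": "registry", "pid": 400,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\up"},
    {"ts": 7, "type": "process", "pid": 500, "ppid": 400, "image": "up.exe"},
    {"ts": 8, "type": "network", "pid": 500, "dst": "203.0.113.7:443"},
    # Unrelated user activity that must not be swept into the investigation.
    {"ts": 9, "type": "process", "pid": 600, "ppid": 100, "image": "notepad.exe"},
    {"ts": 10, "type": "file", "pid": 600, "path": r"C:\Users\a\notes.txt"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def process_images(events):
    """Map pid -> image name, taken from process-creation events."""
    return {e["pid"]: e["image"] for e in events if e["type"] == "process"}


def detect_root_cause(events):
    """Return the pid of the first shell spawned by an Office application, or None."""
    images = process_images(events)
    for e in events:
        if (e["type"] == "process" and e["image"] in SHELLS
                and images.get(e["ppid"]) in OFFICE_APPS):
            return e["pid"]
    return None


def descendants(events, root_pid):
    """Return root_pid plus every pid that descends from it."""
    children = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            children[e["ppid"]].append(e["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


def related_activity(events, root_pid):
    """Every event performed by the root process or one of its descendants, in time order."""
    pids = descendants(events, root_pid)
    return sorted((e for e in events if e["pid"] in pids), key=lambda e: e["ts"])


if __name__ == "__main__":
    root = detect_root_cause(EVENTS)
    print(f"root cause: pid {root}")
    for e in related_activity(EVENTS, root):
        detail = e.get("image") or e.get("path") or e.get("key") or e.get("dst")
        print(f"  ts={e['ts']:2d} {e['type']:8s} pid={e['pid']} {detail}")
```

Run stand-alone, the script names pid 300 as the root cause and lists the six events belonging to pids 300, 400 and 500, including the file drop, the Run-key write and the outbound connection; the notepad activity under the same parent is not included. On a real EDR the same walk runs over the process tree the agent already records, and the point of collecting the "boring" events is that the file and registry writes only become meaningful once they are tied to the shell that Word should never have launched.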

Machine learning technologies enable us to use data from previous encounters to better track and understand attack patterns. Using AI allows us to decipher the intent behind an attacker's footprints. These technologies elevate the synergy between different defense systems and EDRs, allowing us to create abstract attack patterns that are not limited to what we already know, so that unfamiliar threats can be detected in real time. Hand-written rules cannot keep pace with this: each new technique has to be observed, understood and encoded by a person before it becomes detectable, and the attacker moves faster than that loop. AI changes the game by putting defenders one step ahead of attackers.

Detecting the Unknown

Real-time hunting serves us well during live attacks because it widens the hunt from the host where the alert fired to every host on the network. This enables threat hunters to discover infected entities that weren't initially detected, whether because of gaps in detection coverage or because nobody expected them to be compromised in the first place.

Protect On Every Vector

For example, your anti-malware technology may detect an infection delivered through an email phishing campaign, yet miss a repacked variant of the same malware delivered through removable media as part of the same campaign. Signature-based anti-malware matches the artefact it has already seen, not the behaviour behind it, so it does not cover the other vectors attackers use to get the same payload into your network.
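To make the difference concrete, an added example (not code from the original post or from empow): the same malware family arrives once as a phishing attachment and once on a USB stick. A hash-based IOC fires only on the sample it was taken from; a behavioural IOA built from what the process does (drops an executable under AppData, adds a Run-key entry, connects out to a bare IP) fires on both and stays quiet on a benign installer that does two of the three. The sample bytes, telemetry and the IOA itself are constructed for illustration and are not a vendor rule.

```python
# Added example (not empow's code): the same malware family delivered two
# ways. A static IOC (file hash) matches only the sample it was taken from;
# a behavioural IOA matches both infections and ignores the benign case.
# Samples, telemetry and the IOA itself are constructed for illustration.
import hashlib
import ipaddress

# Constructed "binaries": B is A repacked, so its bytes and hash differ.
SAMPLE_A = b"MZ\x90\x00 loader v1 c2=203.0.113.7"
SAMPLE_B = b"MZ\x90\x00 UPX0 loader v1 c2=203.0.113.7 [repacked]"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# IOC feed built after the phishing wave: only sample A's hash was seen.
IOC_HASHES = {sha256(SAMPLE_A)}

# Constructed per-process telemetry for three cases. Each case records the
# binary that ran, what launched it, and the events it produced.
CASES = {
    "phishing_attachment": {
        "binary": SAMPLE_A,
        "parent": "winword.exe",
        "events": [
            ("file_write", r"C:\Users\a\AppData\Roaming\up.exe"),
            ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\up"),
            ("net_connect", "203.0.113.7:443"),
        ],
    },
    "usb_dropper": {
        "binary": SAMPLE_B,
        "parent": "explorer.exe",  # user double-clicked the file on the USB stick
        "events": [
            ("file_write", r"C:\Users\b\AppData\Roaming\svc.exe"),
            ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
            ("net_connect", "203.0.113.7:443"),
        ],
    },
    "benign_installer": {
        "binary": b"MZ\x90\x00 vendor setup",
        "parent": "explorer.exe",
        "events": [
            ("file_write", r"C:\Users\c\AppData\Local\Vendor\app.exe"),
            ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\app"),
            ("net_connect", "updates.vendor.example:443"),
        ],
    },
}


def ioc_match(case):
    """Static indicator: is the hash of what ran on the known-bad list?"""
    return sha256(case["binary"]) in IOC_HASHES


def _is_raw_ip(dst):
    host = dst.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ioa_match(case):
    """Behavioural indicator (illustrative, not a vendor rule): an executable
    dropped under the user's AppData, a Run-key persistence entry, and an
    outbound connection to a bare IP address, regardless of how the process
    was launched."""
    kinds = {}
    for kind, detail in case["events"]:
        kinds.setdefault(kind, []).append(detail)
    dropped_exe = any(d.lower().endswith(".exe") and "\\appdata\\" in d.lower()
                      for d in kinds.get("file_write", []))
    persistence = any("\\currentversion\\run\\" in d.lower()
                      for d in kinds.get("reg_set", []))
    raw_ip_c2 = any(_is_raw_ip(d) for d in kinds.get("net_connect", []))
    return dropped_exe and persistence and raw_ip_c2


def evaluate(cases=CASES):
    """Return {case_name: (ioc_hit, ioa_hit)}."""
    return {name: (ioc_match(c), ioa_match(c)) for name, c in cases.items()}


if __name__ == "__main__":
    for name, (ioc, ioa) in evaluate().items():
        print(f"{name:20s} IOC={ioc!s:5s} IOA={ioa}")
```

The IOA deliberately never looks at the parent process or the hash, which is what lets it survive the change of delivery vector; the cost is that each clause has to be chosen so that ordinary software (the installer here) does not trip all of them at once, which is the tuning work the post attributes to the machine-learning side.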

Protect Isolated Environments

When a sophisticated attacker reaches an isolated segment with little or no detection coverage, AI can still aid in detecting the attack. If your hunter is sniffing for dynamic IOAs on hosts that seem unrelated to the primary attack, it provides sight where we were previously blind. AI also supplies the context required to uncover the fingerprints of unfamiliar IOCs, fitting the puzzle pieces together so we can reveal the attacker's real intent. The increased visibility and context provided by AI enable us to defend ourselves even against the most vicious "zero-days" and APTs.

Stay Proactive

Proactive hunting is especially useful against a persistent attacker. A hunt that has found the attacker once can be saved as a detection engine and left running, a "digital watch dog" that fires should they attempt to strike again. Saved hunters can be shared with other networks and organizations, so assets elsewhere are protected by what you have already learned.

Defend Against Recurring Attackers

Using the security tools and EDR solutions already in your environment to create your own dynamic IOAs will enable you to keep up with attackers and protect against the next strike. AI takes this to the next level with intent deciphering and real-time detection and response, tuning your security environment to today's threats. The result is brand new ammunition against recurring attackers.

Learn more about empow Networks at www.empowcybersecurity.com.

Topics: Detecting Attacks, Artificial Intelligence