Is human threat hunting a fool’s errand?
We all have witnessed automated advances creep into our modern threat hunting processes – and with good reason. As the rate of cyberattacks steadily increases, automated threat hunting processes are being integrated to help stem the tide by providing quicker security insights, more efficient operations, and human error reductions.
But are we really getting better, or are we just doing the wrong things faster? Which things can be automated so that many protections happen in real time? The real goal is to take humans out of some loops completely, allowing them to concentrate on doing things that only humans can do.
The state of threat hunting
Cybersecurity professionals are facing increasing challenges, thanks to a worsening threat landscape and limited resources to effectively protect their IT environment. 52% of cybersecurity professionals told us that they consider detection of advanced threats to be a top challenge facing their SOC. Lack of expert security staff to assist with threat mitigation is a close second (47%), followed by too much time wasted on false positive alerts (40%).
For starters, it’s important to note that threat hunting requires deep knowledge of one’s network, and each individual process is unique. Threat hunters need to know their organization’s weaknesses, but unfortunately, a lot of companies are starting to realize that truly qualified threat hunters are rare. Most current threat hunting processes are initiated by system-generated alerts that call for some sort of human action. Most of the threat hunters I’ve spoken with say that they try to dig into maybe 7-8% of these alerts, but realistically speaking, only 1-3% are addressed.
TSA would never open just 3% of bags that have been flagged for weapons – they would inspect every single one. Why should threat hunting be any different? Just as it only takes one bomb to bring an airplane down, it only takes one compromise to kill your company forever.
Humans are effectively slowing the threat hunting process down. We must safely get to a place where anything completely out of bounds is automatically detected and killed, giving actual threat hunters the bandwidth to do the in-depth cybersecurity tasks that require a human in the loop.
Should threat hunting be fully automated?
Automating the low-hanging fruit of your threat hunting processes will better equip your company to keep up with the ever-evolving attack landscape and empower your threat hunters to use their resources more efficiently.
What do I mean by “low-hanging fruit”? Let’s say, for instance, you work for a small company that only sells to customers in the US and Canada – why would one of your hosts be pushing massive volumes of data to Brazil? If a machine connects to a website written in a language nobody in the company speaks, that is curious and a potential indication of compromise. In any case, you shouldn’t be pushing data to such a site – at most you should be pulling data from it. The manual remedy would be to install or update your firewall rules, but the bad guys aren’t dumb, and they’re not slow. They automatically reroute when a node on their covert network is blocked, so by the time you’ve written a rule, it blocks a resource the bad guys will never need to use again. They have automatic redundancy and automated resilience.
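As an added illustration of the “low-hanging fruit” hunt just described (example code, not part of the original article), the function below aggregates constructed flow summaries per internal/external host pair and flags large egress to a country the business does not trade with, and flows where the host is pushing data rather than pulling it. The allowed-country set, the push ratio and the byte threshold are assumed tuning values for a hypothetical US/Canada-only company.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow summaries (not real traffic): internal host,
# external host, country of the external host, bytes sent, bytes received.
SAMPLE_FLOWS = [
    ("10.0.0.12", "203.0.113.7",  "US", 4_200,       1_800_000),  # normal browsing: pull
    ("10.0.0.12", "198.51.100.9", "CA", 9_000,       620_000),    # partner site: pull
    ("10.0.0.31", "192.0.2.55",   "BR", 950_000_000, 12_000),     # massive push to Brazil
    ("10.0.0.31", "192.0.2.55",   "BR", 870_000_000, 10_500),     # same pair, later flow
    ("10.0.0.44", "203.0.113.80", "US", 300_000_000, 2_000),      # push to an expected country
]

EXPECTED_COUNTRIES = {"US", "CA"}  # assumed: where the hypothetical company does business
PUSH_RATIO = 20.0                  # assumed: out/in ratio above which a flow counts as a push
MIN_BYTES_OUT = 100_000_000        # assumed: ignore small uploads (mail, form posts)


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    country: str
    bytes_out: int
    reasons: tuple


def hunt_egress(flows, expected=EXPECTED_COUNTRIES,
                push_ratio=PUSH_RATIO, min_bytes_out=MIN_BYTES_OUT):
    """Aggregate flows per (src, dst) and return alerts for out-of-bounds egress."""
    totals = defaultdict(lambda: [0, 0, None])  # bytes_out, bytes_in, country
    for src, dst, country, bytes_out, bytes_in in flows:
        entry = totals[(src, dst)]
        entry[0] += bytes_out
        entry[1] += bytes_in
        entry[2] = country
    alerts = []
    for (src, dst), (bytes_out, bytes_in, country) in totals.items():
        if bytes_out < min_bytes_out:
            continue  # too small to matter for this hunt
        reasons = []
        if country not in expected:
            reasons.append("unexpected_country")
        if bytes_out / max(bytes_in, 1) > push_ratio:
            reasons.append("push_not_pull")  # the host is a data source, not a consumer
        if reasons:
            alerts.append(Alert(src, dst, country, bytes_out, tuple(reasons)))
    return alerts
```

Both flows to 192.0.2.55 are summed before the thresholds apply, so a transfer split across many connections is still caught, while the US upload is flagged only for its direction.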
Other advantages you can expect when automating your threat hunting strategies include:
- Minimize the amount of time required for data collection
- Trim down threat noise by quickly sorting through levels of threats
- Easily fight off many attacks with automated responses
Don’t lose sight of the end goal
There’s no doubt that automation could be incredibly beneficial, but we must be careful not to use it to do the wrong thing faster. At the end of the day, threat hunting is all about really understanding every conversation, every connection, the role of each device and interaction, to make real-time automated protections a reality.
Further, the role of automated security controls is to take more and more of the load off humans over time. But critically, it is also the system’s role to get better and better at knowing when to wake a human because things have got out of hand. You don’t need to understand all the bad guys – you just need to prevent them from touching, controlling, monitoring, stealing or manipulating your data, or from maintaining back doors into your systems.