Scale Up Threat Hunting to Skill Up Analysts


Security operation centers need to move beyond the simplicity of good and bad software to having levels of “badness,” as well as better defining what is good. Here’s why.

Findings of a recent SANS Institute survey “Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOC)” addressed hiring plans for 2020, including an assessment of what skills security managers believe are needed. Security operational skills were noted by respondents as the most needed, and for those responsible for threat hunting and malware analysis, the challenge for security managers is not only how to recruit talent, but how to continue up skilling for improved retention and career growth.

As noted in recent research from Cybersecurity Insiders, organizations are increasing their operational maturity and investments in threat hunting. Although threat hunting is still an emerging discipline, 93% of organizations agree that threat hunting should be a top security initiative to provide early detection and reduce risk. The challenge is that most threat hunting initiatives are manual, and with at least one million never-before-seen threats being released into the wild on a daily basis, it becomes an unscalable and cost prohibitive exercise.

Malware analysis is central to many modern threat-hunting initiatives. Many organizations already do some form of threat hunting with most focused on searching for indicators of compromise in the hopes they will find something missed by traditional tools. But hope isn’t a strategy. Security can’t be a binary system of good and bad, and to be fair it never was. When the focus was simply on detection, anything that was not specifically bad, or malware, was assumed to be good. However, with the volume of threats seen each day increasing, that assumption has contributed to many breaches over the years. In order to improve the effectiveness of our security stacks, and begin to effectively automate a trustworthy response, we need to move beyond the simplicity of good and bad software to having levels of “badness,” as well as better defining what is good. Only with the right context can we determine what threats to investigate and to understand if a threat will have a crippling impact or will simply be a nuisance.

Consider that by chasing irrelevant malware, threat hunters may miss the “big one.” The key to knowing what malware to chase down is to quickly be able to understand how it’s affecting you so you can better equip the security stack to address the problem. Improving our knowledge through automated threat-hunting tools helps get us to a place where this is possible. At the same time, in order to mature the skills of the security team, we must go beyond the binary good or bad of malware detection and give clear explanations why a behavior is malicious.

In order to achieve this context faster we need to move away from the manual process of reverse engineering, which can take hours or days to whittle down and reveal malware’s essence, and move to automating the decryption and deobfuscation of files with explanations to speed the threat hunters’ ability to detect, identify, and respond to threats. Simply put, automated analysis with context provides an understanding of what you’re looking at, as well as the ability to explain the risks to less technical staff.

The technical benefits are obvious and include scaling up the SOC’s productivity, reducing dwell time of malware, and speeding the remediation of zero-day threats. But the benefits of automated, context-aware threat hunting go further, enabling the SOC to expand visibility into file types and operating systems that were not previously being monitored due to lack of time or skills. Additionally, it allows the security team to reduce efforts spent on threats that have limited impact, and refocus on addressing new attack techniques and filling in gaps in the security architecture.

Automating malware analysis delivers productivity benefits and the ability to deliver faster responses, but just as importantly, can also provide insights for analyst education and up-skilling. The key to improved threat hunting and simultaneous up-skilling is having transparent and context-aware diagnoses that humans can understand, interpret, and act upon accordingly. Context-aware diagnoses enable organizations to “participate in their own rescue” by providing insights that are specific to how an attack relates to them. Understanding what the diagnosis means to the organization affects the response. And with finite resources, prioritization as to what to address and how to respond must also be taken into account. Not every organization needs to treat the exact same piece of malware alike. And with improved threat hunting, they won’t have to.

Chris Hoff is product marketing manager at ReversingLabs. As a long time “security guy” he is currently driving the technical product marketing effort at ReversingLabs.  Chris has over 15 years of security experience driving innovation in roles at Sophos, Imperva and … View Full Bio

 

Recommended Reading:

More Insights





Source link

Recent articles

Kubernetes basics for sysadmins | Enable Sysadmin

In this first of a two-part series, this article looks at similarities and differences in containers, virtual machines, and the pros and cons of each...

Change for the better? How travel might look after the pandemic

Mindfulness practice has helped keep me relatively sane throughout the pandemic so far, but no amount of living-in-the-moment can stop me from daydreaming...

Vietjet A321 suffers 4.27g hard landing at Dong Hoi | News

One of Vietjet Air’s Airbus A321s has apparently suffered structural damage after a hard landing at Dong Hoi airport in central Vietnam. FlightGlobal understands...

Monster Sanctuary Release Date on Consoles and PC Set for December

Monster Sanctuary from developer Moi Rai Games and publisher Team17 (Blasphemous) will soon leave Early Access. The colorful metroidvania is coming to the PlayStation...

Blender Animation ReTarget Addon Tutorial

NRK writes: This tutorial will show you how to use a new script I just finished writing that will take an armature with an...

SARS: Lagos under lockdown after protesters ‘shot’ | Nigeria

Heavy security presence in Nigeria’s biggest city; dozens taken to hospital after soldiers reportedly shot at protesters.Lagos was under lockdown on Wednesday as...

Leave a reply

Please enter your comment!
Please enter your name here