The Role of Automation and Human Analysis in Threat Hunting

HumanvsAutomation.png

As new techniques used to evade network defenses continue to emerge, enterprise security teams are increasingly turning to threat hunting to reduce the duration and damage of successful attacks. Yet, what comprises the actual activity of threat hunting is a topic of hot debate among cyber security experts. 

One of the looming questions on many CISOs minds is: ‘Can threat hunting be automated?’

Hard liners exist on either side of this question, but who is correct?

Argument #1: Machines can never replace Humans

Many voices within the security community call for a human-focused threat hunting methodology. For those that subscribe to this line of thinking, automation tools should be used for the bare minimum activities, such as data collection and correlation, while actual analysis and conclusions should be left to a well-trained analyst. Some of these advocates have even argued for an extreme definition of threat hunting; one limited to only human activities done beyond or in-spite of the conclusions delivered by automated tools. 

There is some support for the human-focused methodology from within experts in the security community:

 The SANS Institute's Robert M. Lee and Rob Lee offered the following in the The Who, What, Where, When, Why and How of Effective Threat Hunting:

“Despite common misconceptions, threat hunting cannot be fully automated...what is powerful about threat hunting is that it pits human defenders against human adversaries.” 

Jake Williams, a well-known malware expert, backs up this white paper with the following tweet:

“You can’t automate hunting done right, period.”

Simon Crosby, the CTO of Bromium, stated the following in a Dark Reading article

“Cybersecurity is a domain where human expertise will always be needed to pick through the subtle differences between anomalies. Rather than waste money on the unproven promises of ML and AI-based security technologies, I recommend that you invest in your experts, and in tools that enhance their ability to quickly search for and identify components of a new attack.”

Argument #2: Threat Hunting is too big of a problem for humans – it needs AI

On the other end of the argument, many experts and certainly vendors, see automation as the next logical step in threat hunting. A simple search for “automated” AND “threat hunting” will give you the scope of organizations claiming to do just that. 

One expert worth following in this area is Alex Pinto, Chief Data Scientist at Niddel who offered this in a podcast:

“Using human analysts to review every scenario doesn't scale, especially given the complexity and number of factors they have to explore in order to make a decision… When we automate as much of this process as possible, we improve efficiency, the use of our team’s time, and consistency.”

Of course, there is some agreement that good decisions on what, and how, to automate are required for this approach. You can’t just throw some data scientists at the problem without experienced hunters guiding the inputs and questions being asked – nor can it be allowed to remain static against an ever changing threat.

Argument #3: The Middle Road – Liberate the Humans

Brian Concannon of Vector8 believes automation will “liberate” humans. He argues there is a role for humans, but much of the heavy lifting and tasks required in threat hunting can, and should, be automated. He points out several items in his article that automation is good at:

  • Collecting and manipulating datasets
  • Performing lookups
  • Querying for a particular pattern or behavior
  • Any single task that takes 10 clicks when it could be done with 2

Infocyte is an advocate of this third approach. We don’t think relying solely on human detection is effective at scale. While human intuition is critical to hunting sophisticated threats in complex environments, we also have to consider the sheer scale of the persistent compromise problem and the lack of experienced people to throw at it. 

Based on our in-depth experience as real-world hunters, we learned that only way to scalably address the issue of finding hidden compromises within organizations is to use automation to create a repeatable process that can evolve to keep ahead of changing threats. This is why we created Infocyte HUNT.

Infocyte’s Scalable Approach to Hunt Automation

One reason for the false belief that hunting can’t be automated is the fact that most automated real-time defensive tools are only automating attack prevention and detection. They aren’t built to peer into the internals of networked systems to look for post breach indications of compromise (see MITRE’s ATT&CK matrix for examples of the types of things an automated hunt solution should look for). 

Post breach detection is different. Infocyte HUNT assumes endpoints are already compromised and then uses an approach called Forensic State Analysis (FSA) to find definitive proof. It sweeps thousands of endpoints, spending a couple minutes on each host, and conclusively validates their state by answering the questions: 

  • What is running? 
  • What is scheduled or triggered to run? 
  • Is there any evidence of manipulation of the host operating system? 

The answers to these questions let us determine if a system or network is "Compromised" or "Not Compromised".

For mature security organizations, Infocyte’s automation takes care of the lower order persistent threats and empowers human analysts to find the truly stealthy ones. The Infocyte platform gives experienced hunters access to the unfiltered forensic state data and presents it using enriched data stacking principles. Manual malware analysis drill-down is also available in-app for diving into a potential threat that isn’t directly characterized by automated engines.

For organizations new to hunting or with limited security personnel, automation is critical to enabling any threat hunting capabilities at all. The fact is, most organizations simply don’t have the manpower or expertise to effectively hunt – but it’s simply not an option to let a threat dwell in their network undetected. A well-tuned automated threat hunting tool, built by a team of experienced hunters like those at Infocyte, can give a resource-strapped organization the safety net it needs to ensure successful attacks aren’t allowed unfettered access to their network.

To see how Infocyte can help your organization get started with hunting or scale your existing hunt team, schedule a demo.