Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

02:00 PM
Chris Hoff
Chris Hoff
Connect Directly
E-Mail vvv

Scale Up Threat Hunting to Skill Up Analysts

Security operation centers need to move beyond the simplicity of good and bad software to having levels of "badness," as well as better defining what is good. Here's why.

Findings of a recent SANS Institute survey "Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOC)" addressed hiring plans for 2020, including an assessment of what skills security managers believe are needed. Security operational skills were noted by respondents as the most needed, and for those responsible for threat hunting and malware analysis, the challenge for security managers is not only how to recruit talent, but how to continue up skilling for improved retention and career growth.

As noted in recent research from Cybersecurity Insiders, organizations are increasing their operational maturity and investments in threat hunting. Although threat hunting is still an emerging discipline, 93% of organizations agree that threat hunting should be a top security initiative to provide early detection and reduce risk. The challenge is that most threat hunting initiatives are manual, and with at least one million never-before-seen threats being released into the wild on a daily basis, it becomes an unscalable and cost prohibitive exercise.

Related Content:

7 Non-Technical Skills Threat Analysts Should Master to Keep Their Jobs

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: Securing Slack: 5 Tips for Safer Messaging, Collaboration

Malware analysis is central to many modern threat-hunting initiatives. Many organizations already do some form of threat hunting with most focused on searching for indicators of compromise in the hopes they will find something missed by traditional tools. But hope isn't a strategy. Security can't be a binary system of good and bad, and to be fair it never was. When the focus was simply on detection, anything that was not specifically bad, or malware, was assumed to be good. However, with the volume of threats seen each day increasing, that assumption has contributed to many breaches over the years. In order to improve the effectiveness of our security stacks, and begin to effectively automate a trustworthy response, we need to move beyond the simplicity of good and bad software to having levels of "badness," as well as better defining what is good. Only with the right context can we determine what threats to investigate and to understand if a threat will have a crippling impact or will simply be a nuisance.

Consider that by chasing irrelevant malware, threat hunters may miss the "big one." The key to knowing what malware to chase down is to quickly be able to understand how it's affecting you so you can better equip the security stack to address the problem. Improving our knowledge through automated threat-hunting tools helps get us to a place where this is possible. At the same time, in order to mature the skills of the security team, we must go beyond the binary good or bad of malware detection and give clear explanations why a behavior is malicious.

In order to achieve this context faster we need to move away from the manual process of reverse engineering, which can take hours or days to whittle down and reveal malware's essence, and move to automating the decryption and deobfuscation of files with explanations to speed the threat hunters' ability to detect, identify, and respond to threats. Simply put, automated analysis with context provides an understanding of what you're looking at, as well as the ability to explain the risks to less technical staff.

The technical benefits are obvious and include scaling up the SOC's productivity, reducing dwell time of malware, and speeding the remediation of zero-day threats. But the benefits of automated, context-aware threat hunting go further, enabling the SOC to expand visibility into file types and operating systems that were not previously being monitored due to lack of time or skills. Additionally, it allows the security team to reduce efforts spent on threats that have limited impact, and refocus on addressing new attack techniques and filling in gaps in the security architecture.

Automating malware analysis delivers productivity benefits and the ability to deliver faster responses, but just as importantly, can also provide insights for analyst education and up-skilling. The key to improved threat hunting and simultaneous up-skilling is having transparent and context-aware diagnoses that humans can understand, interpret, and act upon accordingly. Context-aware diagnoses enable organizations to "participate in their own rescue" by providing insights that are specific to how an attack relates to them. Understanding what the diagnosis means to the organization affects the response. And with finite resources, prioritization as to what to address and how to respond must also be taken into account. Not every organization needs to treat the exact same piece of malware alike. And with improved threat hunting, they won't have to.

Chris Hoff is product marketing manager at ReversingLabs. As a long time "security guy" he is currently driving the technical product marketing effort at ReversingLabs.  Chris has over 15 years of security experience driving innovation in roles at Sophos, Imperva and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Sure you have fire, but he has an i7!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-05
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
PUBLISHED: 2021-03-04
On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.
PUBLISHED: 2021-03-04
Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.
PUBLISHED: 2021-03-04
Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format.
PUBLISHED: 2021-03-04
A possible arbitrary memory overwrite vulnerabilities in quram library version prior to SMR Jan-2021 Release 1 allow arbitrary code execution.