Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10/8/2020
02:00 PM
Chris Hoff
Chris Hoff
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Scale Up Threat Hunting to Skill Up Analysts

Security operation centers need to move beyond the simplicity of good and bad software to having levels of "badness," as well as better defining what is good. Here's why.

Findings of a recent SANS Institute survey "Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOC)" addressed hiring plans for 2020, including an assessment of what skills security managers believe are needed. Security operational skills were noted by respondents as the most needed, and for those responsible for threat hunting and malware analysis, the challenge for security managers is not only how to recruit talent, but how to continue up skilling for improved retention and career growth.

As noted in recent research from Cybersecurity Insiders, organizations are increasing their operational maturity and investments in threat hunting. Although threat hunting is still an emerging discipline, 93% of organizations agree that threat hunting should be a top security initiative to provide early detection and reduce risk. The challenge is that most threat hunting initiatives are manual, and with at least one million never-before-seen threats being released into the wild on a daily basis, it becomes an unscalable and cost prohibitive exercise.

Related Content:

7 Non-Technical Skills Threat Analysts Should Master to Keep Their Jobs

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: Securing Slack: 5 Tips for Safer Messaging, Collaboration

Malware analysis is central to many modern threat-hunting initiatives. Many organizations already do some form of threat hunting with most focused on searching for indicators of compromise in the hopes they will find something missed by traditional tools. But hope isn't a strategy. Security can't be a binary system of good and bad, and to be fair it never was. When the focus was simply on detection, anything that was not specifically bad, or malware, was assumed to be good. However, with the volume of threats seen each day increasing, that assumption has contributed to many breaches over the years. In order to improve the effectiveness of our security stacks, and begin to effectively automate a trustworthy response, we need to move beyond the simplicity of good and bad software to having levels of "badness," as well as better defining what is good. Only with the right context can we determine what threats to investigate and to understand if a threat will have a crippling impact or will simply be a nuisance.

Consider that by chasing irrelevant malware, threat hunters may miss the "big one." The key to knowing what malware to chase down is to quickly be able to understand how it's affecting you so you can better equip the security stack to address the problem. Improving our knowledge through automated threat-hunting tools helps get us to a place where this is possible. At the same time, in order to mature the skills of the security team, we must go beyond the binary good or bad of malware detection and give clear explanations why a behavior is malicious.

In order to achieve this context faster we need to move away from the manual process of reverse engineering, which can take hours or days to whittle down and reveal malware's essence, and move to automating the decryption and deobfuscation of files with explanations to speed the threat hunters' ability to detect, identify, and respond to threats. Simply put, automated analysis with context provides an understanding of what you're looking at, as well as the ability to explain the risks to less technical staff.

The technical benefits are obvious and include scaling up the SOC's productivity, reducing dwell time of malware, and speeding the remediation of zero-day threats. But the benefits of automated, context-aware threat hunting go further, enabling the SOC to expand visibility into file types and operating systems that were not previously being monitored due to lack of time or skills. Additionally, it allows the security team to reduce efforts spent on threats that have limited impact, and refocus on addressing new attack techniques and filling in gaps in the security architecture.

Automating malware analysis delivers productivity benefits and the ability to deliver faster responses, but just as importantly, can also provide insights for analyst education and up-skilling. The key to improved threat hunting and simultaneous up-skilling is having transparent and context-aware diagnoses that humans can understand, interpret, and act upon accordingly. Context-aware diagnoses enable organizations to "participate in their own rescue" by providing insights that are specific to how an attack relates to them. Understanding what the diagnosis means to the organization affects the response. And with finite resources, prioritization as to what to address and how to respond must also be taken into account. Not every organization needs to treat the exact same piece of malware alike. And with improved threat hunting, they won't have to.

Chris Hoff is product marketing manager at ReversingLabs. As a long time "security guy" he is currently driving the technical product marketing effort at ReversingLabs.  Chris has over 15 years of security experience driving innovation in roles at Sophos, Imperva and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4626
PUBLISHED: 2020-11-30
IBM Cloud Pak for Security 1.3.0.1 (CP4S) could reveal sensitive information about the internal network to an authenticated user using a specially crafted HTTP request. IBM X-Force ID: 185362.
CVE-2020-4627
PUBLISHED: 2020-11-30
IBM Cloud Pak for Security 1.3.0.1(CP4S) potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 185367.
CVE-2020-4696
PUBLISHED: 2020-11-30
IBM Cloud Pak for Security 1.3.0.1(CP4S) does not invalidate session after logout which could allow an authenticated user to obtain sensitive information from the previous session. IBM X-Force ID: 186789.
CVE-2020-4900
PUBLISHED: 2020-11-30
IBM Business Automation Workflow 19.0.0.3 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 190991.
CVE-2020-4624
PUBLISHED: 2020-11-30
IBM Cloud Pak for Security 1.3.0.1 (CP4S) uses weaker than expected cryptographic algorithms during negotiation could allow an attacker to decrypt sensitive information.