The main goal of threat hunting is to find new, unknown threats. Threat hunting is not just about finding the threats themselves, but also about uncovering evidence of attacks and learning how the attackers operate.
Here are ways you can automate threat hunting with security analytics:
1. Using Security Analytics to automatically find new attacks
2. Using Security Analytics to automatically find the attackers
3. Using Security Analytics to automatically detect and track the attacker’s activities
4. Using Security Analytics to automatically detect victims
5. Using Security Analytics to automatically build a profile of an attacker by combining all the evidence of their attacks and activities
Let us discuss each of these in detail below:
1. Using Security Analytics to automatically find new attacks
Security analytics uses statistical models, machine learning, and artificial intelligence to detect anomalies and flag them as potential incidents, so it can be used to automate threat hunting. Automation is useful when you are trying to make sense of large volumes of data and to detect threats that a human analyst could not find by manual review.
2. Using Security Analytics to automatically find the attackers
A security analytics platform can detect attackers and their malicious activities, find new threats, and alert you about them. It relies on behavioral analytics, machine learning, and artificial intelligence to identify a new threat.
3. Using Security Analytics to automatically detect and track the attacker’s activities
Using security analytics, you can automatically detect an attacker's activities by identifying the recurring patterns in their behavior. For instance, you might find that every time an attack happens, the attacker usually turns off one of your devices for a certain period.
4. Using Security Analytics to automatically detect victims
Security analytics can detect new victims by finding patterns in network traffic that indicate a device is under attack. For instance, if a device suddenly starts requesting a lot of data from a URL that it has never accessed before, that could be an indication of an attack.
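The "never accessed before" pattern above can be turned into a concrete check: learn which destinations each device normally talks to, then flag a device whose traffic to a destination outside that baseline exceeds a volume threshold. The following is an added example written for this article, not code from the original page or from any product; the proxy log format, the host names, the device names and the 1 MB threshold are all constructed assumptions.

```python
"""
Added example (not from the original article): flag devices that suddenly
pull a large volume of data from a destination they have never contacted.
The log format, field names, host names and threshold are assumptions.
"""
from collections import defaultdict

# Constructed proxy log lines: timestamp, device, destination host, bytes received.
BASELINE_LOG = """\
2024-05-01T09:00:01 host-a updates.example.com 4096
2024-05-01T09:05:12 host-a mail.example.com 12000
2024-05-01T09:07:40 host-b updates.example.com 5120
2024-05-01T10:11:03 host-b intranet.example.com 2048
"""

# Constructed lines for the window being hunted over.
NEW_LOG = """\
2024-05-02T09:01:00 host-a updates.example.com 4000
2024-05-02T09:02:00 host-a files.unknown-cdn.test 900000
2024-05-02T09:03:00 host-a files.unknown-cdn.test 1200000
2024-05-02T09:04:00 host-b intranet.example.com 1024
2024-05-02T09:05:00 host-b newsite.test 512
"""


def parse(log: str):
    """Yield (timestamp, device, host, bytes) tuples; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, device, host, nbytes = parts
        try:
            yield ts, device, host, int(nbytes)
        except ValueError:
            continue


def build_baseline(log: str) -> dict:
    """Map each device to the set of hosts it contacted during the baseline window."""
    seen = defaultdict(set)
    for _, device, host, _ in parse(log):
        seen[device].add(host)
    return dict(seen)


def detect_new_victims(baseline: dict, log: str, min_bytes: int = 1_000_000) -> list:
    """Return one alert per (device, host) pair where the host was never seen
    for that device in the baseline and the total bytes in the new window
    reach min_bytes. A single small first contact stays below the threshold
    so that ordinary browsing to a new site does not raise an alert."""
    new_volume = defaultdict(int)
    for _, device, host, nbytes in parse(log):
        if host not in baseline.get(device, set()):
            new_volume[(device, host)] += nbytes
    alerts = [
        {"device": device, "host": host, "bytes": total}
        for (device, host), total in new_volume.items()
        if total >= min_bytes
    ]
    return sorted(alerts, key=lambda a: (a["device"], a["host"]))


if __name__ == "__main__":
    model = build_baseline(BASELINE_LOG)
    for alert in detect_new_victims(model, NEW_LOG):
        print(f"{alert['device']} pulled {alert['bytes']} bytes from new host {alert['host']}")
```

The baseline window should be long enough to cover normal variation (for example a business week) and the threshold tuned per device class; a build server legitimately downloading from a new mirror looks very different from a workstation doing the same.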
5. Using Security Analytics to automatically build a profile of an attacker by combining all the evidence of their attacks and activities
Security analytics can build profiles of attackers by combining all the evidence of various malicious events that occurred during an attack.
For instance, if a website was hacked, you could use security analytics to find all the indicators of compromise (IoCs), such as IP addresses or domain names, that relate to the attacker who compromised your website.
The same goes for any other type of attack, such as ransomware or spam, where you can use security analytics to gather IoCs related to the victim(s), the attacker(s), the tools used, and other related information.
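Building a profile by "combining all the evidence" amounts to pivoting on shared indicators: two events that share an IP, domain, file hash or tool are linked, and the connected groups become the profiles. The following is an added example for this article, not code from the original page or any product; the event records, victim names, IP addresses (from documentation ranges) and indicator values are constructed, and the hash and tool values are labelled placeholders.

```python
"""
Added example (not from the original article): group security events into
attacker profiles by the indicators of compromise they share. Every event,
victim and indicator value below is constructed for illustration.
"""
from collections import defaultdict

# Constructed events. Each carries the indicators observed in it, keyed by type.
EVENTS = [
    {"id": "web-defacement", "victim": "www.example.test",
     "ioc": {"ip": "203.0.113.10", "domain": "c2.bad.test"}},
    {"id": "phish-1", "victim": "alice",
     "ioc": {"domain": "c2.bad.test", "sha256": "SHA256-PLACEHOLDER-1"}},
    {"id": "ransomware-1", "victim": "fileserver-01",
     "ioc": {"sha256": "SHA256-PLACEHOLDER-1", "tool": "TOOL-NAME-PLACEHOLDER"}},
    {"id": "scan-1", "victim": "vpn-gw",
     "ioc": {"ip": "198.51.100.7"}},
]


def _find(parent: list, i: int) -> int:
    """Union-find root lookup with path compression."""
    while parent[i] != i:
        parent[i] = parent[parent[i]]
        i = parent[i]
    return i


def build_profiles(events: list) -> list:
    """Link events that share any (type, value) indicator and return one
    profile per connected group, ordered by the first event in the group."""
    parent = list(range(len(events)))
    first_seen = {}  # (ioc type, value) -> index of first event carrying it
    for idx, ev in enumerate(events):
        for ioc_type, value in ev["ioc"].items():
            key = (ioc_type, value)
            if key in first_seen:
                # Same indicator already seen: merge the two event groups.
                parent[_find(parent, idx)] = _find(parent, first_seen[key])
            else:
                first_seen[key] = idx

    groups = defaultdict(list)
    for idx in range(len(events)):
        groups[_find(parent, idx)].append(idx)

    profiles = []
    for members in sorted(groups.values(), key=min):
        indicators = defaultdict(set)
        for idx in members:
            for ioc_type, value in events[idx]["ioc"].items():
                indicators[ioc_type].add(value)
        profiles.append({
            "events": [events[i]["id"] for i in members],
            "victims": sorted({events[i]["victim"] for i in members}),
            "indicators": {t: sorted(v) for t, v in sorted(indicators.items())},
        })
    return profiles


if __name__ == "__main__":
    for n, profile in enumerate(build_profiles(EVENTS), 1):
        print(f"profile {n}: events={profile['events']} victims={profile['victims']}")
        print(f"  indicators={profile['indicators']}")
```

In the constructed data the defacement, the phish and the ransomware event chain together through a shared domain and then a shared hash, even though no single pair of them shares every indicator; the scan stays a separate profile. In practice a very common indicator (a shared CDN address, a widely used admin tool) would glue unrelated events together, so production pivoting usually weights or excludes such high-frequency indicators before linking.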
In Conclusion
In summary, security analytics can be used to automatically find threats and detect the attackers behind them. It can also be used to detect new victims and to build a profile of an attacker.
While security analytics can automate these processes, it is a good idea to have an alerting mechanism in place that lets you review any alerts generated by the security analytics platform. This ensures that you can take action when one is needed.
Moreover, it is advisable to define thresholds for different security events and use them to trigger alerts. For instance, you can set a threshold for the number of failed logins, which warns you if there is an unusual increase or decrease in the number of failed logins.
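The failed-login threshold above, and the statistical anomaly detection the article describes under the first point, can both be implemented as a baseline with a band around it: learn the mean and spread of the hourly count, then alert when an observed hour falls above or below the band. The following is an added example for this article, not code from the original page or any product; the baseline counts, the sensitivity factor k and the minimum spread are constructed assumptions.

```python
"""
Added example (not from the original article): a statistical threshold on
hourly failed-login counts that alerts on unusual increases and unusual
decreases relative to a learned baseline. Baseline values, the factor k and
the minimum spread are assumptions chosen for illustration.
"""
from statistics import mean, pstdev

# Constructed hourly failed-login counts observed during normal operation.
BASELINE_COUNTS = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15, 14, 13]


def fit_threshold(counts: list, k: float = 3.0, min_sigma: float = 1.0) -> dict:
    """Learn the mean and population standard deviation of the baseline and
    derive a low/high band of k standard deviations. The spread is floored
    at min_sigma so that a perfectly flat baseline (sigma == 0) does not turn
    every one-count change into an alert."""
    mu = mean(counts)
    sigma = max(pstdev(counts), min_sigma)
    return {"mean": mu, "sigma": sigma, "low": mu - k * sigma, "high": mu + k * sigma}


def evaluate(model: dict, observed: int):
    """Return 'increase', 'decrease' or None for one observed hourly count.
    A decrease is worth alerting on too: a count that drops to zero often
    means the log source stopped sending rather than that attacks stopped."""
    if observed > model["high"]:
        return "increase"
    if observed < model["low"]:
        return "decrease"
    return None


def scan(model: dict, hourly: list) -> list:
    """Return (hour index, count, verdict) for every hour outside the band."""
    alerts = []
    for hour, count in enumerate(hourly):
        verdict = evaluate(model, count)
        if verdict:
            alerts.append((hour, count, verdict))
    return alerts


if __name__ == "__main__":
    model = fit_threshold(BASELINE_COUNTS)
    print(f"baseline mean={model['mean']:.1f} band=[{model['low']:.1f}, {model['high']:.1f}]")
    # Constructed observations for the hours being checked.
    for hour, count, verdict in scan(model, [14, 45, 13, 0, 12]):
        print(f"hour {hour}: {count} failed logins -> {verdict}")
```

With the constructed baseline the band works out to roughly 9 to 18 failures per hour, so a burst of 45 is flagged as an increase and a sudden 0 as a decrease, while the normal hours pass silently. Real deployments usually fit separate baselines per hour of day or per source system, since a login spike at 09:00 on Monday is normal and the same count at 03:00 on Sunday is not.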