How can SOC analysts hunt more efficiently? By not hunting

If you ask a Security Operations Center (SOC) analyst, “What’s your biggest challenge when hunting threats?” The majority will give a response like this, “We have a lot of disparate tools that we need to correlate together to identify what are actual threats vs. false positives and noise.”

The problem has plagued SOC analysts for years and is only getting worse as the proliferation of data, and lucrativeness of stealing it continues. Buried in alerts, SOC analysts scramble to manually decipher which ones need immediate attention. Oftentimes, they end up wasting time on lower priority alerts while the more critical ones slip by.

According to an IDC survey of C-level executives worldwide, 37% said they deal with at least 10,000 alerts every month — and 52% of those alerts are false positives. So how can SOC analysts hunt more efficiently? The answer is by not hunting at all. But before I explain further, let’s take a step back.

Defining the kill chain & lateral movement attacks

The goal of threat hunting is to identify a bad actor early in a cyber breach process such as a kill chain so that they are stopped before data is exfiltrated. Or, in the case of lateral movement, identify a bad actor or malicious insider before they seize more than one machine. Expanding on the cyber breach kill chain concept, there is a set of steps most bad actors take to break in and steal data. The steps have been defined by the industry based on historical patterns of criminal actions.

Here’s the typical sequence of events. An employee visits an infected website or is the victim of a phishing email and clicks on a malicious link, causing malware to be downloaded on their machine. The malware gives the bad actor access to the network. From there, the bad actor looks around and figures out to which applications and systems they can authenticate. Once the bad actor accesses the crowned jewels, they exfiltrate the data. The earlier a SOC analyst can identify the bad actor during this series of events, the faster the bad actor can be stopped.

For a lateral movement attack, a bad actor steals an employee’s credentials, logs into the person’s computer, and uses it as a jumping point to seize other machines. The goal for SOC analysts is to detect the compromised user before the bad actor can control more machines. This kind of attack is more difficult to detect. One main identifier is if an analyst sees a hundred logins in one minute, which means it’s not a human being (and most likely a bot), or if unusual behavior is detected such as “Jane” from the marketing department logged into the engineering SQL server.

Logging tools alone are not enough

To detect bad actors early in the kill chain or laterally moving from machine to machine, many organizations are using a logging tool that they have had for years. Based on what they have seen in the past, analysts manually build queries and rules for the logging tool to identify indicators of an attack. For example, if someone logs into a machine a hundred times, that’s a sign of an attack that a logging tool would detect and alert analysts.

The problem with this method is that a smart bad actor will distinguish themselves, by for example, logging into a different machine than what’s expected. They will complicate the attack, making it undetectable by the logging tool. Don’t get me wrong. logging tools are important cyber security tools and do have their place. They are excellent at aggregating and storing data coming from disparate security tools. However, there must be a level of intelligence on top of that functionality.

Disrupting the kill chain & lateral movement attacks, no threat hunting required

This is where security analytics and user and entity behavior analytics (UEBA) provides value. Security analytics platforms bring together and analyze data from disparate security tools, add their own proprietary algorithms including UEBA, and automatically detect scenarios that are known (i.e. the ones defined in rules and queries, however analysts don’t need to manually define them), as well as more complex threats. UEBA identifies and prioritizes unusual behaviors such as in the case of a compromised user, and whitelists behaviors that are business-as-usual reducing noise and false positives in the SOC.

With security analytics platforms, the only information SOC analysts receive is which threats need immediate investigation and why. For example, a security analytics platform automatically detects a bad actor that’s in the fourth stage of the kill chain, prioritizes and sends the threat to the analyst along with evidence that validates the claim. The analyst doesn’t need to hunt; the platform says, “You need to investigate this threat because it’s about to exfiltrate highly valuable data.”

Today’s SOC analysts have done the best they can with what they have, which in most cases is a logging tool. However, building queries and rules takes a lot of time, in addition to the problem of analysts being buried in alerts unable to decipher which ones are real. To enable SOC analysts to work more efficiently and prioritize and stop the most critical threats before valuable data is exfiltrated, there must be the extra level of intelligence that security analytics provide.

That does not make logging tools obsolete. They are still very much needed for aggregating and storing data. If anything, security analytics optimize logging tools’ effectiveness, ingesting the tool’s data as another piece of the puzzle of who and where is the threat so it can be stopped.