loader image
Mindflow won the Jury Prize at the FIC 2022 Startup Award! Get a demo to transform your SecOps forever.

Orchestrate your Threat Hunting tools to SOAR

threat hunting tools

Most of the time, threat management comes after an incident has occurred. You’re starting investigation processes after the alarm has been rung.

However, more advanced threats can go past your defenses without ringing the bell. To counter this, analysts need a complementary approach. They gather threat hunting tools and processes to perform proactive searches within your networks and detect and neutralize these more advanced threats before they cause damage.

They thus need to dedicate specific resources such as threat hunting tools and time to decipher deep malicious behavior to create specialized reports that aim to understand the attack in-depth and identify its root cause.

With the rise of more advanced threats, Threat Hunting is more than ever a critical process in your company. However, it is too often put on the side because of various factors, making your company vulnerable to the most dangerous threats.

Below we’ll see:

Threat hunting challenges

Looking at the global data concerning security breaches, we’ll find interesting facts about the need (lack) for Threat Hunting. In 2021, the average length of a breach going undetected was 212 days, up from 200days a year earlier. Combined with the fact that breaches are costing more money to companies, attacks are growing sneakier and deadlier.

Also, it means that they have evaded your defenses. From that point, either you’re waiting for the breaches to materialize, or you’re going to hunt them down proactively. In other words, if you consider the kill chain, Threat Hunting helps you gain visibility where you’re traditionally blind, between recon and action.

threat hunting challenges

Easy to say, hard to do. There are numerous challenges to implementing and conducting regular Threat Hunting processes. We’re listing some of them that your company may face today.

First, as we said above, Threat Hunting needs dedicated resources. Yet, resources are scarce. Even though the workforce gap was reduced in 2021, from 3.1 to 2.4 million workers shortage, there is still a gap to be fulfilled to ensure a proper level of defense in every company.

Also, cyber professionals’ salaries are growing at a fast pace. In 2020, they grew at 16.3%, five-fold more than tech salaries in the US. It’s becoming increasingly complex for companies to recruit top talents and thus properly perform advanced tasks, notably managing threat hunting tools and processes.

Even though a company was to recruit such talent with success, they would instead dedicate them to value-oriented tasks. Threat Hunting tasks regroup many manual processes that are time-intensive and tedious, thus creating a loss of value about an expensive human resource.

On top of that, companies have an increasing number of tools to use. Modern companies have, on average, 40 different tools available in their cybersecurity stack. Threat Hunting tools are thus diverse and create multiple panes of glass for the analysts, which is time-consuming.

Let’s describe the usual processes an analyst has to follow to proactively search for unknown threats on your network.

The analyst first consults their Threat Intelligence sources, such as RSS feeds, Threat Intelligence feeds and specialized blogs. Manually, they collect relevant or new information about unknown Tactics, Techniques, and Procedures (TTPs) employed by attackers and Indicators of Compromise (IOCs) of an attack.

At this point, the analyst notices a particular IOC, such as a Hash, indicating an early stage of the attack. The analyst now has to begin a further investigation about the IOC to determine its criticality by performing multiple queries on different threat hunting tools.

Once they validate the severity of the IOC collected, the analyst logs into your SIEM or your EDR to begin the hunt. They have to run queries on each of them to verify the presence of this particular IOC on your systems.

If your analyst is to find matches, they now have to start documenting them to create the incident reports, which the number of devices infected, files names, and other details.

Finally, the finished report is submitted to a higher Tier analyst for approval. Your analyst waits to notify the concerned parties.

The senior analyst, in turn, starts a deeper analysis of the threat. They try to discover new patterns that evaded your defenses and which tools the attacker used to improve your company’s defense against familiar attacks in the future. These tasks are the most challenging yet the most rewarding.

TH without SOAR

Without leveraging orchestration and automation technologies, your analysts are experiencing multiple stages of pain, especially when navigating between their Threat Hunting tools. This implies a risk of false-positive alerts during the process for rather easy-to-automate tasks.

Fortunately, the SOAR, thanks to its automation and orchestration capabilities, can drastically reduce the time and skills needed to perform Threat Hunting.

How you can leverage the SOAR to orchestrate your threat hunting tools and processes

As we said above, due to the variety of challenges using Threat Hunting tools, many companies have put it to the side. The SOAR makes this accessible. Let’s look at how your analysts can leverage a SOAR to ease the Threat Hunting process.

TH with SOAR

In a former article, we’ve described how a SOAR ingests Threat Intelligence thanks to automated workflows. When talking about Threat Hunting, these workflows deliver massive value. Once on your SOAR platform, you’re able to check for the results of your automated ingestion of relevant Threat Intelligence data from Threat Intelligence feeds.

Your analyst can check out a particular malicious intel within this data, like the one we’ve described above. Suppose your TI ingestion workflow hasn’t already planned cross-checking steps before multiple TI Feeds. In that case, your analyst can trigger a specific enrichment workflow to gather additional information, such as the criticality of the IOC.

Based on the results of this additional search, the analyst can trigger a threat hunting workflow across your company’s environment. Thanks to APIs integrated by the platform, the workflow starts querying the specific IOC gathered before your security tools, such as your SIEM and your EDR. Your analyst doesn’t have to jump between your Threat Hunting tools but wait to complete the search.

Once the search has been done, your analyst can generate a report based on the findings, such as the number and the criticality of the devices infected, the severity of the threat detected, files names, hashes, etc. Then he can elevate it to the senior analyst for decision.

As a matter of deeper investigation of the threat, the senior analyst can trigger another workflow. he can detonate the discovered file on a sandbox to report its effects, for instance, and check on the file history to reverse engineer the attacker’s TTPs.

Let’s recap the value brought by the SOAR

Automated Threat Intelligence ingestion: SOAR ingests Threat Intelligence data in a centralized data lake for the analyst to leverage it. It seamlessly integrates data from various sources like external threat intelligence feeds.

Proactive and Automated Threat Hunting process: Your analyst reduces the time needed to hunt down threats by using SOAR capabilities to search for malicious activity across your network automatically. By triggering workflows, they can find designated IOC faster and prepare the work for much more complex tasks, such as the correlation of the IOCs with attackers’ previously unknown TTPs.

Build automated workflows to streamline processes from a Single Platform: You can pre-build your incident response procedures from your SOAR platform, like Mindflow, by creating workflows with pre-built actions. Your SecOps teams thus acquire complete visibility about the Threat Hunting tools and processes activated to perform the hunt.

Using these workflows, your analysts automate the repeatable and time-consuming tasks described above and focus on forensics tasks to discover new TTPs.

Remediate Threats faster: Finally, the SOAR can leverage your environment – your EDR platforms or Mail Security tool, for instance – to automate the proper remediation of the discovered threat.

Paul-Arthur Jonville

CEO of Mindflow. I share our thoughts and vision about cybersecurity and how Mindflow can answer current issues on this blog.

About Mindflow

Mindflow is an agnostic and no-code SOAR making cybersecurity more accessible to face current challenges. It aims to break silos between technologies and teams, following Fusion center and Cybersecurity Mesh concepts.

Recent Posts