Findings of a recent SANS Institute survey "Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOC)" addressed hiring plans for 2020, including an assessment of what skills security managers believe are needed. Security operational skills were noted by respondents as the most needed, and for those responsible for threat hunting and malware analysis, the challenge for security managers is not only how to recruit talent, but how to continue up skilling for improved retention and career growth.
As noted in recent research from Cybersecurity Insiders, organizations are increasing their operational maturity and investments in threat hunting. Although threat hunting is still an emerging discipline, 93% of organizations agree that threat hunting should be a top security initiative to provide early detection and reduce risk. The challenge is that most threat hunting initiatives are manual, and with at least one million never-before-seen threats being released into the wild on a daily basis, it becomes an unscalable and cost prohibitive exercise.
Malware analysis is central to many modern threat-hunting initiatives. Many organizations already do some form of threat hunting with most focused on searching for indicators of compromise in the hopes they will find something missed by traditional tools. But hope isn't a strategy. Security can't be a binary system of good and bad, and to be fair it never was. When the focus was simply on detection, anything that was not specifically bad, or malware, was assumed to be good. However, with the volume of threats seen each day increasing, that assumption has contributed to many breaches over the years. In order to improve the effectiveness of our security stacks, and begin to effectively automate a trustworthy response, we need to move beyond the simplicity of good and bad software to having levels of "badness," as well as better defining what is good. Only with the right context can we determine what threats to investigate and to understand if a threat will have a crippling impact or will simply be a nuisance.
Consider that by chasing irrelevant malware, threat hunters may miss the "big one." The key to knowing what malware to chase down is to quickly be able to understand how it's affecting you so you can better equip the security stack to address the problem. Improving our knowledge through automated threat-hunting tools helps get us to a place where this is possible. At the same time, in order to mature the skills of the security team, we must go beyond the binary good or bad of malware detection and give clear explanations why a behavior is malicious.
In order to achieve this context faster we need to move away from the manual process of reverse engineering, which can take hours or days to whittle down and reveal malware's essence, and move to automating the decryption and deobfuscation of files with explanations to speed the threat hunters' ability to detect, identify, and respond to threats. Simply put, automated analysis with context provides an understanding of what you're looking at, as well as the ability to explain the risks to less technical staff.
The technical benefits are obvious and include scaling up the SOC's productivity, reducing dwell time of malware, and speeding the remediation of zero-day threats. But the benefits of automated, context-aware threat hunting go further, enabling the SOC to expand visibility into file types and operating systems that were not previously being monitored due to lack of time or skills. Additionally, it allows the security team to reduce efforts spent on threats that have limited impact, and refocus on addressing new attack techniques and filling in gaps in the security architecture.
Automating malware analysis delivers productivity benefits and the ability to deliver faster responses, but just as importantly, can also provide insights for analyst education and up-skilling. The key to improved threat hunting and simultaneous up-skilling is having transparent and context-aware diagnoses that humans can understand, interpret, and act upon accordingly. Context-aware diagnoses enable organizations to "participate in their own rescue" by providing insights that are specific to how an attack relates to them. Understanding what the diagnosis means to the organization affects the response. And with finite resources, prioritization as to what to address and how to respond must also be taken into account. Not every organization needs to treat the exact same piece of malware alike. And with improved threat hunting, they won't have to.