Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

02:00 PM
Chris Hoff
Chris Hoff
Connect Directly
E-Mail vvv

Scale Up Threat Hunting to Skill Up Analysts

Security operation centers need to move beyond the simplicity of good and bad software to having levels of "badness," as well as better defining what is good. Here's why.

Findings of a recent SANS Institute survey "Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOC)" addressed hiring plans for 2020, including an assessment of what skills security managers believe are needed. Security operational skills were noted by respondents as the most needed, and for those responsible for threat hunting and malware analysis, the challenge for security managers is not only how to recruit talent, but how to continue up skilling for improved retention and career growth.

As noted in recent research from Cybersecurity Insiders, organizations are increasing their operational maturity and investments in threat hunting. Although threat hunting is still an emerging discipline, 93% of organizations agree that threat hunting should be a top security initiative to provide early detection and reduce risk. The challenge is that most threat hunting initiatives are manual, and with at least one million never-before-seen threats being released into the wild on a daily basis, it becomes an unscalable and cost prohibitive exercise.

Related Content:

7 Non-Technical Skills Threat Analysts Should Master to Keep Their Jobs

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: Securing Slack: 5 Tips for Safer Messaging, Collaboration

Malware analysis is central to many modern threat-hunting initiatives. Many organizations already do some form of threat hunting with most focused on searching for indicators of compromise in the hopes they will find something missed by traditional tools. But hope isn't a strategy. Security can't be a binary system of good and bad, and to be fair it never was. When the focus was simply on detection, anything that was not specifically bad, or malware, was assumed to be good. However, with the volume of threats seen each day increasing, that assumption has contributed to many breaches over the years. In order to improve the effectiveness of our security stacks, and begin to effectively automate a trustworthy response, we need to move beyond the simplicity of good and bad software to having levels of "badness," as well as better defining what is good. Only with the right context can we determine what threats to investigate and to understand if a threat will have a crippling impact or will simply be a nuisance.

Consider that by chasing irrelevant malware, threat hunters may miss the "big one." The key to knowing what malware to chase down is to quickly be able to understand how it's affecting you so you can better equip the security stack to address the problem. Improving our knowledge through automated threat-hunting tools helps get us to a place where this is possible. At the same time, in order to mature the skills of the security team, we must go beyond the binary good or bad of malware detection and give clear explanations why a behavior is malicious.

In order to achieve this context faster we need to move away from the manual process of reverse engineering, which can take hours or days to whittle down and reveal malware's essence, and move to automating the decryption and deobfuscation of files with explanations to speed the threat hunters' ability to detect, identify, and respond to threats. Simply put, automated analysis with context provides an understanding of what you're looking at, as well as the ability to explain the risks to less technical staff.

The technical benefits are obvious and include scaling up the SOC's productivity, reducing dwell time of malware, and speeding the remediation of zero-day threats. But the benefits of automated, context-aware threat hunting go further, enabling the SOC to expand visibility into file types and operating systems that were not previously being monitored due to lack of time or skills. Additionally, it allows the security team to reduce efforts spent on threats that have limited impact, and refocus on addressing new attack techniques and filling in gaps in the security architecture.

Automating malware analysis delivers productivity benefits and the ability to deliver faster responses, but just as importantly, can also provide insights for analyst education and up-skilling. The key to improved threat hunting and simultaneous up-skilling is having transparent and context-aware diagnoses that humans can understand, interpret, and act upon accordingly. Context-aware diagnoses enable organizations to "participate in their own rescue" by providing insights that are specific to how an attack relates to them. Understanding what the diagnosis means to the organization affects the response. And with finite resources, prioritization as to what to address and how to respond must also be taken into account. Not every organization needs to treat the exact same piece of malware alike. And with improved threat hunting, they won't have to.

Chris Hoff is product marketing manager at ReversingLabs. As a long time "security guy" he is currently driving the technical product marketing effort at ReversingLabs.  Chris has over 15 years of security experience driving innovation in roles at Sophos, Imperva and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting