Threat Hunting
What is Threat Hunting?
Threat hunting is the proactive search for leading indicators of an attack that might be missed by standard detection mechanisms because they either require additional context, human interpretation, or might be too noisy if they’re configured as alerts. Armor is constantly on the lookout for such emergent threats and attack vectors that might otherwise fly under the radar.
Often, threat hunting is an iterative process, whereby risks and concerns are progressively enriched based on context and threat intelligence to qualify and quantify such risks and explore how they might be exploited in your environment. The origin phases of threat hunting typically fall into these three categories:
- Intelligence-Driven – indicators from our curated threat intelligence feeds are used to identify potential attack vectors for your specific infrastructure and application footprint.
- Situation-Driven – context-specific scenarios (such as a risk assessment, penetration test, or other emergent findings) may prompt for further investigation into the potential for a given type of exploit.
- Analytics-Driven - behavioral profiles are automatically created as data flows into the SIEM and analytics platform. These profiles represent behavioral norms for each individual entity (users, hosts, and, applications). Deviations, especially those that follow specific patterns, are another interesting entrypoint for threat hunting campaigns.
Threat Hunting Automation
Armor leverages intelligent automations throughout the threat hunting process, including automated queries that are used to develop a hunting hypothesis, as well as programmatic scaffolding (such as Jupyter notebooks and automated enrichment jobs) to assist in maintaining consistency in all aspects of a hunting campaign.
Outcomes & Repeatability
Once hunting leads or hypotheses are validated, an investigation is launched (similar to investigations in an incident response context). If active exploitation is discovered, an incident is created just as it would be if the exploit had been discovered by the SIEM. Subsequently, the hypotheses are translated into correlation rules and investigation steps into enrichment jobs that can be reused to ensure that the specific type of attack can be detected automatically in the future.