Automatically Detect Critical Threats using Real-time Threat Hunting

Abstract

Category: Data Enrichment & Threat Intelligence, Endpoint

Cyware Products Used:

  • Orchestrate

  • Intel Exchange

  • Respond

Third-Party Integrations Used:

  • Splunk SIEM: Security information and event management (SIEM) tool to retrieve threat hunting events.

  • Microsoft Defender: An enterprise endpoint security platform to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Problem Statement

Security analysts perform threat hunting to proactively identify unknown threats within an organization's network. To perform threat hunting, security analysts leverage threat intelligence data from various sources, correlate them for analysis, make the intel relevant, and forward the findings so that the threat can be proactively blocked in their networks. In reality, analyzing large numbers of intel feeds received from internal and external sources is challenging.

Solution

Cyware’s Fusion Center uses an automated solution to solve this problem. The solution allows analysts to run a Cyware Orchestrate playbook from a threat intelligence platform to automatically perform critical operations. This includes tasks such as enrichment, threat hunting, and communication with security teams.

The threat hunting playbook queries the Microsoft Defender tool for malicious activities and retrieves the details. If any hits to malicious IOCs are detected, then the playbook performs a series of response actions to mitigate the threat.

How do we solve this problem?

  1. Trigger Threat Hunting: The playbook starts when a threat intel analyst triggers the threat hunting rule from the Intel Exchange application to find any malicious activities associated with a suspicious indicator. This retrieves the indicator from Intel Exchange and sends it to the Orchestrate threat hunting playbook.

  2. Playbook Event: The playbook receives the indicators from Intel Exchange, parses them, and prepares them for threat hunting.

  3. Perform Threat Hunting using Splunk SIEM: The playbook enriches the indicators using Splunk SIEM to find out if there are hits to the malicious IOC.

    • If no hits to malicious IOCs are detected, then the playbook sends an email report to the security teams and stops execution.

    • If any hits to malicious IOCs are detected, then the playbook performs the remediation actions mentioned in step 5.

  4. Enrich using Microsoft Defender: The playbook enriches the indicators using the Microsoft Defender tool to find out if there are any hits to the malicious IOC.

    • If no hits to malicious IOCs are detected, then the playbook sends an email report to the security teams and stops execution.

    • If any hits to malicious IOCs are detected, then the playbook performs the remediation actions mentioned in step 5.

  5. Remediation: If any malicious activities are detected during threat hunting, the playbook performs the following activities.

    1. Send Email Report: A consolidated report is sent to the security teams with the identified malicious IOCs and affected assets.

    2. Create Respond Incident: The playbook creates a new incident in Respond and updates the IOCs and assets for analyst investigation and response. You can also configure the playbook to update the ServiceNow incident table.

    3. Update Intel Exchange: The playbook also updates the notes of the indicator in Intel Exchange with the text "Identified in Threat Hunting" to inform threat intel analysts about the malicious nature of the indicator.
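
The indicator parsing and hit-correlation logic in steps 2 to 5, sketched as an added example that is not Cyware's playbook code: it refangs and types incoming indicators, matches them against events from two sources, and builds the consolidated IOC-to-asset report that drives the remediate or report-only decision. The event field names (`host`, `remote_ip`, `remote_url`, `sha256`), the source labels and all sample data are assumptions constructed for illustration, not Splunk or Microsoft Defender schemas, and the example assumes hits from both sources are merged into one report.

```python
import ipaddress
import re
from collections import defaultdict

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
FIELDS = ("remote_ip", "remote_url", "sha256")  # assumed event fields

def normalize(raw):
    """Refang and classify one value; return (type, value) or None."""
    v = raw.strip().lower().replace("[.]", ".")
    v = re.sub(r"^h(?:xx|tt)ps?://", "", v).split("/")[0]
    try:
        return ("ip", str(ipaddress.ip_address(v)))
    except ValueError:
        pass
    if SHA256_RE.match(v):
        return ("sha256", v)
    if DOMAIN_RE.match(v):
        return ("domain", v)
    return None  # unparseable input is dropped, never searched

def hunt(indicators, sources):
    """sources maps a source label to a list of event dicts."""
    iocs = {n for n in map(normalize, indicators) if n}
    hits = defaultdict(lambda: defaultdict(set))
    for source, events in sources.items():
        for ev in events:
            for field in FIELDS:
                obs = normalize(str(ev.get(field, "")))
                if obs in iocs:
                    hits[obs[1]][source].add(ev["host"])
    report = {ioc: {s: sorted(h) for s, h in by_src.items()}
              for ioc, by_src in hits.items()}
    # No hits: email report only. Any hit: remediation (step 5).
    return {"action": "remediate" if report else "report_only",
            "hits": report}

# Constructed sample data (documentation address ranges and names).
SAMPLE_IOCS = ["203.0.113[.]7", "hxxp://bad.example/payload", "not an ioc"]
SAMPLE_SOURCES = {
    "siem": [{"host": "ws-014", "remote_ip": "203.0.113.7"},
             {"host": "ws-020", "remote_ip": "198.51.100.9"}],
    "edr": [{"host": "srv-02", "remote_url": "http://BAD.example/x"},
            {"host": "ws-014", "remote_ip": "203.0.113.7"}],
}

if __name__ == "__main__":
    print(hunt(SAMPLE_IOCS, SAMPLE_SOURCES))
```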

Benefits

Singular View of Threats

Security teams can perform automated threat hunting by searching for IOCs in the Microsoft Defender and Splunk SIEM events and bringing them together into a single page to investigate and remediate incidents.

Faster incident response

SOAR solutions, when combined with Defender tools, can reduce the mean time to detect (MTTD) and mean time to respond (MTTR). Because many actions are automated, a large percentage of incidents can be investigated immediately and automatically.

Proactive Threat Hunting

The solution automatically detects malicious events, which lets security analysts hunt for threats proactively.