Artificial Reality | The PatternEx Blog

Collections of the thoughts and the people behind the PatternEx Virtual Analyst Platform powered by AI2.

There Is No Auto-Pilot for Threat Hunting!

Vendors may claim complete automation for threat hunting, but they are promising the impossible.  PatternEx believes threat hunters need a co-pilot—not a replacement.

Let us agree on a "threat hunting" definition

This term has been used to describe many different roles and responsibilities.  Most people will agree threat hunting contains two key focus areas:

  1. Proactive security – looking for threats or active breaches lurking in the environment (but not yet escalated or detected)
  2. Reactive security – investigating escalated alerts, finding the root cause, and/or validating the threat itself

Threat hunters will usually be associated with a SOC.  Sometimes they will be part of incident response or security intelligence, depending on the organizational structure and size.  At times, threat hunters may be considered Level 3/Subject Matter Expert in title.  But in all cases, they will still perform the above tasks.

Can't we automate threat hunting completely?

Adversaries are very good at changing tactics or using multi-stage, low and slow attacks—all of which makes threat hunting a very challenging task that requires real-time context. So threat hunters have to learn from existing threat intelligence (internal and external to the organization), draw from past experiences, and generally use intuition to locate threats. Automation, even with AI, cannot replace the threat hunter.

The challenge, of course, is the technical sophistication and time it takes to achieve a successful hunt.

                    SIEM and Tier 1 Analyst Based Detection    Threat Hunting Based Detection
  False Positives   High                                       Low
  False Negatives   High                                       Low
  Threat Types      Basic to Intermediate                      APT, multi-stage, multi-entity
  Efficiency        High coverage, fast                        Narrow coverage, slow


How can we improve the efficiency and speed of threat hunting?

Many threat hunting teams want a more mature threat hunting process. This maturity requires some automation and the use of data science (to leverage AI technology), generally considered Level 4 or Level 5 of maturity (depending on the hunting maturity framework). At a high maturity level, threat hunting focuses on analysis—not the details of figuring out how to get data, sort data, and write code to find patterns. In this regard, PatternEx can act like a co-pilot to threat hunters and remove the mundane tasks of managing data, sifting through data, and doing trial-and-error modeling around data analysis.

What value does PatternEx add to threat hunting?

Even with AI, the threat hunter must be core to the hunting process.

With that in mind, PatternEx's Virtual Analyst Platform provides the following key benefits to threat hunting teams:

  1. Automated correlation for pattern matching across multiple data sources and multiple entities
  2. Fast conversion of hunt findings into AI models that can be shared with other analysts 
  3. Instant "playbooks" on hunt findings (for Tier 1/2 analysts) to run as part of their playbooks, no additional work needed
  4. Automated data science to leverage 50+ AI models "out of the box" or to create custom models without coding

If you or your organization need to increase the speed, efficiency, or maturity of your threat hunters, I encourage you to check out some resources that may help:

  1. Watch our webinar: AI Enabled Threat Hunting: Automation Through Auto Correlation
  2. Learn more about the technology

Or contact us for a deep dive discussion on how PatternEx can help mature your organization.  

Topics: SOC
