Threat hunting is arguably one of the trendiest parts of cybersecurity, but it can be a challenging task. In particular, searching for IOCs (indicators of compromise) in your environment is an area where importance and complexity are badly out of step: the information is easy to get from threat intelligence feeds, but taking that data and locating the IOCs in your organization's environment can be extremely difficult. Let's explore the three biggest challenges in turning threat intelligence into actionable information.
1. Data Alignment
Having a list of known malicious IPs, domains, file hashes, etc. is often not enough. SOC teams must either run expensive, time-consuming full-text searches or understand exactly where IOC data can be found within the schema of each data source. That means that if your team has logs from CrowdStrike, Okta, and Windows Event Logs, analysts need to understand how each of those individual data models is built so they can search them effectively.
A solution to this would be to create a unified schema across all data sources. This normally means leveraging an ETL tool (extract, transform, load) to ingest data from multiple sources and normalize it under a unified schema. SOCs often maneuver between several different software tools, so adding an ETL to the stack is yet another piece that adds complexity and cost to an already convoluted process.
2. Understanding the full context of an attack
Let’s assume you are successful in locating an IOC in your environment. Unfortunately, this is just the beginning of fully investigating the event.
Depending on the situation, a certain IOC may be more or less malicious (or not malicious at all) depending on the additional context. For example, if an IOC was seen once in your environment with no further activity, or was only found in a low-severity data source like external firewall logs, it may not need to be moved to the top of your priority list. However, if an IOC has been in continuous communication with one of your endpoints, this might be worth investigating immediately.
All of this means that it is imperative for SOC teams to be able to link IOCs to many different log sources to understand the full context of the IOC’s engagement.
Context can come from multiple places:
- Threat intelligence sources. Pulling public or private threat intel means teams must receive information in whatever form it is shared and fit it into their own threat detection and investigation systems. This can be a time-consuming and error-prone task.
- Internal data sources. Your organization may have data logs that come from internal tools like log management, but often these exist in a silo.
- Security tools. SOCs utilize multiple tools in order to secure their environments. Several tools may detect the same IOC, but if they are not connected it is difficult to correlate events together to get the full picture of its activity.
Connecting this data to get a full view of the entire attack surface is difficult, but it is necessary to take appropriate and effective action. If you can’t see it, how do you know what action to take?
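As an added example (not part of the original post, and not Hunters' code), the following Python shows the two steps the sections above describe: mapping three differently-shaped log sources onto one unified schema, then matching an IOC list against the normalized records and attaching the context (hit count, affected endpoints, source weighting) that decides priority. The source names, field names, severity weights, IOC values and log records are all constructed for illustration and are not any vendor's real schema.

```python
"""Added example (not from the original post): normalize records from three differently-shaped
log sources into one schema, then match IOCs and attach context. Everything here is constructed."""
from collections import defaultdict

# Constructed sample records; each source uses its own field names for the same facts.
RAW_LOGS = [
    ("edr", {"host": "ws-17", "remote_ip": "203.0.113.9", "sha256": "hash-placeholder-1"}),
    ("edr", {"host": "ws-17", "remote_ip": "203.0.113.9", "sha256": None}),
    ("edr", {"host": "ws-17", "remote_ip": "203.0.113.9", "sha256": None}),
    ("idp", {"user": "alice", "client_ip": "198.51.100.7", "outcome": "SUCCESS"}),
    ("firewall", {"src": "10.0.0.5", "dst": "203.0.113.9", "action": "deny"}),
    ("firewall", {"src": "10.0.0.5", "dst": "192.0.2.44", "action": "deny"}),
]
# Constructed IOC list, as it might arrive from a threat intel feed.
IOCS = {"203.0.113.9", "192.0.2.44", "hash-placeholder-1"}

# Per-source mapping of native field -> unified field: the "transform" step of an ETL.
SCHEMA_MAP = {
    "edr": {"host": "endpoint", "remote_ip": "remote_ip", "sha256": "file_hash"},
    "idp": {"user": "endpoint", "client_ip": "remote_ip"},
    "firewall": {"src": "endpoint", "dst": "remote_ip"},
}
# Hypothetical weighting: a hit on an endpoint sensor counts for more than an external firewall deny.
SOURCE_SEVERITY = {"edr": 3, "idp": 2, "firewall": 1}

def normalize(source, record):
    """Rename a native record's fields into the unified schema, tagging its origin."""
    mapping = SCHEMA_MAP[source]
    unified = {mapping[k]: v for k, v in record.items() if k in mapping and v is not None}
    unified["source"] = source
    return unified

def hunt(iocs, logs):
    """Match IOC values against every normalized record and summarize context per IOC."""
    hits = defaultdict(lambda: {"count": 0, "endpoints": set(), "sources": set(), "score": 0})
    for source, record in logs:
        row = normalize(source, record)
        for field in ("remote_ip", "file_hash"):
            value = row.get(field)
            if value in iocs:
                hit = hits[value]
                hit["count"] += 1
                hit["endpoints"].add(row["endpoint"])
                hit["sources"].add(source)
                hit["score"] += SOURCE_SEVERITY[source]
    return dict(hits)

def prioritize(hits):
    """Order IOCs so repeated endpoint contact outranks a single low-severity hit."""
    return sorted(hits, key=lambda v: (hits[v]["score"], hits[v]["count"]), reverse=True)
```

Running `prioritize(hunt(IOCS, RAW_LOGS))` puts the IP that three EDR records and one firewall record share at the top, while the IP seen only in a single firewall deny lands last.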
3. Lengthy searches
Organizations deal with larger and larger amounts of data every day. With more log sources, devices, applications and types of data, security teams that want to search raw data logs find themselves adjusting their strategy to the resources they have available.
When an organization is collecting multiple TBs a day, IOC searches can take multiple hours or longer. In practical terms, that means analysts begin a search, walk away from their desks, and lose context on their threat hunt before they get a single result from the query.
Full-text searches not only cost your organization time, they can also leave you with some surprisingly large bills from your SIEM or other security solution. When compute power is consumed in large quantities, the cost adds up quickly.
When this kind of time constraint and cost increase is placed on an action that could be business critical, problematic (and stressful) situations are inevitable.
The right tool for the job
Searching and hunting for IOCs can be complex, costly or clunky, so it is important to use the appropriate tools and processes to facilitate the task.
A few weeks ago we launched Hunters’ IOC Search bar to allow anyone in your SOC to search for IOCs and get results from raw data within seconds - without needing to write an SQL query. It is a simple, powerful and extremely fast tool that is built to help SOC teams increase accuracy and efficiency.
Using the IOC Search bar and combining it with the power of the Hunters complete SOC Platform, Hunters customers can tackle the three challenges above that come with IOC hunting. With Hunters you can:
- Ingest unlimited data (at a predictable cost), and normalize it under one unified schema.
- Automatically enrich and correlate data from all of your data sources in order to give you a detailed view of each IOC's complete activity within your environment.
- Search your raw data logs at lightning speed, returning actionable results within seconds.
Test drive Hunters' IOC Search here and be sure to follow us for more updates on how to optimize your SOC's operations.