Automating a threat-hunting playbook with the help of AI

Many threat-hunting playbooks we build for use cases can have between 50 to 100 steps – some even more than that. Even for an analyst well-versed in automation, this can easily take a one to two weeks to execute.

We asked ourselves, can we create an AI bot to do a lot of the hard work involved in building this sort of playbook to reduce the time it takes from approximately two weeks to perhaps two days, or even two hours? The short answer is yes.

Watch a step-by-step demo of how a threat-hunting automation assistant can help a security analyst take event data to find the proverbial needle in a haystack, all in under 15 minutes.

We created a short demo of this AI bot that can assist an analyst with automating a threat hunting playbook by using factor analysis – in under 15 minutes. The AI bot helps the analyst to determine the applicable factors, assign them scores, and then develop the logic to combine those scores into the final score.

The playbook defines which events and alerts match a certain threshold – say a 9 or 10 on a scale of 1 to 10 – which are then turned into an actionable case and sent to an analyst for review, along with a suggested response. The AI bot can help the analyst build a full threat hunting playbook in a matter of a few minutes to a few hours – depending on complexity.

eBook: The Definitive Guide to AI and Automation Powered Detection and Response
Why Your Next SOC Assistants Are Bots (and Your Networks Will Be More Secure Than Ever)

1. Build a new threat-detection playbook

We will walk through how an AI bot, a threat hunting automation assistant, can help a security analyst take any kind of event data and find the proverbial needle in the haystack. This can be done directly from the LogicHub interface. (If you’d like to follow along, you can download the LogicHub Free SOAR Edition, and build your own playbook).

2. The chat interface

LogicHub provides expert human guidance via live chat. Meanwhile, the AI bot asks for input on hunting a particular set of events. Let’s say the "haystack" is a collection of logs from audit events and you want to find the most suspicious one. We can start with the last 24 hours of data.

3. Go fetch

The bot assistant automatically creates notes on this basis, even with minimal input from the human analyst. A skilled automation engineer might take up to 10 minutes to do this manually, but our platform makes it possible with just a few clicks.

4. Figure out the factors

Use factor analysis to score the factors and combine those feature scores. In 24 hours, you might have 4,340 different unique events, 28 different event types, and 10 distinct user names. Nine event categories, six sources, and four user agents.

5. Determine users and user agents

Build a feature, such as a feature user agent, and manually score it. The human defines the parameters for the code so that the machine can do its part.

6. Automatic playbook building

The system will extract unique user agents, some of which may be standard use cases, others of which may be more suspicious. These can be scored higher. In this case, more than 4000+ events don’t need to be individually scored — just four features can be. This is called "dimensionality reduction," and this is the machine doing what it does best with initial human input.

7. Build another feature

We're done one with this user agent, and now we'll look at the username. The convention remains the same, but this time, I don't want to score it manually. Instead, I want to just look at the baseline. If it has existed in the baseline, score it low. If it doesn't exist in the baseline, score it high.

8. Build the baseline

Now we need to decide how often we want to build a baseline. I’m going to select once a day, and we can go back seven days. You could do 30 or 90 days as well, but for the demo, we’re just going to go with seven days and voila – the system already built the baseline for us.

Forrester analyst Allie Mellen joins LogicHub as a featured guest speaker to discuss the evolution of SOAR technology and how AI can enable a new generation of solutions for the SOC. Please join us on May 19th at 8:00am PT / 11:00am ET!

9. Obtain the final score by combining multiple feature scores

We have created two features, and both are scored. I scored the user agent manually, and I used a baseline to build the user name feature. We can build as many features as we’d like, but for this demo, we’ll just use these two features.

At this point, we need to be able to combine multiple feature scores into one final score that will tell us whether it is a “needle” or if it is “hay.” We can do this manually or use a machine learning (ML) model, such as the "nearest neighbor" model, whereby a few human-provided examples give the system the data to extrapolate other similar examples to be scored similarly.

For example, if the user agent score is nine and the username is zero, that’s a nine. Two zeros can be marked as zero and discarded. A zero and a five might be marked four. Using this final score based on human input, the system generates alerts with scores greater than five. This is not a case, which we only want to generate when a human security analyst needs to investigate. The threshold for cases is much higher, such as a bare minimum of eight on a one to 10 scale. And of course, we can adjust these scores at any time for any reason.

10. Ongoing feedback loop

As we go along, the system gets smarter and will reflect the logic of the analyst. It is no different than providing a feedback loop for a junior analyst. You would hope that after a month or two, the junior analyst will have learned a lot from you and is able to do as good a job as you do. Over time, the AI will be able to make the decisions with the same accuracy as you, but at a hundred or thousand times the speed, and it will be doing it 24/7.

As an example, our LogicHub SOC team use the bot and the automation platform to automate an entire threat hunting playbook. We have a saying here that if you have to do anything more than two times, you should automate it. Once our SOC team triages a case, we automate it and bring those insights into the playbook either by adding new features and new factors, or we adjust the scores to eliminate false positives.

The advantages of automated threat detection

The advantage of automated threat detection is that the technology goes far beyond what rules engine-based systems can do. Secondly, 90% of security teams just don't have the bandwidth to take on something as time intensive as threat hunting.

If you're a three-person or a five- person or even a 10-person security team, there's so much to do that threat hunting or threat hunting automation becomes a luxury that you never quite achieve. Even though you have the data, you are missing the threats in the data. If you can hand that process off to a machine, teach it, and then let it run at machine speeds and machine scale, it can sort through all the data within an organization – non-stop, 24/7/365. This frees up the human analysts to work on higher value security activities that are better handled by human reasoning and insight.

And there you have it: An entire automatically generated playbook in under 15 minutes.

LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.


Related Posts

September 13, 2022 Kumar Saurabh

Why No Code Solutions Are a Double-Edged Sword

Most out-of-the-box security automation is based on a simple logic — essentially, if “this”...

Learn More

August 16, 2022 Willy Leichter

Understanding MDR, XDR, EDR and TDR

A program with proper threat detection and response (TDR) has two key pillars: understanding the...

Learn More

August 9, 2022 Willy Leichter

Intuition vs. Automation: What Man and Machine Bring to Data Security

Cybersecurity experts Colin Henderson and Ray Espinoza share their take on the automation-driven...

Learn More

August 2, 2022 Anthony Morris

Using AI/ML to Create Better Security Detections

The blue-team challenge Ask any person who has interacted with a security operations center (SOC)...

Learn More

July 26, 2022 Willy Leichter

How to Select the Right MDR Service

It can be difficult to understand the differences between the various managed detection and...

Learn More

July 21, 2022 Willy Leichter

The Evolving Role of the SOC Analyst

As the cyber threat landscape evolves, so does the role of the security operations center (SOC)...

Learn More

July 19, 2022 Kumar Saurabh

Life, Liberty, and the Pursuit of Security

As cyber threats evolve, organizations of all sizes need to ramp up their security efforts....

Learn More

July 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: July 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

July 12, 2022 Willy Leichter

Security Tools Need to Get with the API Program

No cloud API is an island The evolution of cloud services has coincided with the development of...

Learn More

July 6, 2022 Willy Leichter

Why the Rush to MDR?

LogicHub recently published a survey conducted by Osterman Research, looking at changing trends and...

Learn More