About Threat Hunting:
Hunting is a discipline for identifying unknown threats through searches and analytics. It is based primarily on hypotheses, hunches and dashboards, with threat intel as the scope/aim that makes the search easier.
- Analyst workspace: allow the analyst to CREATE a workspace where they can write their hypothesis, so they always remember what they are hunting for, and record and save hunting searches.
- Record Steps: trying to find a threat can take a lot of searches, and it’s good to record every step so that the analyst can return to some point and begin a new track of investigation. These records are saved inside the workspace.
- Workspace Package: when you are hunting it’s possible that you don’t find any artefacts related to the hypothesis you are looking for… at this time. But in a hunting process it’s important to have a loop-back search that revisits previous hunts to check whether the artefact can be found later, so if you save the workspace you can return to it months later and try to find the threat again.
- Export Hunting to ESM: the main objective when you find a threat is to inform the incident response team so they can handle this new threat; the second is to transport the hunting findings to ESM as a rule so that, if this threat shows up again, ESM can alert the SOC team, or the findings can be used as a threat feed for correlation.
- Multiple workspaces: sometimes when you are hunting you find evidence of another threat not related to the one you are looking for, so it’s important to be able to CREATE a new workspace for that threat so you can hunt it afterwards.
- Visualization: visualization of the interactions between objects (IP, URL, feeds) and actors (ID, credential, UEBA info) is very important, especially when you are hunting. Pivoting through these resources can improve the findings. See this tool named SQRRL (they were bought by Amazon): https://www.youtube.com/watch?v=wXw1yNjhDHM. This is similar to the ESM Graphic View, but real-time and interactive.
- Integration with the MITRE ATT&CK framework: MITRE ATT&CK is one of the best-known frameworks and knowledge bases for cyber security and threat hunting. It gives several threat vectors and how to find/search for them. Pass the Hash example: https://attack.mitre.org/techniques/T1075/. It would be useful to have this framework in Investigate (and ESM as well) to help security analysts and hunters identify the pattern of an attack or link their findings to the framework.
I understand that these features can make the investigation easy, controlled and organized on the analyst’s side, as they need to respond to an incident more quickly than ever.
I hope this can help make ArcSight Investigate more competitive and a leader in the threat hunting segment. Below I print some charts about the SANS 2018 Threat Hunting Survey Results.
Thank you for your time, and I hope I can contribute to a better product!
Marcus Batalha - BR