January 2023


Hunters’ Automatic Investigation process is now happening faster, delivering near real-time results for fast scoping and triage. This improvement reduces time to investigate by up to 85%, allowing security teams to mitigate threats faster and focus on the most pressing incidents. 

What is Automatic Investigation?

To holistically mitigate a threat, a security analyst must first thoroughly understand the threat and attack surface and know which questions to ask to refute or convict the suspicious activity. The Automatic Investigation capability in Hunters SOC Platform aims to replace the tedious investigation process traditionally performed manually by security analysts. 


The Automatic Investigation process provides extensive security context through cross-correlation and enrichment of the data. This way, analysts can skip most of the manual investigation work and look at a complete incident picture that’s easy to understand, triage, and act upon at a dramatically accelerated pace.


What’s new?

Until today, it took the platform up to two hours to complete the entire Automatic Investigation process, including scoping the attack, adding context to suspicious activity and identifying the attack’s evolution.

The newly released enhancements to the Automatic Investigation drastically reduce the time to triage an alert by up to 90%. Within a few minutes, security analysts can view the entities and targets involved in an attack, such as specific individuals, servers, or executables, getting a clear picture of the Who, What, Where of an attack. This critical information can be used to expedite the remediation and containment process when integrated with SOAR tools via the Hunters API.

How does it work?

The Automatic Investigation process relies on the availability of data from multiple data sources. This presents a challenge since some data might not be available when the lead is generated. Furthermore, some advanced Automatic Investigation logic provided out-of-the-box looks for information that explicitly happens after the original event.


For instance, when a potentially malicious process is detected, Hunters collects data on the actions taken by the process after its initial execution, looking for clues such as dropped suspicious files or network connections that may suggest the presence of a backdoor or exfiltration activity.


To speed up the investigation process, we have split the Automatic Investigation process into two phases:

  • Rapid Automatic Investigation - This initial investigation for rapid attack scoping takes only a few minutes to complete and provides analysts with a basic framework and details of the possible threat.
  • Advanced Automatic Investigation - On top of the initial basic layer of information, Hunters provides a deep analysis of the threat evolution inside the organization that does not exist at the time of detection, such as the execution tree of a suspicious process, network connections, or compromised user behavior. This layer takes up to an hour to complete as it requires following up on the progression of the threat, and connecting both layers of information together to provide the full picture.
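As an added illustration (not Hunters' own code), a minimal two-phase investigation over constructed process and network telemetry: the rapid phase scopes who/what/where from the lead itself, while the advanced phase follows the execution tree and network connections that only appear after the lead fired. The event fields and function names are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample telemetry for one host (not real data).
# "ts" is seconds since an arbitrary epoch; the lead is the powershell.exe event.
EVENTS = [
    {"ts": 90, "type": "network", "host": "ws-17", "pid": 4001,
     "dst": "198.51.100.2", "port": 443},          # before the lead: not its evolution
    {"ts": 100, "type": "process", "host": "ws-17", "user": "alice",
     "pid": 4001, "ppid": 300, "image": "outlook.exe"},
    {"ts": 105, "type": "process", "host": "ws-17", "user": "alice",
     "pid": 4010, "ppid": 4001, "image": "powershell.exe"},   # the lead
    {"ts": 120, "type": "process", "host": "ws-17", "user": "alice",
     "pid": 4020, "ppid": 4010, "image": "rundll32.exe"},
    {"ts": 130, "type": "network", "host": "ws-17", "pid": 4020,
     "dst": "203.0.113.9", "port": 443},
    {"ts": 140, "type": "process", "host": "ws-17", "user": "alice",
     "pid": 4030, "ppid": 4020, "image": "cmd.exe"},
]
LEAD = EVENTS[2]


def rapid_investigation(lead):
    """Phase 1: scope the lead from data already present in the alert."""
    return {"who": lead["user"], "what": lead["image"],
            "where": lead["host"], "pid": lead["pid"]}


def advanced_investigation(lead, events):
    """Phase 2: follow the threat's evolution using events recorded at or
    after the lead: the execution tree rooted at the lead process and the
    network connections made by any process in that tree.  Assumes PIDs are
    not reused within the window; real telemetry needs a process GUID."""
    later = [e for e in events
             if e["host"] == lead["host"] and e["ts"] >= lead["ts"]]
    children = defaultdict(list)
    for e in later:
        if e["type"] == "process":
            children[e["ppid"]].append(e["pid"])
    tree, frontier = {lead["pid"]}, [lead["pid"]]
    while frontier:                      # breadth-first walk of descendants
        for child in children[frontier.pop()]:
            if child not in tree:
                tree.add(child)
                frontier.append(child)
    connections = [(e["pid"], e["dst"], e["port"]) for e in later
                   if e["type"] == "network" and e["pid"] in tree]
    return {"execution_tree": sorted(tree), "network": connections}


def full_picture(lead, events):
    """Merge both layers, as the platform does once phase 2 completes."""
    return {**rapid_investigation(lead), **advanced_investigation(lead, events)}
```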




⚠️ Attention

Depending on the availability of data, in some extreme cases, advanced investigations can take up to two hours.



By separating the process into phases, the system is able to provide first data points about the possible threat within minutes, allowing analysts to perform an initial inquiry into the threat while the system continues to enrich this entity with data from across your attack surface to provide greater context and understanding.


With the newly released Rapid Automatic Investigation step in the full investigation process, we will further support smart prioritization of alerts and incidents, and continue reducing the redundant manual work in the triage and investigation phases.