With sophisticated, state-sponsored threats, skill-set shortages, overwhelming amounts of data, and the impacts of the remote work model on cyber-hygiene continuing to drive change in our industries, organizations are pushing department budgets and resources to their limits in an effort to identify and mitigate risks. On average, it takes companies close to 200 days to identify a threat and the average cost to an organization for a single breach is close to $4M, according to IBM.
To reduce dwell time, passive monitoring needs to be complemented with proactive threat hunting. While few organizations have established threat hunting teams, most companies are struggling to set up a threat hunting practice as they lack the resources and bandwidth needed.
TechRepublic, in an August 2021 article, discusses the recently released report from the Information Systems Security Association (ISSA) and the analyst firm Enterprise Strategy Group (ESG), “The Life and Times of Cybersecurity Professionals 2021.”
“The report, which surveyed 489 cybersecurity employees, shows that a heavier workload (62%), unfilled positions (38%) and worker burnout (38%) are contributing to the skills gap. Nearly all surveyed (95%) believe the gap has not improved in recent years.”
To add even more challenge, great threat hunters are widely considered to be the “unicorns of the security space.” Their unique mindsets and highly specialized skills form an expertise that can’t be easily replicated. And the few that we do have in the industry are spread sparsely across many organizations and - as described above - are overwhelmed with escalations of threats and the weight of supporting the rest of the security team.
Let’s look at threat hunting from the perspective of the Observe, Orient, Decide, and Act (OODA) loop.
The OODA loop for threat hunting includes:
Every proficient threat hunter will conduct these activities, but scaling these activities and using manual processes as building blocks is nearly impossible, as it takes complete transfer of knowledge and expertise for others to participate.
By analyzing the analyst, we've discovered deeper, repeatable, logical patterns within the expert analytical workflow. Within these patterns are mechanisms to divide-and-conquer complex analytical tasks in an asynchronous way - as well as tailor each question from previously gathered evidence.
So, if we can push this OODA loop to an AI-powered autonomous engine, it becomes possible to replicate this OODA loop elsewhere, while the best threat hunters contribute constantly to improving such a system.
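The pattern described above (each answer's evidence shapes the next question, and independent questions can be farmed out) can be sketched in code. The following Python example is added here as an illustration and is not Kognos code or a description of its engine: it runs a queue of hunt questions over a handful of constructed process and network events, records every finding in an "attack story" together with the question that produced it, and stops when no question yields new evidence. The hosts, process ids, image names and addresses are all constructed for the example. Because each queued question depends only on the evidence that spawned it, several workers could drain the queue in parallel; this version runs sequentially for readability.

```python
"""Evidence-driven hunt loop modelled on Observe-Orient-Decide-Act.

Added example with constructed telemetry; not the code of any product.
"""
from collections import deque
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
# A question is a label plus a predicate over one event. The label doubles as the
# de-duplication key, so the loop terminates once every pivot has been asked.
Question = Tuple[str, Callable[[Event], bool]]

# Constructed sample telemetry: hosts, pids and addresses are made up for this example.
EVENTS: List[Event] = [
    {"type": "process", "host": "ws-01", "pid": 100, "ppid": 1,   "image": "outlook.exe"},
    {"type": "process", "host": "ws-01", "pid": 101, "ppid": 100, "image": "powershell.exe"},
    {"type": "network", "host": "ws-01", "pid": 101, "dst": "198.51.100.7", "dport": 443},
    {"type": "process", "host": "ws-01", "pid": 102, "ppid": 101, "image": "rundll32.exe"},
    {"type": "process", "host": "ws-02", "pid": 200, "ppid": 1,   "image": "svchost.exe"},
    {"type": "network", "host": "ws-02", "pid": 200, "dst": "198.51.100.7", "dport": 443},
    {"type": "process", "host": "ws-03", "pid": 300, "ppid": 1,   "image": "chrome.exe"},
    {"type": "network", "host": "ws-03", "pid": 300, "dst": "203.0.113.9", "dport": 443},
]

OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def seed_question(events: List[Event]) -> Question:
    """Starting hypothesis: an Office application spawned a scripting host."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}

    def office_spawned_script(e: Event) -> bool:
        if e["type"] != "process" or e["image"] not in SCRIPT_HOSTS:
            return False
        parent = procs.get((e["host"], e["ppid"]))
        return parent is not None and parent["image"] in OFFICE_APPS

    return ("office app spawned scripting host", office_spawned_script)


def pivots(e: Event) -> List[Question]:
    """Decide step: derive the next questions from one piece of evidence."""
    host, pid = e["host"], e["pid"]
    if e["type"] == "process":
        return [
            (f"network connections from {host} pid {pid}",
             lambda x, h=host, p=pid: x["type"] == "network" and x["host"] == h and x["pid"] == p),
            (f"child processes of {host} pid {pid}",
             lambda x, h=host, p=pid: x["type"] == "process" and x["host"] == h and x["ppid"] == p),
        ]
    dst = e["dst"]
    return [
        (f"any process connecting to {dst}",
         lambda x, d=dst: x["type"] == "network" and x["dst"] == d),
        (f"process behind {host} pid {pid}",
         lambda x, h=host, p=pid: x["type"] == "process" and x["host"] == h and x["pid"] == p),
    ]


def hunt(events: List[Event], seed: Question) -> List[Tuple[str, List[Event]]]:
    """Run the loop until no question yields new evidence; return the attack story."""
    queue = deque([seed])
    asked: set = set()
    seen_ids: set = set()  # evidence already in the story; never pivot on it twice
    story: List[Tuple[str, List[Event]]] = []
    while queue:
        label, predicate = queue.popleft()  # Act: ask the next question
        if label in asked:
            continue
        asked.add(label)
        # Observe: collect only evidence the story does not already contain
        evidence = [e for e in events if predicate(e) and id(e) not in seen_ids]
        if not evidence:
            continue
        seen_ids.update(id(e) for e in evidence)
        story.append((label, evidence))  # Orient: keep the finding with its question
        for e in evidence:  # Decide: tailor follow-up questions to this evidence
            queue.extend(pivots(e))
    return story


def involved_hosts(story: List[Tuple[str, List[Event]]]) -> List[str]:
    """Hosts that appear anywhere in the story (ws-03 never does in the sample)."""
    return sorted({e["host"] for _, evidence in story for e in evidence})


if __name__ == "__main__":
    for label, evidence in hunt(EVENTS, seed_question(EVENTS)):
        found = [(e["host"], e["pid"], e.get("image", e.get("dst"))) for e in evidence]
        print(f"{label}: {found}")
```

On the sample data the seed finding (powershell.exe under outlook.exe on ws-01) leads to the outbound connection from that process, its child process, the second host talking to the same destination, and finally the process behind that connection; ws-03 is never pulled in because nothing in the evidence points at it. The story is the record a hunter would want: every question asked, in order, and exactly which events answered it.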
At Kognos, we have pioneered an autonomous threat hunting system that executes hunts for threats as a threat hunter would - from start to finish - delivering complete attack stories in minutes that document everything of analytical interest.
With Kognos, threat hunters can quickly remediate attacks and get ahead of emerging threats, knowing nothing was missed and nothing is left unanswered. This allows threat hunters to focus on creating additional hunt hypotheses, questions, and actions to be fed into the Kognos autonomous system. Threat hunters can also share successful hunt hypotheses via the Kognos content cloud, allowing other threat hunters to take advantage of them at the click of a button.
Kognos is also collaborating with world-class threat hunters from our MSSP partners to develop new hunt hypotheses that can also be shared similarly. This will - for the first time in the industry - create a network effect to cyber threat hunting, allowing threat hunters to take advantage of the collective wisdom to detect sophisticated adversaries, and reduce MTTD and MTTR metrics considerably.