With the continual evolution of malware, it is often too late to prevent the initial infection by the time a security alert is generated. Additionally, malware files are frequently changing, rendering file name or hash-based alerts fundamentally useless.
The ability to triage an alert retroactively, evaluating functionality rather than a signature, is a critical capability for quickly mitigating the spread of malware.
Here are key insights into second- and third-tier Security Operations Center (SOC) investigations — and how a robust threat-hunting and malware analysis platform can significantly enhance the triage process.
Threat hunting is traditionally a human-driven activity on networks and computers that enables analysts to proactively look for cyber threats to an enterprise. It is a practice usually employed by mature security teams, yielding results that can preempt material damage from cyber exploitation.
Hunting is typically a pre-activity of incident response; if done correctly, it should reduce the level of response. In many instances, hunting also involves a historical analysis of previous incidents, including the environments where those incidents occurred.
Hunting has not been used extensively in software environments but could play an important role in ensuring that the code used by organizations or shared between them is protected.
Whether it’s an enterprise using technology or a product organization selling technology and services, we are moving to everything as code. This pivot represents an enormous opportunity to evolve the use and scalability of technology products and services for business outcomes.
It also means a shift in the attack surface, so our methods and tools must also shift. The code landscape is made up of billions of lines of programming and millions of executable files. It is highly dynamic and changes at a pace much faster than computer and network components. It is an environment that cyber threats have already started to exploit, and one that represents a serious risk to any organization using technology.
This is an opportunity to converge and optimize activities from SOC analysis, threat hunting, and incident response. Because of the prevalence of code in our enterprises, we must move faster with greater precision.
Here's how ReversingLabs Threat Intelligence delivers a comprehensive approach to threat hunting:
It is likely that advances in these areas, especially ingesting, analyzing, and orchestrating large volumes of data pertaining to code and the software supply chain, will be essential to address threats today and into the future.
There are no easy ways to evolve these operations, but whenever you can effectively use technology to set conditions for more effective operations and greater resiliency, you drive up the cost and level of effort for advanced threats.
It’s a continuous cycle of innovation and creativity that requires human insights. When selecting platforms that deliver these results, be sure you consider challenges and opportunities over the horizon.
TAG CYBER SERIES