How to Build a Threat Detection Playbook In 15 Minutes or Less
Automating a threat-hunting playbook with the help of AI
Many threat-hunting playbooks we build for use cases can have between 50 to 100 steps – some even more than that. Even for an analyst well-versed in automation, this can easily take a one to two weeks to execute.
We asked ourselves, can we create an AI bot to do a lot of the hard work involved in building this sort of playbook to reduce the time it takes from approximately two weeks to perhaps two days, or even two hours? The short answer is yes.
Watch a
step-by-step demo of how a threat-hunting automation assistant can help a security analyst take event data to find the proverbial needle in a haystack, all in under 15 minutes.
We created a short demo of this AI bot that can assist an analyst with automating a threat hunting playbook by using factor analysis – in under 15 minutes. The AI bot helps the analyst to determine the applicable factors, assign them scores, and then develop the logic to combine those scores into the final score.
The playbook defines which events and alerts match a certain threshold – say a 9 or 10 on a scale of 1 to 10 – which are then turned into an actionable case and sent to an analyst for review, along with a suggested response. The AI bot can help the analyst build a full threat hunting playbook in a matter of a few minutes to a few hours – depending on complexity.
eBook: The Definitive Guide to AI and Automation Powered Detection and Response
Why Your Next SOC Assistants Are Bots (and Your Networks Will Be More Secure Than Ever)
1. Build a new threat-detection playbook
We will walk through how an AI bot, a threat hunting automation assistant, can help a security analyst take any kind of event data and find the proverbial needle in the haystack. This can be done directly from the LogicHub interface. (If you’d like to follow along, you can download the LogicHub Free SOAR Edition, and build your own playbook).
2. The chat interface
LogicHub provides expert human guidance via live chat. Meanwhile, the AI bot asks for input on hunting a particular set of events. Let’s say the “haystack” is a collection of logs from audit events and you want to find the most suspicious one. We can start with the last 24 hours of data.
3. Go fetch
The bot assistant automatically creates notes on this basis, even with minimal input from the human analyst. A skilled automation engineer might take up to 10 minutes to do this manually, but our platform makes it possible with just a few clicks.
4. Figure out the factors
Use factor analysis to score the factors and combine those feature scores. In 24 hours, you might have 4,340 different unique events, 28 different event types, and 10 distinct user names. Nine event categories, six sources, and four user agents.
5. Determine users and user agents
Build a feature, such as a feature user agent, and manually score it. The human defines the parameters for the code so that the machine can do its part.
6. Automatic playbook building
The system will extract unique user agents, some of which may be standard use cases, others of which may be more suspicious. These can be scored higher. In this case, more than 4000+ events don’t need to be individually scored — just four features can be. This is called “dimensionality reduction,” and this is the machine doing what it does best with initial human input.
7. Build another feature
We’re done one with this user agent, and now we’ll look at the username. The convention remains the same, but this time, I don’t want to score it manually. Instead, I want to just look at the baseline. If it has existed in the baseline, score it low. If it doesn’t exist in the baseline, score it high.
8. Build the baseline
Now we need to decide how often we want to build a baseline. I’m going to select once a day, and we can go back seven days. You could do 30 or 90 days as well, but for the demo, we’re just going to go with seven days and voila – the system already built the baseline for us.
Forrester analyst Allie Mellen joins LogicHub as a featured guest speaker to discuss the evolution of SOAR technology and how AI can enable a new generation of solutions for the SOC. Please join us on May 19th at 8:00am PT / 11:00am ET!
9. Obtain the final score by combining multiple feature scores
We have created two features, and both are scored. I scored the user agent manually, and I used a baseline to build the user name feature. We can build as many features as we’d like, but for this demo, we’ll just use these two features.
At this point, we need to be able to combine multiple feature scores into one final score that will tell us whether it is a “needle” or if it is “hay.” We can do this manually or use a machine learning (ML) model, such as the “nearest neighbor” model, whereby a few human-provided examples give the system the data to extrapolate other similar examples to be scored similarly.
For example, if the user agent score is nine and the username is zero, that’s a nine. Two zeros can be marked as zero and discarded. A zero and a five might be marked four. Using this final score based on human input, the system generates alerts with scores greater than five. This is not a case, which we only want to generate when a human security analyst needs to investigate. The threshold for cases is much higher, such as a bare minimum of eight on a one to 10 scale. And of course, we can adjust these scores at any time for any reason.
10. Ongoing feedback loop
As we go along, the system gets smarter and will reflect the logic of the analyst. It is no different than providing a feedback loop for a junior analyst. You would hope that after a month or two, the junior analyst will have learned a lot from you and is able to do as good a job as you do. Over time, the AI will be able to make the decisions with the same accuracy as you, but at a hundred or thousand times the speed, and it will be doing it 24/7.
As an example, our LogicHub SOC team use the bot and the automation platform to automate an entire threat hunting playbook. We have a saying here that if you have to do anything more than two times, you should automate it. Once our SOC team triages a case, we automate it and bring those insights into the playbook either by adding new features and new factors, or we adjust the scores to eliminate false positives.
The advantages of automated threat detection
The advantage of automated threat detection is that the technology goes far beyond what rules engine-based systems can do. Secondly, 90% of security teams just don’t have the bandwidth to take on something as time intensive as threat hunting.
If you’re a three-person or a five- person or even a 10-person security team, there’s so much to do that threat hunting or threat hunting automation becomes a luxury that you never quite achieve. Even though you have the data, you are missing the threats in the data. If you can hand that process off to a machine, teach it, and then let it run at machine speeds and machine scale, it can sort through all the data within an organization – non-stop, 24/7/365. This frees up the human analysts to work on higher value security activities that are better handled by human reasoning and insight.
And there you have it: An entire automatically generated playbook in under 15 minutes.
LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.
*** This is a Security Bloggers Network syndicated blog from Blog | LogicHub® authored by Kumar Saurabh. Read the original post at: https://www.logichub.com/blog/how-to-build-a-threat-detection-playbook-in-15-minutes-or-less
