August 2, 2020

How Cyborg Creates Threat Hunting Content

Written by: cyborgsecurity

Cyborg Security is on a quest to provide the best threat hunting experience to organizations at all different security maturity levels. We believe that when threat hunters from around the world are provided a pipeline of contextualized threat hunting content, they’re more quickly able to proactively find the adversaries hidden in their environments. This is how we hope to change the game of threat hunting.

The best threat hunting content is the kind that can perform queries or hunts against aggregated security data using the most relevant, timely, and contextualized intelligence available about any given threat. Cyborg takes threat intel to the next level by operationalizing it into our threat hunting platform.

Here’s how we do it.

It starts with contextualized threat intel

In order to build a foundation of great threat hunting content, we concurrently produce a base of threat intelligence that contextualizes data and vets it far more than the average threat feed.

We use that core intel to create very specific threat hunting content that finds particular threat actors, malware activity, and tool sets within a given enterprise environment. Our threat hunt content writers operationalize the data developed by our threat intelligence team and weaponize it so our customers can use it.

Sandboxing and query development

The creation of threat hunting content starts by reverse engineering and recreating the effects of the attack tools detailed in the threat intelligence. Cyborg threat hunters do this in multiple sandbox environments. We detonate the malware, observe its effects, and collect the logged data in numerous platforms such as Elasticsearch, Splunk, QRadar, and so forth. From there we craft threat hunt queries that look for the artifacts observed and tailor them so that they are very high fidelity. This makes it easier for an independent threat hunter to find exactly what they’re looking for.

Make it cross-platform

As a part of developing threat hunting content, Cyborg’s threat hunting team wants to make it universal for a wide variety of organizations—no matter what platforms they’re using. In order to do that, we’ve established a unique syntax for our platform that translates threat hunt queries so that they are directly applicable to any customer’s data or platforms. For each hunt, the customer initiates a hunt for a specific query based on all of the groundwork we’ve done for that particular piece of content.
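To make the cross-platform idea concrete, here is an added example (not Cyborg’s own syntax or code) of how one platform-neutral hunt definition can be rendered for two of the platforms named above. The hunt conditions, the Splunk index name, and the field mappings are all hypothetical values chosen for illustration.

```python
import json

# Constructed sample hunt, standing in for an artifact observed during a sandbox
# detonation (illustrative values, not taken from any real analysis).
HUNT = {
    "name": "rundll32 executing from a user profile path",
    "conditions": [
        ("process_name", "equals", "rundll32.exe"),
        ("process_path", "contains", "AppData"),
    ],
}

# Per-platform field names (hypothetical mapping chosen for illustration):
# Sysmon-style field names for Splunk, Elastic Common Schema names for Elasticsearch.
FIELD_MAP = {
    "splunk": {"process_name": "process_name", "process_path": "process_path"},
    "elastic": {"process_name": "process.name", "process_path": "process.executable"},
}

def _spl_quote(value):
    # Escape backslashes and double quotes inside an SPL quoted string.
    return value.replace("\\", "\\\\").replace('"', '\\"')

def to_spl(hunt, index="sysmon"):
    """Render the abstract conditions as a Splunk search (SPL)."""
    fields = FIELD_MAP["splunk"]
    terms = [f"index={index}"]
    for field, op, value in hunt["conditions"]:
        if op == "equals":
            terms.append(f'{fields[field]}="{_spl_quote(value)}"')
        elif op == "contains":
            terms.append(f'{fields[field]}="*{_spl_quote(value)}*"')
        else:
            raise ValueError(f"unsupported operator: {op}")
    return " ".join(terms)

def to_elastic(hunt):
    """Render the same conditions as an Elasticsearch bool query (as a dict)."""
    fields = FIELD_MAP["elastic"]
    filters = []
    for field, op, value in hunt["conditions"]:
        if op == "equals":
            filters.append({"term": {fields[field]: value}})
        elif op == "contains":
            filters.append({"wildcard": {fields[field]: {"value": f"*{value}*"}}})
        else:
            raise ValueError(f"unsupported operator: {op}")
    return {"query": {"bool": {"filter": filters}}}

if __name__ == "__main__":
    print(to_spl(HUNT))
    print(json.dumps(to_elastic(HUNT), indent=2))
```

The point of keeping the hunt definition abstract is that the artifact logic is written once and reviewed once, while each platform only needs a field mapping and a renderer.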

The idea behind the process is to develop a portfolio of threat hunting content that augments what an existing enterprise team can already do. When the Cyborg team develops content, the process can take anywhere from half an hour to half a week, depending on the complexity of the attack.

Ultimately, we believe that threat hunting content can help organizations start proactive searches for threats on level footing.

To learn more about how content is more important to the threat hunting process than automation, read our blog, Threat Content, Not Automation, Fuels Effective Threat Hunting.
