CHAPTER 9The Future of Threat Hunting

If we look at the most recent SolarWinds breaches, the attackers evaded existing defenses for months. One of SolarWinds customers, FireEye, was the first to detect the breach, citing activity dating back to March 2020. The evasive hackers went undetected inside the victims' environments, giving them access to secure information over a long period of time. These are sophisticated actors that know the tripwires associated with simplistic rules and analytics people use to find them. The SolarWinds breach exemplifies organizations' need for effective and proactive threat hunting.

Legacy-based threat detection systems used heuristics and static signatures on a large amount of data logs to detect threats and anomalies. However, this meant that analysts needed to be aware of how normal data logs should look. The process included data being ingested and processed through the traditional extraction, transformation, and load (ETL) phase. The transformed data is read by machines and analyzed by analysts who create signatures. The signatures are then evaluated by passing more data. An error in evaluation meant rewriting the rules. Signature-based threat detection techniques, though well understood, ...

Get Threat Hunting in the Cloud now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.