Hunting for IoCs: from singles searches to an automated and repeatable process
2024-10-03 18:47:02 Author: blog.sekoia.io

Understanding cyber threats is crucial for protecting your organisation from cybercriminal activities.

At Sekoia, we’ve embraced this by developing a comprehensive solution that combines Cyber Threat Intelligence (The Sekoia Intelligence product) with our detection platform, Sekoia Defend, into a single SaaS platform.

However, for CTI to be truly effective, it needs to be seamlessly integrated into your daily security operations. A key component of CTI is IoCs (Indicators of Compromise), which allow organizations to identify potential threats hidden in their logs. IoCs are meant to be operationalized, meaning that organizations must leverage them in their day-to-day security operations. IoCs can be used for proactive detection, or for searching the organization's past logs for the presence of an indicator (retro hunting).

When based on accurate, relevant data, these practices significantly enhance threat detection, providing dynamic insights and valuable context to help analysts identify and understand the threats they face.

Manually searching for IoCs is no longer sustainable

While the concept of matching IoCs to detect malicious behavior seems simple, conducting this process at scale is a significant challenge.

Indeed, manually searching through logs and security events for thousands, or even millions, of Indicators of Compromise is a time-consuming and resource-intensive task.

Fortunately, solutions like Sekoia Defend are transforming how companies conduct IoC hunting by automating and scaling these operations. This blog article explores the advantages of automated IoC hunting with Sekoia Defend and how it enables businesses to better defend against cyber threats.

How Sekoia can help you scale in IoC hunting and retro hunting

Sekoia is redefining how companies approach IoC matching through its advanced Defend platform. Unlike traditional solutions that rely heavily on manual processes, Sekoia offers an automated and scalable way to match millions of IoCs in real time and retroactively.

Here is how it works:

1 Benefit natively from Sekoia IoCs and avoid complex integration of third-party CTI

First of all, IoC hunting requires IoCs. Sekoia eliminates the need for complex integrations and multiple licensing costs by natively including access to our commercial-grade database of IoCs, curated and contextualized by our own CTI analysts.

We provide the detection engine AND the CTI.

Sekoia Defend CTI database includes millions of IoCs from all type

Sekoia Intelligence (CTI) contains a comprehensive list of contextualized IoCs, including IPs, URLs, domain names and file hashes, built specifically to reinforce your detection capabilities and help you proactively detect cyber threats. Each IoC is linked to the threat it represents. This context benefits security analysts in their day-to-day operations and helps them qualify potential security incidents faster.

Every single IoC is contextualized and linked to a specific cyber threat (Sekoia.io Threat Intelligence platform)

Eliminate the need for complex, manual integration of a CTI feed into your detection engine by having your CTI (IoCs included) directly in your detection platform.

For more information about the quality of Sekoia Intelligence CTI and how it is produced, please see our dedicated article.

2 Automated IoC detection at scale and without manual operations

One of the most significant limitations of other SIEM and XDR solutions is their reliance on manual processes for IoC matching. Analysts are often burdened with sifting through large volumes of security logs and large volumes of IoCs, which is time-consuming and inefficient.

Quite often, an analyst has to select the right IoCs to look for and build a dedicated search for them in the organization's logs. This process can be complex and time-consuming.

Sekoia Defend eliminates this bottleneck by automating the detection of millions of IoCs across your entire infrastructure. Sekoia Defend’s powerful engine continuously scans all your logs and network traffic for known threat indicators without requiring human intervention. This allows organizations to focus on higher-value tasks while Sekoia Defend works in the background to catch potential threats.

It works like this: Sekoia Defend has a native detection rule that compiles all IoCs coming from Sekoia CTI and looks for their presence, in real time, in the logs you send to the platform.

If you would like to know more about how this detection engine works and which fields of your logs are inspected, have a look at our dedicated documentation.

The Sekoia Defend rules catalog includes a rule dedicated to the automation of IoC hunting

3 Retro hunting across millions of Indicators of Compromise

Threats evolve, and attackers may lie dormant within networks for extended periods. Sekoia Defend’s retro hunting capabilities allow organizations to search historical data for past IoCs automatically.

This retroactive analysis helps detect long-running, stealthy campaigns that may have bypassed initial detection mechanisms. The platform can search through vast datasets to uncover missed threats, ensuring companies have complete visibility into their network’s security.

Retro hunting is also useful when SOC analysts need to verify whether their organization was targeted by a threat, or affected by a vulnerability, that has just been publicly disclosed but may have been active in the past.

Our detection engine natively supports retro hunting by taking into account the validity period of each IoC (its valid from and valid until fields).

Validity period of an indicator of compromise, taken into account for detection

Let's say that a new IoC is added for detection and that it is known to have had periods of activity in the past (meaning it potentially circulated before it was added). Sekoia analysts then adjust the validity period of this IoC to reflect that lifecycle.

The detection platform will use these dates to determine the period that it should use to look for the IoC in your logs.

Furthermore, for each new IoC, whether it comes from Sekoia or from your own custom lists, our detection engine automatically looks for its presence in the last 5 days of your logs.

If you have past logs in your tenant and the IoC is considered valid for that period, Sekoia Defend automatically tells you whether it was spotted in those logs, triggering a "retrohunt" alert where appropriate (within the retention period of your events on the Sekoia platform).

A set of alerts triggered by the Sekoia Defend retrohunt engine

4 Bring your own IoCs for hunting and retro hunting on specific threats

Sekoia Defend allows you to bring your own lists of IoCs and use them for automated detection on your logs, just as is done with Sekoia IoCs.

Retro hunting, as described above, also works with your own Indicators of Compromise.

You can either create an automated detection rule that also hunts in the past, or generate a one-click report that tells you within seconds whether your own IoCs were spotted in your logs during the past year, regardless of the retention period you subscribed to with Sekoia Defend.

Telemetry report showing the circulation of an IoC in your logs

These lists of custom IoCs can be created manually, by importing a file (CSV, etc.), or through an API.

With Sekoia, you can import and hunt for up to 500,000 custom IoCs in your tenant.
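The three mechanisms described above, the native matching rule of section 2, the validity windows and automatic 5-day lookback of section 3, and the custom IoC list import of this section, as an added Python example. This is not Sekoia's code and makes no claim about how Sekoia Defend is implemented internally. It assumes ECS-style log field names, a CSV layout with type, value, valid_from, valid_until and threat columns, and one reading of the lookback rule (always search at least the last 5 days, further back if the indicator was valid earlier, never beyond retention). The IoC values, the hash and the events are constructed samples.

```python
"""Added example (not Sekoia's code): index a CSV IoC list, match events in real
time honouring validity windows, and retro-hunt a newly added indicator across
past events bounded by lookback, validity and retention.  All names are assumptions."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Log fields inspected per indicator type (ECS-style names; an assumption).
FIELDS_BY_TYPE = {
    "ipv4-addr": ("source.ip", "destination.ip"),
    "domain-name": ("dns.question.name", "url.domain"),
    "url": ("url.full",),
    "file:hashes.SHA-256": ("file.hash.sha256",),
}

# Constructed custom IoC list; an empty valid_until means "still active".
# The hash is a made-up placeholder, not a real sample.
CUSTOM_IOCS_CSV = f"""type,value,valid_from,valid_until,threat
ipv4-addr,198.51.100.23,2024-08-01T00:00:00Z,2024-09-15T00:00:00Z,Example C2
domain-name,update-check.example,2024-10-01T00:00:00Z,,Example phishing
file:hashes.SHA-256,{'deadbeef' * 8},2024-01-01T00:00:00Z,,Example loader
"""


@dataclass(frozen=True)
class IoC:
    type: str
    value: str
    valid_from: datetime
    valid_until: Optional[datetime]
    threat: str

    def is_valid_at(self, ts: datetime) -> bool:
        """Inclusive validity window; no valid_until means open-ended."""
        return self.valid_from <= ts and (self.valid_until is None or ts <= self.valid_until)


def parse_ts(text: str) -> Optional[datetime]:
    if not text:
        return None
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_iocs(csv_text: str) -> list[IoC]:
    """Import a custom list; values are normalised so 'DEADBEEF' and 'deadbeef' match."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [IoC(r["type"], r["value"].strip().lower(), parse_ts(r["valid_from"]),
                parse_ts(r["valid_until"]), r["threat"]) for r in rows]


def build_index(iocs: list[IoC]) -> dict[tuple[str, str], list[IoC]]:
    """Hash index keyed by (log field, value): matching one event costs O(fields in
    the event), not O(number of IoCs), which is what makes millions of IoCs feasible."""
    index: dict[tuple[str, str], list[IoC]] = {}
    for ioc in iocs:
        for field in FIELDS_BY_TYPE.get(ioc.type, ()):
            index.setdefault((field, ioc.value), []).append(ioc)
    return index


def match_event(index: dict, event: dict) -> list[tuple[IoC, str]]:
    """Real-time path: one incoming event against the whole IoC set."""
    ts = event["@timestamp"]
    hits = []
    for field, value in event.items():
        if field == "@timestamp":
            continue
        for ioc in index.get((field, str(value).strip().lower()), ()):
            if ioc.is_valid_at(ts):          # expired or not-yet-valid IoCs do not fire
                hits.append((ioc, field))
    return hits


def retrohunt(ioc: IoC, events: list[dict], now: datetime,
              lookback_days: int = 5, retention_days: int = 30) -> list[dict]:
    """Run when an IoC is added: search at least the last `lookback_days`, further
    back if valid_from is older, never beyond retention, and never past valid_until."""
    floor = now - timedelta(days=retention_days)
    start = max(floor, min(ioc.valid_from, now - timedelta(days=lookback_days)))
    end = now if ioc.valid_until is None else min(now, ioc.valid_until)
    fields = FIELDS_BY_TYPE.get(ioc.type, ())
    return [e for e in events
            if start <= e["@timestamp"] <= end
            and any(str(e.get(f, "")).strip().lower() == ioc.value for f in fields)]


# Constructed sample events, oldest first, and a fixed "now" for reproducibility.
NOW = parse_ts("2024-10-03T12:00:00Z")
EVENTS = [
    {"@timestamp": parse_ts("2024-08-20T08:00:00Z"), "source.ip": "10.0.0.5", "destination.ip": "198.51.100.23"},
    {"@timestamp": parse_ts("2024-09-10T08:00:00Z"), "source.ip": "10.0.0.5", "destination.ip": "198.51.100.23"},
    {"@timestamp": parse_ts("2024-09-20T09:00:00Z"), "source.ip": "10.0.0.7", "destination.ip": "198.51.100.23"},
    {"@timestamp": parse_ts("2024-09-30T10:00:00Z"), "source.ip": "10.0.0.9", "dns.question.name": "UPDATE-CHECK.EXAMPLE"},
    {"@timestamp": parse_ts("2024-10-03T11:00:00Z"), "host.name": "ws-12", "file.hash.sha256": "DEADBEEF" * 8},
]

if __name__ == "__main__":
    iocs = load_iocs(CUSTOM_IOCS_CSV)
    index = build_index(iocs)
    for event in EVENTS:
        for ioc, field in match_event(index, event):
            print(f"real-time {event['@timestamp']:%Y-%m-%d} {field}={ioc.value} -> {ioc.threat}")
    for ioc in iocs:
        for event in retrohunt(ioc, EVENTS, NOW):
            print(f"retrohunt {event['@timestamp']:%Y-%m-%d} {ioc.type}={ioc.value} -> {ioc.threat}")
```

Two details are worth noticing when running it. The C2 address is seen three times, but only the 10 September event is reported: the 20 August event is older than the 30-day retention floor and the 20 September event falls after the indicator's valid until date. The phishing domain, valid only from 1 October, is still reported by the retro hunt on the 30 September event because the 5-day lookback reaches back to it, whereas the real-time path would not have fired for that event at the time; whether an indicator's validity window should also gate the lookback is exactly the kind of behaviour to confirm in the platform documentation before relying on it.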

5 Scalable IoC Matching Without Manual Intervention

One of the most critical advantages of Sekoia is its ability to scale. Traditional SIEM solutions can struggle with scalability when faced with the need to process millions of Indicators of Compromise. Manual searches can lead to inefficiencies and missed threats. Sekoia addresses this challenge by providing a fully automated system capable of matching massive amounts of IoCs seamlessly, regardless of data volume. This allows businesses to scale their threat hunting efforts effortlessly, improving overall security posture.

Whether it is on Sekoia IoCs or on your custom lists of IoCs, Sekoia Defend’s detection engine will not let you down.

Key benefits for your organization

Scaling IoC matching activities can be a daunting task, especially for organizations with limited resources or growing data volumes. With Sekoia’s automated and scalable approach, we have seen that automatically looking for millions of IoCs becomes easy and straightforward, bringing a series of major benefits for the organization.

  • Overcome the limitations of traditional SIEMs / XDR solutions

Sekoia takes the heavy lifting out of manual searches. Analysts no longer need to spend hours combing through logs or cross-referencing data—they can rely on Sekoia to handle the work in real-time.

Many traditional SIEM and XDR solutions require significant manual intervention for IoC searches and often lack the scalability needed to manage the growing number of IoCs generated by modern threat landscapes. These limitations can result in missed threats, delayed responses, and a heavier burden on already overwhelmed security teams.

  • Ease the life of analysts and reduce their workloads

By automating IoC hunting at scale, Sekoia frees up analysts to focus on higher-priority tasks like threat analysis and incident response, rather than getting bogged down by repetitive, time-consuming manual searches.

This streamlined approach not only saves time but also allows teams to scale their threat hunting capabilities without needing extra manpower. In short, Sekoia’s automated IoC hunting makes analysts’ lives easier, their work more effective, and their organizations more secure.

  • Minimize Detection Gaps

With real-time matching and retrohunting capabilities, Sekoia ensures that no threat indicators slip through the cracks, providing comprehensive coverage across your infrastructure.

Automated IoC hunting helps avoid detection gaps by continuously scanning for threats, ensuring no suspicious activity slips through unnoticed. Unlike manual processes that might miss key indicators due to oversight or time constraints, Sekoia’s system runs 24/7, keeping watch on all data streams in real-time. By automating this process, it ensures that even the smallest, most subtle threats are detected and addressed promptly. This proactive approach closes any gaps that could be exploited by attackers, providing comprehensive coverage and peace of mind for security teams.

  • Optimize Response Times

Sekoia’s automated IoC hunting significantly optimizes response times by instantly identifying potential threats the moment they arise. Instead of analysts manually searching through data to uncover issues, the platform detects and flags malicious indicators in real-time, enabling faster threat identification.

This quick detection allows security teams to respond immediately, reducing the time between detection and action. As a result, the overall incident response process is streamlined, helping to contain and mitigate threats before they escalate. The automation ensures swift, effective responses, keeping security threats under control.

Key figures around IoCs hunting at Sekoia

The following illustration compares some key figures for IoC hunting and retro hunting with the Sekoia Defend platform against doing the same work without retro hunting capabilities.

Scale your Indicators of Compromise hunting operations with Sekoia

These figures show how Sekoia can help you scale your Indicator of Compromise hunting, and especially your retro hunting capabilities, by switching from manual searches to a truly automated process that lets no threat slip by.

Future-Proof Your Threat Hunting with Sekoia

In today’s ever-evolving threat environment, being proactive about threat detection is essential. IoC matching is a critical part of any organization’s defense strategy, but doing it manually is no longer sustainable.

Sekoia empowers organizations to automate and scale their IoC matching efforts, transforming threat hunting from a labor-intensive task into an efficient, repeatable process. By enabling real-time detection and retrohunting across millions of Indicators of Compromise, Sekoia ensures businesses can stay ahead of attackers, reduce response times, and ultimately strengthen their cybersecurity posture.

In a world where threats evolve constantly, automated and scalable solutions like Sekoia are no longer a luxury; they are a necessity.


Thank you for reading this blog post. Feel free to share your feedback.



Source: https://blog.sekoia.io/hunting-for-iocs-from-singles-searches-to-an-automated-and-repeatable-process/