It is challenging to approach a complex problem as an outsider, especially in a relatively young field like cybersecurity where conceptual frameworks are still developing and pedagogy has only begun to take shape. Many instructors of college-level cybersecurity courses do not have degrees in the subject; this is simply because there was no one to grant them. These experts are bootstrapping their own field in real time. When Anvilogic decided to build a threat hunting tool, Anvilogic Hunt, I (an experienced front-end developer with little-to-no security background) took on the challenge with excitement, curiosity, and a “beginner’s mind.”
Many readers will be familiar with the OODA loop (observe, orient, decide, act), a framework for operating in unfamiliar or dynamic circumstances. It allows a person or organization to adapt to changes in an environment or to an adversary’s behavior. The stages of the OODA cycle are:
Observe - Gather information about the situation from available resources, the environment, and previous iterations of the OODA loop
Orient - Synthesize observations with prior experience and knowledge to develop an applicable mental model of the situation
Decide - Select an approach that is likely to lead to a desired outcome
Act - Perform activities toward that goal, the results of which feed back into observations for the next iteration
As a newbie approaching a somewhat nebulous domain, I had plenty of observing and orienting to do. I had practitioners I could interview and frameworks like TaHiTI to guide me, but even with these resources, threat hunting seemed as much art as science.
Our in-house experts each approached hunting differently, using their own heuristics and intuitions to find and investigate anomalies. They maintained bespoke queries across multiple languages, often using spreadsheets and text files to track their research. Customer interviews revealed similarly disparate processes and tools.
All this raised a simple question which appeared to lack a simple answer: “What is threat hunting?”
A defining trait of humanity is that we tell stories to one another and to ourselves. These narratives vary in their truthfulness and their utility, but ultimately they allow us to make sense of the raw incomprehensible complexity of the world. We rely on these stories to orient ourselves. What I came to realize is that at its core, threat hunting is telling a story. We select a few key events from the thousands or millions (or more!) available to us, and we craft a narrative about them to determine whether the actors involved are benign or malicious.
During a threat hunting exercise, the hunter writes the exposition of a harrowing adventure we must resolve: Once upon a time, a threat actor (the villain in our tale) leveraged an exploit on a particular host to gain access to our systems. They then attained persistence, performed internal reconnaissance, and moved laterally to other hosts in the network. As the heroes of the story, we must intervene and defend the realm before their dastardly schemes come to fruition. Once the protagonists have saved the day, we write the denouement where reviews are conducted, vulnerabilities are patched, and detections are put in place so that we can live happily ever after… until the next threat arises!
Don’t Lose the Plot
Telling a story necessarily involves identifying and connecting a set of related events to create something comprehensible and meaningful. We need to include enough detail to tell the whole story while omitting confusing or irrelevant details. Security professionals have an overwhelming amount of data at their disposal, including the events, hosts, users, processes, files, and other entities needed to tell their tale. An expert may have the skills and intuitions to discover and integrate them, but for those organizations looking to bootstrap a hunting practice, a more curated experience is needed. This means a threat hunting tool must provide users with a guide to filter through an ocean of data, collect only the artifacts relevant to the current hunt, and distill all of that effort and intuition into a story that can be understood by folks who are still cultivating their expertise.
To plan the Anvilogic Hunt experience, we began by identifying our first-class objects. The core of a hunt is a sequence of events (the “evidence”) and the relevant fields from those events (the “entities”). These are embellished with metadata like analyst notes to provide context, as well as an abstract that summarizes the hypothesis and findings at a high level. Our aim with this tool is to facilitate synthesizing these elements into a cohesive narrative which not only illuminates a potential incident, but also becomes part of a corpus that builds institutional knowledge.
We designed this initial release with beginner and intermediate threat hunters in mind. Experts already have tools, tactics, and procedures to succeed - we want Anvilogic to be a force multiplier that empowers all SOC analysts to deliver high-quality results. To do this, we developed a library of queries and an intuitive experience that allows users to perform and refine searches with a few mouse clicks. By keeping the interactions simple and flexible, we reduce the time and effort required to find the signal in the noise. Selecting relevant events and entities is similarly easy. As analysts build their story they also enrich the context of the hunt. This makes it trivial to pivot to new lines of investigation as relevant information is discovered.
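The objects described above (evidence, entities, notes, abstract) and the entity pivot that follows from them can be sketched in a few dozen lines. This is an added illustration, not Anvilogic Hunt's code; the event schema, the entity-bearing field names and the sample telemetry are all constructed for the example.

```python
# Added example (not Anvilogic's code): a minimal model of a hunt as evidence
# (selected events), entities (fields pulled from that evidence), analyst notes
# and an abstract, plus a pivot that finds further events sharing an entity.
from dataclasses import dataclass, field

ENTITY_FIELDS = ("host", "user", "process", "dest_ip")  # assumed entity fields

# Constructed sample telemetry; not real data.
EVENTS = [
    {"id": 1, "host": "ws-01", "user": "alice", "process": "outlook.exe", "dest_ip": "10.0.0.5"},
    {"id": 2, "host": "ws-01", "user": "alice", "process": "powershell.exe", "dest_ip": "203.0.113.7"},
    {"id": 3, "host": "srv-02", "user": "svc_backup", "process": "rundll32.exe", "dest_ip": "203.0.113.7"},
    {"id": 4, "host": "ws-09", "user": "bob", "process": "chrome.exe", "dest_ip": "198.51.100.2"},
    {"id": 5, "host": "srv-02", "user": "alice", "process": "cmd.exe", "dest_ip": "10.0.0.5"},
]

@dataclass
class Hunt:
    hypothesis: str
    evidence: list = field(default_factory=list)   # events the analyst selected
    entities: set = field(default_factory=set)     # (field, value) pairs from evidence
    notes: list = field(default_factory=list)      # (event id, analyst note)

    def add_evidence(self, event, note=""):
        """Select an event as evidence and enrich the hunt's entity set from it."""
        self.evidence.append(event)
        self.entities.update((f, event[f]) for f in ENTITY_FIELDS if f in event)
        if note:
            self.notes.append((event["id"], note))

    def pivot(self, events, on=ENTITY_FIELDS):
        """Return not-yet-selected events sharing at least one entity with the evidence."""
        seen = {e["id"] for e in self.evidence}
        return [e for e in events if e["id"] not in seen
                and any((f, e.get(f)) in self.entities for f in on)]

    def abstract(self):
        """High-level summary of the hypothesis and findings so far."""
        hosts = sorted(v for f, v in self.entities if f == "host")
        return (f"Hypothesis: {self.hypothesis}. Evidence: {len(self.evidence)} events "
                f"across hosts {', '.join(hosts)}; {len(self.notes)} analyst notes.")

def run_example():
    hunt = Hunt("powershell beaconing to an external address")
    hunt.add_evidence(EVENTS[1], "PowerShell to unusual external IP")
    first_pivot = hunt.pivot(EVENTS, on=("dest_ip",))  # event 3 shares the destination
    for e in first_pivot:
        hunt.add_evidence(e, "same destination, this time from a server")
    second_pivot = hunt.pivot(EVENTS)  # host/user entities added by event 3 now match more
    return hunt, [e["id"] for e in first_pivot], [e["id"] for e in second_pivot]
```

Each selection widens the entity set, so the second pivot surfaces events the first could not, which is the "enrich the context as you build the story" behaviour the text describes.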
Hunts in Anvilogic can be queried, shared, and reviewed, allowing analysts to collaborate and build on past investigations. As findings accumulate over time, recurring themes may emerge that reveal previously hidden dynamics in an organization’s security landscape. Our feature roadmap includes tools for meta-analysis across hunts to discover patterns such as common entities and IoCs, so keep an eye out for new releases and announcements.
Ins, Outs, and What-have-yous
We’re excited for our users to use Anvilogic Hunt, but how does it integrate with existing features and workflows? For our first release, we are leveraging Hunting Insights, another powerful Anvilogic feature that combines expert hunters and machine learning to identify especially suspicious or anomalous events. Our initial “on-ramp” for threat hunting allows users to automatically import relevant details from a Hunting Insight as the beginning of the hunt. Using a Hunting Insight as a pre-built hypothesis provides a seamless experience that reduces analyst effort by starting with pre-identified anomalies and guiding users through deeper investigation.
At the other end of the process, we offer one-click report generation that can be used to export PDF documentation or simply save results for later review. We have future plans for other “off-ramps” that integrate with ticketing systems, tune allow-list rules, and update detections so that findings rapidly and reliably lead to appropriate actions. We designed Anvilogic Hunt to synergize with the rest of the Anvilogic platform and expect it to become a key part of our customers’ SOC operations. By leveraging our integrated tools, Anvilogic greatly reduces the time and costs that stand between observation and action.
Anvilogic’s biggest competition in the threat hunting space is “not doing hunting”. This just means that SOC analysts are overworked and often don’t have the time and expertise to dive into an ocean of data. We built Anvilogic Hunt as an easy-to-use but still powerful tool that enables our customers to begin their hunting journey. As we expand the capabilities we offer, we will continue providing a simple, powerful experience while adding new features for novice hunters and power-users alike. By leveraging and integrating with our other features - detections, insights, maturity scoring, and data ingestion pipelines - we believe we are offering the best and most comprehensive cybersecurity experience on the market.
Mike Kissinger - Principal UI Engineer, Anvilogic