Security incidents, and the false-positive alerts generated by security systems, have grown considerably over the last decade. More and more enterprises have begun evolving their passive defense into a proactive defense via automated threat hunting systems. In this talk, we take a deep dive into the technical aspects of designing and creating an effective AI-driven threat hunting system from the ground up. Automated threat hunting systems, such as our Fuchikoma, alleviate alert fatigue by automating the investigation process and alert triage and by auto-generating attack storylines. Learn how automated threat hunting systems increase efficiency by allowing analysts to rapidly identify and focus on the more severe incidents, their root cause, and the auto-enriched context for each step of the attack.
Fuchikoma first processes process-creation events from the event logs, specifically their command-line information. To aggregate the large amount of information carried by each event, an analysis-unit builder reassembles events into analysis units, each of which also carries information from the process's parent and child processes. Anomaly detection then locates abnormalities across all analysis units. In parallel, a custom community separator uses a graph community detection algorithm to identify connected events that could belong to the same operation session. By grouping abnormal units together with their communities, keywords, which represent the communities potentially related to an attack, are highlighted via a topic model. These outlying abnormalities are then handed to experienced analysts for review. Each step of the design process for Fuchikoma's automated ML-driven threat hunting system will be broken down and explained in detail.
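The four stages above (analysis-unit builder, anomaly detection, community separator, keyword highlighting) as an added, self-contained example. This is illustrative code written for this page, not Fuchikoma's implementation, and everything in it is an assumption: the event schema (pid, ppid, cmdline), the sample events and the baseline of historical command lines are constructed; connected components over the parent/child graph stand in for whatever graph community algorithm Fuchikoma uses; token novelty against the baseline stands in for its anomaly detector; and TF-IDF over communities stands in for its topic model.

```python
import math
import re
from collections import Counter, defaultdict, deque

# Constructed process-creation events for one host: a benign desktop session
# (pids 100-103) and a macro document that spawns an encoded PowerShell command
# and a DLL loader (pids 200-204). The base64-looking argument is filler.
EVENTS = [
    {"pid": 100, "ppid": 1, "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "cmdline": "chrome.exe --profile-directory=Default"},
    {"pid": 102, "ppid": 100, "cmdline": "winword.exe C:\\Users\\alice\\report.docx"},
    {"pid": 103, "ppid": 100, "cmdline": "chrome.exe --type=renderer"},
    {"pid": 200, "ppid": 1, "cmdline": "outlook.exe"},
    {"pid": 201, "ppid": 200, "cmdline": "winword.exe C:\\Users\\bob\\invoice.docm"},
    {"pid": 202, "ppid": 201, "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIABbAFMAdAByAGkAbgBnAF0A"},
    {"pid": 203, "ppid": 202, "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIABbAFMAdAByAGkAbgBnAF0A"},
    {"pid": 204, "ppid": 203, "cmdline": "rundll32.exe C:\\ProgramData\\x.dll,Start"},
]
# Constructed historical command lines standing in for a learned baseline of
# normal activity. Rarity is measured against this, not within the batch:
# inside a small batch every process looks rare, the benign ones included.
BASELINE = [
    "explorer.exe", "chrome.exe --profile-directory=Default", "chrome.exe --type=renderer",
    "chrome.exe --type=gpu-process", "winword.exe C:\\Users\\alice\\notes.docx",
    "winword.exe C:\\Users\\bob\\budget.docx", "outlook.exe", "svchost.exe -k netsvcs",
    "powershell.exe -File C:\\scripts\\inventory.ps1", "rundll32.exe shell32.dll,Control_RunDLL",
    "cmd.exe /c dir",
]
TOKEN_RE = re.compile(r"[a-z0-9_\-\.]{2,}")
USER_DIR_RE = re.compile(r"\\users\\[^\\]+\\")  # per-user path segment

def tokenize(cmdline):
    """Lower-case, replace the user directory name, split into tokens."""
    s = USER_DIR_RE.sub(lambda m: "\\users\\_user_\\", cmdline.lower())
    return set(TOKEN_RE.findall(s))

def build_analysis_units(events):
    """Stage 1: per process, its own tokens plus its parent's and children's."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        if e["ppid"] in by_pid:
            children[e["ppid"]].append(e["pid"])
    units = {}
    for e in events:
        toks = tokenize(e["cmdline"])
        if e["ppid"] in by_pid:
            toks |= tokenize(by_pid[e["ppid"]]["cmdline"])
        for c in children[e["pid"]]:
            toks |= tokenize(by_pid[c]["cmdline"])
        units[e["pid"]] = toks
    return units

def score_units(units, baseline):
    """Stage 2: anomaly score = share of a unit's tokens unseen in the baseline."""
    seen = set().union(*(tokenize(c) for c in baseline))
    return {pid: (len(t - seen) / len(t) if t else 0.0) for pid, t in units.items()}

def communities(events):
    """Stage 3: connected components of the parent/child graph (community stand-in)."""
    pids = {e["pid"] for e in events}
    adj = defaultdict(set)
    for e in events:
        if e["ppid"] in pids:
            adj[e["pid"]].add(e["ppid"])
            adj[e["ppid"]].add(e["pid"])
    done, comms = set(), []
    for start in sorted(pids):
        if start in done:
            continue
        comp, queue = set(), deque([start])
        while queue:
            p = queue.popleft()
            if p not in comp:
                comp.add(p)
                queue.extend(adj[p] - comp)
        done |= comp
        comms.append(frozenset(comp))
    return comms

def keywords(events, comms, top_n=5):
    """Stage 4: TF-IDF over communities (topic-model stand-in); shared tokens score 0."""
    by_pid = {e["pid"]: e for e in events}
    bags = [Counter(t for p in c for t in tokenize(by_pid[p]["cmdline"])) for c in comms]
    df = Counter(t for bag in bags for t in bag)
    out = {}
    for c, bag in zip(comms, bags):
        ranked = sorted(((n * math.log(len(bags) / df[t]), t) for t, n in bag.items()),
                        key=lambda x: (-x[0], x[1]))
        out[c] = [t for _, t in ranked[:top_n]]
    return out

def hunt(events, baseline, threshold=0.5):
    """Run all stages; report each community that contains an abnormal unit."""
    scores = score_units(build_analysis_units(events), baseline)
    comms = communities(events)
    kws = keywords(events, comms)
    findings = []
    for c in comms:
        abnormal = sorted(p for p in c if scores[p] >= threshold)
        if abnormal:
            findings.append({"pids": sorted(c), "abnormal": abnormal, "keywords": kws[c]})
    return findings
```

Calling `hunt(EVENTS, BASELINE)` returns a single finding: the Outlook session (pids 200 to 204) with pids 201 to 204 marked abnormal and the encoded PowerShell flags (`-nop`, `-w`, `hidden`, `-enc`, the blob) as its keywords; the browser session produces nothing. Two design points carry over to a real system. First, scoring rarity against a baseline rather than within the batch matters: with a handful of events, every process is rare and the benign Chrome units would outrank the attack chain. Second, because each unit carries its parent's and children's tokens, the Word process that spawned cmd.exe is flagged too, which is what lets the analyst see the root cause of the chain rather than only the PowerShell process.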
CK is currently a senior researcher at CyCraft. He has given technical presentations at conferences such as BlackHat, HITCON, HITB, RootCon, CodeBlue, FIRST and VXCON. As an active member of the Taiwan security community, he is chairman of the HITCON review committee and of CHROOT, the top private hacker group in Taiwan.