ATHAFI: Agile Threat Hunting And Forensic Investigation
Rami Puzis, Polina Zilberman, Yuval Elovici

TL;DR
ATHAFI is a framework that automates agile threat hunting and forensic investigation, enhancing detection and response capabilities by integrating adaptive data collection, hypothesis testing, and threat intelligence.
Contribution
It introduces a novel automated framework for threat hunting that adapts workflows based on real-time threat intelligence and attack hypotheses.
Findings
Automates threat hunting at multiple levels.
Enhances analyst productivity during investigations.
Adapts workflows to emerging threats using external intelligence.
Abstract
Attackers rapidly change their attacks to evade detection. Even the most sophisticated Intrusion Detection Systems that are based on artificial intelligence and advanced data analytics cannot keep pace with the rapid development of new attacks. When standard detection mechanisms fail or do not provide sufficient forensic information to investigate and mitigate attacks, targeted threat hunting performed by competent personnel is used. Unfortunately, many organizations do not have enough security analysts to perform threat hunting tasks, and today the level of automation of threat hunting is low. In this paper we describe a framework for agile threat hunting and forensic investigation (ATHAFI), which automates the threat hunting process at multiple levels. Adaptive targeted data collection, attack hypotheses generation, hypotheses testing, and continuous threat intelligence feeds allow to…
Taxonomy
Topics: Digital and Cyber Forensics · Advanced Malware Detection Techniques · Software Engineering Research
