The discussion around “automation” in Threat Hunting usually rests on a definition that is tautological. In several circles, threat hunting is defined as “human activity to find badness that the automated products missed”. The problem with this definition is that, under it, as soon as something is automated, it ceases to be Threat Hunting.
This argument is rooted in the belief that the only kind of automation that exists is “signature-based” detection, or similarly simplistic forms of rule-based automation. Under this view, humans would use intuition and knowledge to learn from the existing signatures and from unusual markers in the organization's log data, supplementing a static signature-matching approach.
Now, it is obvious that a signature-based strategy does not scale with the number of threats in circulation, so the idea of doing something “smarter” to complement it is a good one. However, computer science is long past the point at which it was believed that humans alone could learn from experience to make complex multivariate decisions accurately.
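As an added example (not code from Niddel or from the original post), the following script contrasts the two layers the paragraphs above describe: a static signature match against an indicator list, and a multivariate score computed over the same log records that surfaces an entry no signature covers. The log records, field names, the three features and the indicator list are all constructed here for illustration.

```python
"""Added example: a signature matcher beside a simple multivariate scorer.

Assumptions (not from the original post): the log format, the field names,
the three features and the signature list are all constructed here.
"""
import math
import statistics
from collections import Counter

# Constructed outbound-DNS records: host, queried domain, bytes sent, hour of day.
SAMPLE_LOGS = [
    {"host": "ws-01", "domain": "mail.example.com", "bytes_out": 320, "hour": 9},
    {"host": "ws-02", "domain": "www.example.com", "bytes_out": 410, "hour": 10},
    {"host": "ws-03", "domain": "cdn.example.org", "bytes_out": 280, "hour": 11},
    {"host": "ws-04", "domain": "www.example.com", "bytes_out": 390, "hour": 13},
    {"host": "ws-05", "domain": "updates.example.net", "bytes_out": 450, "hour": 14},
    {"host": "ws-06", "domain": "mail.example.com", "bytes_out": 300, "hour": 15},
    {"host": "ws-07", "domain": "cdn.example.org", "bytes_out": 350, "hour": 16},
    {"host": "ws-08", "domain": "www.example.com", "bytes_out": 420, "hour": 17},
    # Exact hit for a static indicator (constructed).
    {"host": "ws-09", "domain": "known-bad.example", "bytes_out": 330, "hour": 10},
    # Matches no indicator, but several features are jointly unusual.
    {"host": "ws-10", "domain": "xk7q2m9z4p1rv8.example-cdn.net", "bytes_out": 52000, "hour": 3},
]

# Constructed indicator list standing in for a signature feed.
SIGNATURES = {"known-bad.example"}


def signature_hits(logs):
    """Static, rule-based layer: exact match against the indicator list."""
    return [r for r in logs if r["domain"] in SIGNATURES]


def shannon_entropy(text):
    """Bits of entropy per character of the string (0.0 for an empty or uniform string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(record):
    """Three numeric features per record: leftmost-label entropy, bytes out, off-hours flag."""
    label = record["domain"].split(".")[0]
    off_hours = 1.0 if record["hour"] < 7 or record["hour"] > 19 else 0.0
    return (shannon_entropy(label), float(record["bytes_out"]), off_hours)


def multivariate_scores(logs):
    """Score each record by summing per-feature z-scores computed over the whole set.

    A record that is mildly unusual on one axis scores low; one that is unusual
    on several axes at once rises to the top. Returns (score, record) pairs,
    highest score first.
    """
    matrix = [features(r) for r in logs]
    columns = list(zip(*matrix))
    means = [statistics.fmean(c) for c in columns]
    stdevs = [statistics.pstdev(c) or 1.0 for c in columns]  # guard constant columns
    scored = []
    for record, row in zip(logs, matrix):
        z = sum((v - m) / s for v, m, s in zip(row, means, stdevs))
        scored.append((z, record))
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def hunt(logs, z_threshold=3.0):
    """Combine both layers: signature hits, plus high-scoring records the signatures missed."""
    sig = {r["domain"] for r in signature_hits(logs)}
    leads = [r for z, r in multivariate_scores(logs)
             if z >= z_threshold and r["domain"] not in sig]
    return {
        "signature_hits": sorted(sig),
        "statistical_leads": [r["domain"] for r in leads],
    }


if __name__ == "__main__":
    for score, record in multivariate_scores(SAMPLE_LOGS):
        print(f"{score:6.2f}  {record['host']}  {record['domain']}")
    print(hunt(SAMPLE_LOGS))
```

The signature layer finds only the indicator it already knows; the scoring layer ranks the high-entropy, high-volume, off-hours query first even though no indicator names it. The z-score sum is deliberately the simplest multivariate rule that works on a handful of records; a production model would learn feature weights from labelled history rather than weight all three features equally.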
To inform this discussion, Niddel proposes a Hunting Automation Maturity Model with four distinct levels into which automation activities can be classified:
A lot of the frustration we perceive in the market comes from marketing materials that advertise Artificial Intelligence capabilities as magical as the Fourth Order described above, while the products can barely deliver First Order results.
Niddel Magnet is the only system on the market today that implements the functionality of the First, Second and Third Orders of this maturity model for end-to-end hunting automation.