Hunt and Investigate

Maintaining the cybersecurity of your organization and its assets requires a multifaceted approach. The Cybereason CMC Engine provides automated detection for a variety of known and unknown malicious behaviors, but you may find that you want to perform your own analysis of the processes on your system. You may also want to dig deeper when responding to MalOps. We call these procedures hunting and investigation.

Hunting and investigation are related concepts, often used interchangeably. Here, we’ll explain these concepts and their importance as part of your cybersecurity strategy.

What is hunting?

A comprehensive cybersecurity strategy includes hunting, where a security team proactively searches for malicious behavior that has not yet been detected by any person or tool.

Hunting enables you to:

  • Narrow the lead an attacker has. You may find the attacker in an early stage of an attack, long before existing detection rules would raise an alert.

  • Free you from dependence on alerts of malicious behavior. Instead of waiting to receive a notification, you find it and act on it.

Cybereason provides powerful tools for conducting hunts, which are available within the Investigation screen. The Query Use-Case Examples section includes examples of such queries, which you can use to discover various stages of cyber attacks.

Note

Hunting can also refer to the automated analysis that the Cybereason CMC Engine performs as it searches for malicious behavior.

What is investigation?

Investigation often refers to the more reactive process of examining the details of malicious behavior (e.g. MalOps, malware, suspicions, evidence) to determine if they are malicious or benign, their cause, and their severity.

When responding to a MalOp or malware alert, you can click various elements (e.g. processes, files, evidence, suspicions) and investigate them more deeply in the Investigation screen.

Why hunt and investigate?

Cybereason triggers a MalOp only for behaviors that are very likely to be malicious, so that the platform is not overwhelmed with alerts and analysts can focus their efforts.

In addition, many legacy security tools rely on fixed indicators to identify malicious activity. Once a tool's vendor identifies a malicious indicator, it updates its database and pushes the update to users. From then on, when the tool encounters an item that matches the indicator, it raises an alert. Even if a tool includes detection rules, updates take time: the tool's development team must research the malicious behavior, create a detection rule, and update its databases with the new rule.

Therefore, it is important to apply both reactive and proactive methods to protect your environment and improve your cybersecurity posture. Hunting for malicious behaviors may lead to the discovery of an attack before your environment is compromised, and conducting deeper investigation into MalOp and malware alerts enables you to accurately classify and respond to alerts within the system.