From PEAK to Apex — Hunting Made Better With Splunk + Anvilogic
As users and fans of Splunk here at Anvilogic, we were excited to see the recent SURGe blog post announcing the “Prepare, Execute, and Act with Knowledge” (or “PEAK”) Hunting Framework. The post was also very timely given we just announced our newest platform capability called “Hunt” today. While this post is not intended to dig too deep into all of the features of Anvilogic Hunt (reach out for a demo, if you’re interested), I was really excited by the three primary hunting approaches, all of which fit into our worldview of what hunting well looks like.
That said, before we get into why we believe the Splunk SURGe team is onto something here, let’s talk a little bit about the challenges we have seen our customers overcome when trying to increase the time they spend hunting (or even just get started).
The main challenge to solve is that most security teams have their plates full deploying and maintaining those “automated detection systems”: the usual suspects of SIEMs, logging platforms, XDRs, etc. At Anvilogic, we believe this is the fundamental problem we can help customers solve across any of their security analytics platforms. Our core Detect platform reduces the time and effort required of SOC teams across the entire detection engineering lifecycle. Without this boost to productivity, there isn’t time to effectively grow hunting capabilities in a SOC.
Alright, now with that out of the way, let’s talk through the three main hunting “types” in the PEAK Framework, and why we believe Anvilogic has a lot to offer Splunk customers not just in detection but in hunting as well.
Let’s Take A PEAK
PEAK outlines three primary types of hunts. Let’s take each in turn and talk about how Anvilogic directly speaks to, and even integrates into, the PEAK framework.
Hypothesis-Driven Hunts
This is the classic definition of hunting. Someone in the SOC (not always with the official title of “threat hunter”) has a suspicion or instinct, based on threat research or perhaps a weak signal in another system. That is cultivated into a formal “Hypothesis,” which in turn leads to a scope and a plan. Our own hunt team follows this process regularly, and we also use it to create what we call “Spotlights” (basically a way to concisely communicate Hunt findings that are worthy of our customers’ attention). Now, let’s apply this to how a customer would use Anvilogic Hunt.
When we look at the “Mandatory Steps” for hypothesis-driven hunting, we can leverage the same intelligence, trending topics, and other metadata we provide in our Content Armory to accelerate our customers through the “Prepare” phase. That initial bootstrapping effort is often the hardest as it centers more on people and process.
The meaty middle of pivoting and filtering against your data is now facilitated through a simple low/no-code query builder and visual canvas. The hunter can capture specific pieces of evidence, attach notes and Indicators of Compromise (IoCs) to them, flag specific events of interest as critical, and so on, which helps keep momentum through to the “Act” phase.
When it comes time to “Act”, we treat Hunts as first-class objects in the Anvilogic Platform. For every hunt:
1) The activity of the hunter is logged
2) Evidence is stored in a timeline
3) You can export a final report for management purposes, share a hunt with your detection engineering team, or pass it along to your Threat Intelligence team to supplement their research
To make it a bit more real, the screenshot below highlights the ease of navigating from the Trending Topics in our Armory, selecting a Threat Group, and simply starting a hunt based on events of interest tagged with that Threat Group identity (FIN7 in this case). While the field you initially gather data on can be arbitrary, we believe that starting at the “apex” of the Pyramid of Pain provides hunters with an advantage. Also note that, while it isn’t visible in this screenshot, building that initial query required no coding or data-language expertise.
Baseline (AKA Exploratory Data Analysis or EDA) & Model-Assisted Threat Hunts (M-ATH)
We’re going to combine these two since doing so was a core tenet of how we built our Hunt capability. One of our most effective and beloved features is called “Insights.” We provide two kinds: Tuning Insights, focused on eliminating false positives and making detections better over time, and Hunting Insights, which use machine learning to automatically elevate cases such as “first time seen” or “extremely rare” patterns (among others).
Both types of Insights leverage ML models that our data science team has been building and refining for the last two years. In the case of Hunting Insights, we’ve created an on-ramp to our core Hunt experience directly from the Insight itself. When we think again in the context of “Prepare”, “Execute” and “Act”, Anvilogic does the majority of the heavy lifting, such as “identifying datasets,” “researching data sources,” “selecting algorithms,” “developing models,” and “reviewing distributions,” among the others listed. These non-trivial tasks often require domain-specific expertise in ML and usually some experience with programming or data-wrangling languages, and they ultimately create an artificially high bar for what should be accessible to SOCs of all sizes.
Per the example (and heavily redacted) screenshot below, we bubbled up a “First time or extremely rare” Insight that you can immediately start a Hunt on top of. It’s important to keep in mind that we always anchor these types of insights to the original Use Case that spawned them, maintaining a tight relationship with the threat research and the intentions behind the creation of a particular detection. We also embed some initial pointers in the Insight that are easily executed through one or two clicks of a mouse within the Hunt UI.
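To make the “first time seen” and “extremely rare” Hunting Insights concrete, here is an added example of the baseline logic behind that kind of insight, written for this post and not Anvilogic’s or Splunk’s own implementation. It takes a set of detection-output events (constructed sample data, not real telemetry), splits them into a baseline window and a current window, and flags combinations of user, parent and child process that are new or rare relative to the baseline. The event fields, the use-case names, the 28-day baseline, the rarity threshold of two baseline sightings, and the `pivot_events` “initial pointer” helper are all assumptions made for the example; the one design choice taken from the post is that every insight stays anchored to the use case that produced the events.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): process-launch alerts emitted by
# two hypothetical detections, "Suspicious Script Interpreter" and "Remote Admin
# Tool". Hostless on purpose; users and binaries are made up for this example.
BASELINE_START = datetime(2023, 4, 1)
CURRENT_START = BASELINE_START + timedelta(days=28)   # last day is the "current" window


def _ev(day, user, parent, child, use_case="Suspicious Script Interpreter"):
    return {"ts": BASELINE_START + timedelta(days=day), "user": user,
            "parent": parent, "child": child, "use_case": use_case}


EVENTS = (
    # Routine: a build account launches powershell from cmd every three days
    [_ev(d, "svc_build", "cmd.exe", "powershell.exe") for d in range(0, 29, 3)]
    # Routine: helpdesk runs wscript from explorer every other day, including today
    + [_ev(d, "helpdesk1", "explorer.exe", "wscript.exe") for d in range(0, 29, 2)]
    # Rare: Word spawning cmd was seen once three weeks ago and again today
    + [_ev(7, "jdoe", "winword.exe", "cmd.exe"), _ev(28, "jdoe", "winword.exe", "cmd.exe")]
    # First time seen: the IIS worker process spawning powershell, today only
    + [_ev(28, "svc_build", "w3wp.exe", "powershell.exe")]
    # Routine events from the other use case, never in the current window
    + [_ev(d, "itadmin", "services.exe", "psexesvc.exe", "Remote Admin Tool") for d in range(1, 29, 4)]
)

KEY_FIELDS = ("user", "parent", "child")


@dataclass(frozen=True)
class Insight:
    kind: str            # "first_time_seen" or "extremely_rare"
    use_case: str        # the detection that spawned the underlying events
    key: tuple           # values of KEY_FIELDS, e.g. (user, parent, child)
    baseline_count: int  # sightings of this key before CURRENT_START
    current_count: int   # sightings of this key in the current window


def hunting_insights(events, current_start, rare_max_count=2):
    """Baseline (EDA-style) pass: count each (use_case, user, parent, child)
    combination in the baseline and current windows, then elevate combinations
    that appear now but were never (first time seen) or almost never
    (extremely rare) seen in the baseline."""
    baseline, current = Counter(), Counter()
    for e in events:
        key = (e["use_case"],) + tuple(e[f] for f in KEY_FIELDS)
        window = current if e["ts"] >= current_start else baseline
        window[key] += 1

    insights = []
    for key, cur_n in current.items():
        base_n = baseline.get(key, 0)
        if base_n == 0:
            kind = "first_time_seen"
        elif base_n <= rare_max_count:
            kind = "extremely_rare"
        else:
            continue   # well-established behaviour; nothing to hunt here
        insights.append(Insight(kind, key[0], key[1:], base_n, cur_n))
    return sorted(insights, key=lambda i: (i.kind, i.key))


def pivot_events(events, insight, field):
    """Hypothetical 'initial pointer': widen scope from one insight to every
    event (from any use case) sharing the chosen field value, the kind of
    one-click pivot a hunter would take next."""
    wanted = insight.key[KEY_FIELDS.index(field)]
    return [e for e in events if e[field] == wanted]


if __name__ == "__main__":
    for ins in hunting_insights(EVENTS, CURRENT_START):
        print(f"{ins.kind:16} use_case={ins.use_case!r} key={ins.key} "
              f"baseline={ins.baseline_count} current={ins.current_count}")
        print(f"  pivot on user -> {len(pivot_events(EVENTS, ins, 'user'))} events")
```

Running it surfaces two insights and leaves the routine combinations alone: the Word-spawns-cmd pair is flagged as extremely rare (one baseline sighting), and the IIS-worker-spawns-powershell pair is flagged as first time seen (no baseline sightings). The rarity threshold is where tuning lives; raising it trades more candidate hunts for more noise, which is exactly the kind of feedback a Tuning Insight would be fed back into.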
In the “Act” phase, all the benefits we saw by using Anvilogic for hypothesis-driven hunts apply here. Be it completely human-driven or supplemented with models, the key is to drive toward an actionable outcome that prioritizes operational efficiency and effectiveness.
Using a slightly more built-out example, the Hunt “object,” as we call it, has a time-ordered set of evidence, a visual representation of important entities and their relationships, and notes and, in some cases, IoCs. This report can then be used to level up other folks wanting to hunt, as well as to better understand gaps in existing detections or new adversarial behaviors that need to be tracked and accounted for.
Like we said before, we’re big fans of Splunk (we even have an app!). There really is no better product out there for ingesting, indexing, and searching unstructured and semi-structured data. When you need to get to the underlying raw data, Splunk is going to be best in class, and we have a Content Armory of detections that take advantage of all of Splunk’s strengths with raw data.
Where we think Anvilogic can help add value
First is in the creation, deployment, and maintenance of those Splunk searches (what we call use cases and threat indicator searches). From our purple team minting high-quality SPL (and doing the ongoing research necessary for keeping those detections relevant and up-to-date), to the customer-specific Tuning Insights we generate to ensure your detections are as good as they can be, we help Splunk customers maximize the value they get out of every single detection search they deploy (warning, alert and informational).
The second area is operationalizing PEAK for SOCs of all sizes. By taking a different approach of hunting on the output of all of your detections (regardless of deployed mode), we automate many of the “prepare” and “execute” steps so that the human-driven element is elevated. Coupled with a tight feedback loop between detection and hunting, we believe that all Anvilogic and Splunk customers can move not just to the PEAK of hunting but to the apex.
By leveraging the strengths of both platforms, security teams can benefit from a connected approach between hunting and detection engineering. Anvilogic’s Detection Engineering and Hunting Platform can help SOC teams implement more accurate detections in a few clicks, and provide the necessary tools for preparing and executing hunts more efficiently across data lakes and security tools, while Splunk’s PEAK Framework can help teams structure their hunts and ensure that they are acting on the findings in a meaningful way.
Together Anvilogic and Splunk can help to provide a comprehensive approach to threat hunting and detection engineering that includes both the necessary tools and a structured approach to executing hunts. This can help security teams reduce the amount of time and effort required for detection engineering while improving their ability to detect and respond to threats.
If you’re interested in some further reading, as well as some of the inspiration for this post, the links below are what was referenced inline:
One of two excellent posts by Andrew VanVleet at Edward Jones that got the juices flowing:
Splunk’s PEAK Blog Post by David Bianco, the seed for this post:
Anvilogic’s Detection At The Apex, b/c I mean…I work for them: