As cybercriminals constantly develop new, more advanced attacks and organize themselves like any other crime syndicate, it makes sense that intelligence-driven SOCs (Security Operations Centers) have embraced both threat intelligence and threat hunting.
Threat intelligence gathers information from multiple sources on the most recent attack techniques and trends, along with Indicators of Compromise (IOCs, such as file hashes, IP addresses and domains left behind by a known intrusion) and Indicators of Attack (IOAs, the behaviors an adversary exhibits while carrying out an intrusion), and applies this actionable knowledge to strengthen an environment against attacks. Threat hunting, on the other hand, takes a quite different approach.
Threat hunting assumes an advanced threat has already evaded the existing security controls. Working from context-driven hypotheses, a team of threat hunters – the Sherlock sort of cybersecurity specialists – proactively searches for threats, analyzing patterns in network traffic and in logs from existing devices and surfacing anomalies that may indicate a compromise.
What Types of Threats Can Be Hunted?
A key point is understanding the types of threats that can be hunted. By definition, a threat is any agent with the desire, capability and opportunity to do harm to an organization. This can be a rather lengthy list, including disgruntled/dishonest employees, competitors, hacktivists, cybercriminals and even nation-states.
Since threat hunting should be grounded in the organization's context, a good first step is defining which threat actors the organization is most exposed to. That way, their motivations and techniques can be taken into consideration during the hunt, especially when devising the hypothesis that will be tested. For example: “Are any of our endpoints infected with new malware and remotely controlled by an unauthorized agent trying to steal confidential information?”
Here are a few examples of the most common threats every organization should be hunting for.
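One way to turn that hypothesis into a hunt is to look for beaconing: an endpoint contacting the same external host at near-regular intervals, which is how many remote-control implants check in. The Python below is an added example, not code from the original post or its author; the proxy log format, the host names and IP addresses, and the thresholds (eight or more connections, interval jitter at or below 15%) are all assumptions constructed for this illustration.

```python
"""Hunt for command-and-control beaconing in a proxy log.

Hypothesis under test: "an endpoint is remotely controlled by an external agent".
The evidence sought is regular check-in traffic from one source to one destination.
Log lines, hosts, addresses and thresholds below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one event per line: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
# 10.0.0.5 -> beacon-target.example checks in every ~300 s with a few seconds of jitter.
# 10.0.0.7 -> www.example.org is ordinary, bursty browsing.
# 10.0.0.5 -> cdn.example.com is too infrequent to judge either way.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 beacon-target.example 512
2024-03-01T09:00:10 10.0.0.7 www.example.org 1840
2024-03-01T09:00:40 10.0.0.7 www.example.org 922
2024-03-01T09:02:15 10.0.0.5 cdn.example.com 30211
2024-03-01T09:05:01 10.0.0.5 beacon-target.example 498
2024-03-01T09:10:00 10.0.0.5 beacon-target.example 503
2024-03-01T09:12:20 10.0.0.7 www.example.org 2104
2024-03-01T09:12:32 10.0.0.7 www.example.org 655
2024-03-01T09:15:02 10.0.0.5 beacon-target.example 511
2024-03-01T09:20:00 10.0.0.5 beacon-target.example 507
2024-03-01T09:25:00 10.0.0.5 beacon-target.example 499
2024-03-01T09:30:01 10.0.0.5 beacon-target.example 502
2024-03-01T09:33:40 10.0.0.5 cdn.example.com 28877
2024-03-01T09:35:00 10.0.0.5 beacon-target.example 510
2024-03-01T09:40:00 10.0.0.5 beacon-target.example 504
2024-03-01T09:45:00 10.0.0.5 beacon-target.example 500
2024-03-01T09:52:32 10.0.0.7 www.example.org 3310
2024-03-01T09:54:07 10.0.0.7 www.example.org 740
2024-03-01T09:54:17 10.0.0.7 www.example.org 801
2024-03-01T10:11:05 10.0.0.5 cdn.example.com 31402
2024-03-01T10:24:17 10.0.0.7 www.example.org 1201
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src_ip, dst_host, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_connections=8, max_jitter=0.15):
    """Return (src, dst, mean_interval_s, jitter) for every src/dst pair whose
    connection intervals are regular enough to look like a scheduled check-in.

    Jitter is the coefficient of variation of the inter-connection gaps
    (population std dev / mean); human browsing scores far above max_jitter,
    a fixed-period beacon scores close to zero.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:  # too little data to call it regular
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every {period}s (jitter {jitter})")
```

Only the 10.0.0.5 to beacon-target.example pair is reported: ten check-ins averaging 300 seconds apart with negligible jitter. Keep in mind that many C2 frameworks deliberately randomize their sleep interval precisely to defeat this kind of check, so `max_jitter` is a tuning knob to revisit per hunt, and an empty result set disproves nothing; it only means this particular hypothesis found no support in this data.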
Abnormal Network Activity
It’s quite common to say threat hunters are usually looking for the needle in the (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Claudio Dodt. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/wfIaEQHL0NQ/