Threat Hunting Techniques for the Future SOC

Threat hunting: Top 5 challenges facing SecOps

Data Growth

SOCs are plagued with high rates of data growth and organizational silos, both of which reduce visibility. This is further aggravated by a constantly growing attack surface, as new applications and services are added all the time.

High Cost

For most SOCs, license costs and data storage make it too expensive to collect and store all security data for real-time and historical analysis.

Slow Queries

Running queries against large volumes of data can slow response times. Some traditional solutions can take hours to run a query due to scalability and performance issues, threatening an organization’s ability to identify and respond to threats.

Lack of Context

Threat hunting requires relevant context to accurately identify a sign of compromise, but it can be difficult and time-consuming to connect the dots across petabytes of data and multiple point products.

Threat Complexity

Modern threats are complex, multi-faceted beasts. Threat actors can now morph attacks on the fly, requiring analysts to hunt dynamically for tactics, techniques, and procedures (TTPs) rather than for static indicators alone.

Threat Hunting Techniques & Methodologies

Technique 1: Test evolving hypotheses across all data

Missing data can lead to a missed cyber threat, and if left undetected for too long, a potentially high-profile, expensive breach. SOCs leading the charge on threat hunting recognize the need for a single line of sight into all real-time and historical data for comprehensive analysis. This requires collecting, storing, and analyzing all security data in one place, regardless of type, source, or time-horizon, to test evolving hypotheses.

Technique 2: Conduct a historical analysis

Threats run deep in an environment, remaining undetected for months, even years. Modern SecOps combines the analysis of live, hot data with historical analytics to accurately establish the threat path, tactics, and impact to the business. This requires a powerful data platform that can collect and store event data, always hot, for as long as necessary. The ability to easily look back and drill down into petabytes of data to identify patterns is critical for threat hunting.

Technique 3: Support creativity with agile search

Threat hunting does not always lead to a positive outcome. Hunters may test multiple hypotheses throughout the discovery process. As a result, they need agile querying capabilities to pivot, filter, and iterate on their analyses. Threat hunting platforms support creative detective work by enabling simple, fast queries at scale. This allows threat hunters to collect, analyze, and connect various data sets for richer context, without having to wait hours to see the query results.

Technique 4: Integrate threat intelligence

The cyber threat hunting process for campaigns like advanced persistent threats, or APTs, is difficult in the absence of threat intelligence. Threat hunters tap into high-confidence, high-fidelity threat intelligence feeds and indicators of compromise (IoCs) curated by practitioners to inform their analyses. This includes integrating proprietary, third-party, and open-source intelligence, or OSINT, feeds in a single threat hunting platform and automatically enriching hunts with relevant context.
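The following is an added illustration, not code from the original page or from any vendor platform: it shows the mechanics behind Techniques 2 and 4 by merging several IoC feeds (each tagged with its source and a confidence score), running one hypothesis ("a host contacted known-bad infrastructure") across the full retained event history, and enriching every hit with feed context plus a per-host first-seen/last-seen timeline. All feed entries, addresses, hostnames and log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample feeds (not real indicators): indicator -> confidence, per source.
# A curated feed is weighted higher than an unvetted OSINT feed listing the same IoC.
FEEDS = {
    "curated": {"203.0.113.7": 0.95, "evil.example": 0.90},
    "osint": {"198.51.100.23": 0.60, "evil.example": 0.50},
}

# Constructed sample events spanning ten months: timestamp,host,dest_ip,domain ("-" if none).
LOG_LINES = [
    "2023-01-03T10:15:00Z,ws-01,203.0.113.7,-",
    "2023-06-18T22:40:12Z,ws-07,198.51.100.23,-",
    "2023-11-02T08:01:30Z,ws-01,192.0.2.44,evil.example",
    "2023-11-02T08:05:00Z,ws-03,192.0.2.10,shop.example",
]

def build_index(feeds):
    """Merge all feeds into one lookup, keeping every source that lists an indicator."""
    index = defaultdict(list)
    for source, iocs in feeds.items():
        for ioc, confidence in iocs.items():
            index[ioc].append((source, confidence))
    return index

def parse_event(line):
    ts, host, dest_ip, domain = line.split(",")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "dest_ip": dest_ip, "domain": domain if domain != "-" else None}

def enrich(events, index):
    """Keep only events matching an IoC, annotated with the feeds that list it and confidence."""
    hits = []
    for ev in events:
        matches = [(ev[f], src, conf) for f in ("dest_ip", "domain")
                   for src, conf in index.get(ev[f], [])]
        if matches:
            hits.append({**ev, "matches": matches,
                         "max_confidence": max(c for _, _, c in matches)})
    return hits

def hunt(lines, feeds, min_confidence=0.0):
    """Test the hypothesis over the whole history (not just a recent window) and
    summarise per host: first/last matching contact and the IoCs involved, so the
    hunter can estimate dwell time and pivot to the next hypothesis."""
    index = build_index(feeds)
    hits = [h for h in enrich(map(parse_event, lines), index) if h["max_confidence"] >= min_confidence]
    timeline = {}
    for h in sorted(hits, key=lambda h: h["ts"]):
        entry = timeline.setdefault(h["host"], {"first_seen": h["ts"], "last_seen": h["ts"], "iocs": set()})
        entry["last_seen"] = h["ts"]
        entry["iocs"].update(m[0] for m in h["matches"])
    return timeline
```

Raising `min_confidence` drops hosts whose only evidence comes from low-fidelity feeds, which is how a hunter narrows a noisy hypothesis before pivoting on the remaining hosts.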