Need suggestions on threat hunting periodicity & if it has to be done by SOC team ...?

Hello,

This is being posted on behalf of Rejo Thomas, CISO, Exide Life Insurance.

Can anyone give me suggestions on threat hunting periodicity & if it has to be done by SOC team or an independent service provider. Any other inputs would be appreciated.

Views: 96

Reply to This

Replies to This Discussion

Threat hunting is an continuous proactive hunting looking for hidden threats in your environment that otherwise go undetected. SOC L3 engineers are engaged or responsible for threat hunting using built-in SIEM platform tools with all events streamed or use external tools streaming logs into it such squirrel etc.,

Dear Team,

Threat Hunting has to be done by SOC team only.  This is not an one time activity, this is periodically required and also whenever there is any exploit which is published on various sources from which the threat leads are obtained.  There are more than 200 sources from which threat leads are obtained i.e. various Operating Systems, databases, applications, application platforms, etc.

Also threat hunting is of no use if you do not run the available threat exploit of the available environment against the asset profile which need to have vulnerabilities in the available environment.  Therefore, threat hunting need to correlate with vulnerability profile of the asset, so one need to also subscribe to periodic vulnerability services to assess current vulnerability of the asset and whether there are threat leads in the threat hunted repository.

The above can be put in more sophisticated way and elaborate.  But I put my onion in short which can be understandable.

Sanjivan Shirke

Also please note that, incase of any security incident which cannot be resolved easily, the expert advise need to come only from expert which is from SOC team only.  Therefore expertise lay in SOC and thus Threat Hunting need to be part of SOC only.

As correctly pointed out by Sridhar and Sanjivan Threat hunting is a continuous proactive activity and should not be looked as a one time activity. A threat hunting team would not only look for threats from within the organization but also gathers inputs from external sources like Open forums, paid threat intel service, police, etc.
These inputs are converted into IOC's which will help to identify any existing or possible attacks on the organization. Integrating threat hunting within SOC makes sense so that they can work closely and finetune the SIEM tool based on their inputs.

Threat hunting need to be continuous and that why it is usually integrated with continuous monitoring activity done through SOC/SIEM setup and so SOC team definitely play a role here. Some threats maybe discovered/hunted on your network interface through SOC/SIEM/continuous monitoring and others threats maybe through independent parties or other sources who maybe alerting on new threats that may not have yet surfaced on your setup....

I concur with Sanjivan, Sridhar & all.

Threat Hunting should always be a part of SOC team and should be a continuous & proactive process that should cover all the 4 dimensions: Endpoint, Network, Application & User Behavior. This should be a hand-in-glove model with a Big Data SIEM so that the investigator can view all the alerts in the form of an attack story over a period of time to stay on top of unknown threats as well.

RSS

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service