Social Network For Security Executives: Help Make Right Cyber Security Decisions
Threat hunting is a continuous, proactive search for hidden threats in your environment that would otherwise go undetected. SOC L3 engineers are engaged in or responsible for threat hunting, using the built-in SIEM platform tools with all events streamed in, or external tools into which the logs are streamed, such as Sqrrl, etc.
Threat hunting has to be done by the SOC team only. This is not a one-time activity; it is required periodically, and also whenever an exploit is published on the various sources from which threat leads are obtained. There are more than 200 sources from which threat leads are obtained, i.e. various operating systems, databases, applications, application platforms, etc.
Also, threat hunting is of no use if you do not run the available threat exploit for the environment against the asset profile, which needs to have the vulnerabilities present in the available environment. Therefore, threat hunting needs to be correlated with the vulnerability profile of the asset, so one also needs to subscribe to periodic vulnerability services to assess the current vulnerability of the asset and whether there are threat leads for it in the threat-hunting repository.
The above can be put in a more sophisticated and elaborate way, but I have put my opinion in short so that it can be understood.
Also please note that, in case of any security incident which cannot be resolved easily, the expert advice needs to come only from an expert, who is from the SOC team only. Therefore the expertise lies in the SOC, and thus threat hunting needs to be part of the SOC only.
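The correlation the comment above describes, between a repository of threat leads and the periodic vulnerability profile of each asset, as an added example that is not the commenter's code or any product's own logic. The lead and asset records, the placeholder CVE identifiers and host names, the 7-day scan-freshness limit and the priority weighting are all constructed assumptions for illustration; in practice the leads come from the feeds and the open-CVE list from the vulnerability service.

```python
"""Correlate threat leads with the asset vulnerability profile to decide what to hunt.

Constructed example: the leads, assets and identifiers below are placeholders, not real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ThreatLead:
    cve: str              # vulnerability the lead refers to (placeholder IDs below, not real CVEs)
    source: str           # feed the lead came from (vendor advisory, exploit tracker, ...)
    published: date
    exploit_public: bool  # a working exploit has been published


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    open_cves: frozenset  # CVEs the last vulnerability scan reported as still open
    criticality: int      # 1 (lab box) .. 5 (crown jewel)
    last_scanned: date    # when the vulnerability service last assessed this asset


@dataclass(frozen=True)
class HuntTask:
    asset: str
    cve: str
    priority: int
    needs_rescan: bool    # the vulnerability data is older than we trust


def scan_is_fresh(asset, today, max_age_days=7):
    """A lead is only actionable against a vulnerability profile that is current (assumed 7-day limit)."""
    return (today - asset.last_scanned) <= timedelta(days=max_age_days)


def correlate(leads, assets, today, max_age_days=7):
    """Return (hunt_queue, unmatched_leads).

    A lead goes into the hunt queue only for assets whose scan still lists the
    CVE as open; leads that match no vulnerable asset are reported separately
    so nobody spends hunting time on them.
    """
    by_cve = {lead.cve: lead for lead in leads}
    tasks, matched = [], set()
    for asset in assets:
        fresh = scan_is_fresh(asset, today, max_age_days)
        for cve in sorted(asset.open_cves):
            lead = by_cve.get(cve)
            if lead is None:
                continue  # open vulnerability with no threat lead: patch queue, not hunt queue
            matched.add(cve)
            weight = 3 if lead.exploit_public else 1  # a public exploit raises urgency (assumed weighting)
            tasks.append(HuntTask(asset.name, cve, asset.criticality * weight, not fresh))
    tasks.sort(key=lambda t: (-t.priority, t.asset, t.cve))
    unmatched = sorted(cve for cve in by_cve if cve not in matched)
    return tasks, unmatched


# Constructed sample data (placeholder CVE IDs and host names).
TODAY = date(2024, 1, 15)
LEADS = [
    ThreatLead("CVE-0000-0001", "vendor-advisory", date(2024, 1, 12), exploit_public=True),
    ThreatLead("CVE-0000-0002", "exploit-tracker", date(2024, 1, 13), exploit_public=False),
    ThreatLead("CVE-0000-0003", "mailing-list", date(2024, 1, 14), exploit_public=True),
]
ASSETS = [
    Asset("db01", "ExampleDB", frozenset({"CVE-0000-0001"}), 5, date(2024, 1, 14)),
    Asset("web01", "ExampleApp", frozenset({"CVE-0000-0002"}), 3, date(2023, 12, 1)),
    Asset("web02", "ExampleApp", frozenset({"CVE-0000-0009"}), 3, date(2024, 1, 14)),
]

if __name__ == "__main__":
    queue, unmatched = correlate(LEADS, ASSETS, TODAY)
    for task in queue:
        flag = " (rescan first)" if task.needs_rescan else ""
        print(f"hunt {task.cve} on {task.asset}, priority {task.priority}{flag}")
    print("leads with no vulnerable asset:", unmatched)
```

Run as-is, the crown-jewel database with a publicly exploited open CVE tops the queue, the web server's lead is kept but flagged because its scan data is six weeks old, and the third lead is set aside because no asset in the profile is exposed to it.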
Threat hunting needs to be continuous, and that is why it is usually integrated with the continuous monitoring activity done through the SOC/SIEM setup, so the SOC team definitely plays a role here. Some threats may be discovered/hunted on your network interface through SOC/SIEM/continuous monitoring, and other threats may come through independent parties or other sources who may be alerting on new threats that may not yet have surfaced on your setup....
I concur with Sanjivan, Sridhar & all.
Threat hunting should always be a part of the SOC team and should be a continuous and proactive process that covers all four dimensions: endpoint, network, application and user behaviour. This should be a hand-in-glove model with a big-data SIEM, so that the investigator can view all the alerts in the form of an attack story over a period of time, to stay on top of unknown threats as well.
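One way to produce the "attack story" view the comment above describes, stitching alerts from the endpoint, network, application and user-behaviour dimensions into a single timeline, as an added example that is not the commenter's code or any SIEM product's feature. The alert records, the entity names, the linking rule (two alerts belong to the same story when they share a host or user value within a 24-hour window) and the union-find grouping are all assumptions made for this illustration.

```python
"""Stitch SIEM alerts from the endpoint, network, application and user-behaviour
dimensions into attack stories: chains of alerts that share an entity (host,
user, destination) within a time window.

Constructed example; the alerts below are made up, not real SIEM output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, one record per SIEM alert. "entities" holds the
# pivot values (hosts, users); the key names are only there for readability.
ALERTS = [
    {"ts": "2024-01-15T09:00:00", "dim": "user",
     "name": "login from unusual geography", "entities": {"user": "alice"}},
    {"ts": "2024-01-15T09:05:00", "dim": "endpoint",
     "name": "office document spawned powershell", "entities": {"host": "ws01", "user": "alice"}},
    {"ts": "2024-01-15T09:20:00", "dim": "network",
     "name": "internal port scan", "entities": {"src": "ws01", "dst": "db01"}},
    {"ts": "2024-01-15T10:00:00", "dim": "application",
     "name": "bulk record export", "entities": {"host": "db01", "user": "alice"}},
    {"ts": "2024-01-15T15:00:00", "dim": "endpoint",
     "name": "removable media mounted", "entities": {"host": "ws07", "user": "bob"}},
    {"ts": "2024-01-17T09:20:00", "dim": "network",
     "name": "internal port scan", "entities": {"src": "ws01", "dst": "db02"}},
]


def build_stories(alerts, window=timedelta(hours=24)):
    """Group alerts into stories with union-find: two alerts are linked when they
    share an entity value and fall within `window` of each other (assumed rule).
    Each story is returned as a chronological timeline with the dimensions it spans."""
    times = [datetime.fromisoformat(a["ts"]) for a in alerts]
    values = [set(a["entities"].values()) for a in alerts]
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if values[i] & values[j] and abs(times[i] - times[j]) <= window:
                parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i in range(len(alerts)):
        groups[find(i)].append(i)

    stories = []
    for members in groups.values():
        members.sort(key=lambda i: times[i])
        stories.append({
            "start": alerts[members[0]]["ts"],
            "dimensions": sorted({alerts[i]["dim"] for i in members}),
            "timeline": [(alerts[i]["ts"], alerts[i]["dim"], alerts[i]["name"]) for i in members],
        })
    # Longest stories first: the multi-dimension chain is what the investigator reads first.
    stories.sort(key=lambda s: (-len(s["timeline"]), s["start"]))
    return stories


if __name__ == "__main__":
    for story in build_stories(ALERTS):
        print(f"story from {story['start']} spanning {', '.join(story['dimensions'])}:")
        for ts, dim, name in story["timeline"]:
            print(f"  {ts}  [{dim:11}] {name}")
```

With the sample data the four alerts involving alice, ws01 and db01 collapse into one story that spans all four dimensions, while bob's USB alert and the port scan two days later stay as isolated single-alert stories; widening the window to three days pulls the later scan into the main chain, which is the trade-off between longer attack stories and more accidental joins.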