Threat hunting has been around for a while, but it has only recently become a focus of modern enterprise Security Operations Centers (SOCs). Hunting can revolutionize an organization's threat detection efforts, and many organizations have already recognized that proactive hunting needs to play a role in their overall detection practices (a common mantra is "prevention is ideal, but detection is a must"). According to a recent survey on threat hunting conducted by the SANS Institute, 91% of organizations report improvements in the speed and accuracy of response due to threat hunting. It's clearly worth your time, but it's also worth knowing exactly what you're investing in.
Many organizations are also quickly discovering that cyber threat hunting is the next step in the evolution of the modern SOC, but they remain unsure of how to start hunting or how far along they are in developing their hunt capabilities.
We define hunting as the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. Hunters can use many different techniques to understand adversary activity, and no single one of them is always "right"; the best choice often depends on the type of activity you are trying to find.
Hunting consists of manual or machine-assisted techniques, as opposed to relying only on automated systems like SIEMs. Alerting is important, but cannot be the only focus of a detection program. In fact, one of the chief goals of hunting should be to improve automated detection by prototyping new ways to detect malicious activity and then turning those prototypes into effective new automation.
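The following is an added example, not code from the original post or from Sqrrl, showing the prototype-to-automation loop described above in miniature. A hunter runs a machine-assisted technique (frequency "stacking" of parent/child process pairs) over process-creation logs to surface rare combinations for review, then promotes a confirmed finding into a reusable detection rule that an alerting pipeline can apply to every new event. The event format, field names and sample events are constructed assumptions.

```python
"""Added example (not from the original post): a hunting prototype run over
constructed endpoint process-creation logs, then promoted to an automated
detection rule. The event layout and all sample data are assumptions."""
from collections import Counter
from typing import Callable, Iterable, List, Tuple

Event = Tuple[str, str, str]  # (host, parent_process, child_process)

# Constructed sample events standing in for an endpoint telemetry export.
SAMPLE_EVENTS: List[Event] = [
    ("ws01", "explorer.exe", "chrome.exe"),
    ("ws02", "explorer.exe", "chrome.exe"),
    ("ws03", "explorer.exe", "outlook.exe"),
    ("ws04", "explorer.exe", "outlook.exe"),
    ("ws01", "services.exe", "svchost.exe"),
    ("ws02", "services.exe", "svchost.exe"),
    ("ws03", "services.exe", "svchost.exe"),
    ("ws04", "services.exe", "svchost.exe"),
    ("ws02", "winword.exe", "powershell.exe"),  # seen once: worth an analyst's look
]


def stack_parent_child(events: Iterable[Event]) -> Counter:
    """Hunting technique: count how often each parent/child pair occurs.
    Rare pairs in a fleet of similar hosts are candidates for review."""
    return Counter((parent, child) for _host, parent, child in events)


def hunt_rare_pairs(events: Iterable[Event], max_count: int = 1) -> List[Tuple[str, str]]:
    """Prototype hunt: return parent/child pairs seen at most max_count times.
    This is the manual, analyst-reviewed step; it produces leads, not alerts."""
    counts = stack_parent_child(events)
    return sorted(pair for pair, n in counts.items() if n <= max_count)


def make_detection(parent: str, child: str) -> Callable[[Event], bool]:
    """Promote a confirmed finding into automation: a predicate an alerting
    pipeline can evaluate against each new event without analyst involvement."""
    parent, child = parent.lower(), child.lower()

    def rule(event: Event) -> bool:
        _host, p, c = event
        return p.lower() == parent and c.lower() == child

    return rule


def run_detections(events: Iterable[Event], rules: List[Callable[[Event], bool]]) -> List[Event]:
    """Automated step: return every event that fires at least one rule."""
    return [e for e in events if any(rule(e) for rule in rules)]


if __name__ == "__main__":
    leads = hunt_rare_pairs(SAMPLE_EVENTS)
    print("Hunt leads for analyst review:", leads)
    # Assume the analyst confirmed the leads; turn them into standing rules.
    rules = [make_detection(*pair) for pair in leads]
    print("Automated detections on the same data:", run_detections(SAMPLE_EVENTS, rules))
```

The split between `hunt_rare_pairs` and `make_detection` is the point: the stacking query is exploratory and tuned by a person, while the rule it yields is deterministic and cheap enough to run continuously, which is how a hunt improves automated detection rather than replacing it.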
![](https://static.wixstatic.com/media/a27d24_6db35aa960c14a0392e15e3919e49c99~mv2.jpg/v1/fill/w_770,h_513,al_c,q_85,enc_auto/a27d24_6db35aa960c14a0392e15e3919e49c99~mv2.jpg)
Source: https://sqrrl.com/