Cyber Insights 2026: Threat Hunting in an Age of Automation and AI
Briefly

"Threat hunting is in flux. What started as a largely reactive skill became proactive and is progressing toward automation. Threat hunting is the practice of finding threats within the system. It sits between external attack surface management (EASM) and the security operations center (SOC). EASM seeks to thwart attacks by protecting the interface between the network and the internet. If it fails, and an attacker gets into the system, threat hunting seeks to find and monitor the traces left by the adversary so the attack can be neutralized before damage can be done. SOC engineers take new threat hunter data and build new detection rules for the SIEM."
"A common perception of cybersecurity defines defense as necessarily reactive. Defenders are naturally forced into a position of reacting to attacks, while attackers are free to be proactive in their own activity. In many cases this is valid, but the distinction doesn't fit neatly into threat hunting. Threat hunting is reactive in seeking evidence of an event that has already happened, but is proactive since it doesn't know what the event was, nor even if it really happened. It assumes a breach but doesn't know the breach has occurred until it finds evidence."
Threat hunting is shifting from a reactive skill to a proactive and increasingly automated discipline as adversaries themselves adopt automation and AI. It sits between external attack surface management (EASM) and the security operations center (SOC): once perimeter defenses have failed, hunters search for and monitor the traces an intruder leaves so the intrusion can be neutralized before damage is done. The practice starts from an assumed breach and looks for evidence whose form, and even existence, is unknown until it is found; it is therefore reactive in looking for something that has already happened and proactive in not waiting for an alert. What hunters find feeds back to the SOC, whose engineers turn it into SIEM detection rules. How organizations implement this varies, but all need a balance of proactive searching, reactive verification, and automation to scale detection and response.
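The hunt-to-detection loop described above, as an added worked example that is not code from the SecurityWeek article or from any product it mentions. It uses a standard hunting technique, stacking (frequency analysis) of parent/child process pairs across hosts, on a small set of constructed endpoint records, surfaces the pair seen on only one host as a lead with no prior indicator, and then promotes the analyst-confirmed lead into a rule that runs continuously over new telemetry the way a SIEM rule would. The record fields, host names, the `max_hosts` threshold and the exact-match rule shape are assumptions for the example.

```python
"""Hunt-to-detection loop: stack rare parent/child process pairs across
constructed endpoint telemetry, then promote a confirmed finding into a
detection rule that a SOC could evaluate continuously."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed endpoint telemetry (sample data made up for this example):
# one record per process start, as an EDR or Sysmon-style source would emit.
TELEMETRY = [
    {"host": "ws01", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws01", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "ws02", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws02", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "ws03", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws03", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "ws04", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws04", "parent": "outlook.exe", "image": "winword.exe"},
    # The trace the hunt should surface: a document editor spawning a shell,
    # seen on one host only. Nothing here is a known indicator yet.
    {"host": "ws04", "parent": "winword.exe", "image": "powershell.exe"},
]


def stack_by_hosts(records):
    """Frequency analysis ('stacking'): for each (parent, image) pair,
    collect the set of hosts on which it was observed."""
    hosts_by_pair = defaultdict(set)
    for r in records:
        hosts_by_pair[(r["parent"], r["image"])].add(r["host"])
    return hosts_by_pair


def hunt_rare_pairs(records, max_hosts=1):
    """Proactive step: with no known event to look for, flag pairs seen on
    at most `max_hosts` hosts (assumed threshold). Rare behaviour is a lead
    for analyst review, not yet an alert."""
    stacked = stack_by_hosts(records)
    leads = [(pair, sorted(hosts)) for pair, hosts in stacked.items()
             if len(hosts) <= max_hosts]
    return sorted(leads, key=lambda lead: (len(lead[1]), lead[0]))


@dataclass(frozen=True)
class DetectionRule:
    """Minimal rule shape (assumption: exact match on parent and image);
    a SOC would express the same condition in its SIEM's query language."""
    name: str
    parent: str
    image: str

    def matches(self, record):
        return record["parent"] == self.parent and record["image"] == self.image


def promote_to_rule(pair, name):
    """Hand-off from hunter to SOC: a lead the analyst has confirmed as
    malicious becomes a continuously evaluated detection rule."""
    parent, image = pair
    return DetectionRule(name=name, parent=parent, image=image)


def run_rules(rules, records):
    """Reactive step: evaluate rules over new telemetry; each hit is an alert
    naming the rule and the host."""
    return [(rule.name, r["host"]) for r in records for rule in rules
            if rule.matches(r)]


if __name__ == "__main__":
    leads = hunt_rare_pairs(TELEMETRY)
    print("hunt leads:", leads)
    rule = promote_to_rule(leads[0][0], "office_app_spawns_shell")
    # Constructed follow-up telemetry from a later day.
    new_records = [
        {"host": "ws09", "parent": "winword.exe", "image": "powershell.exe"},
        {"host": "ws09", "parent": "explorer.exe", "image": "outlook.exe"},
    ]
    print("alerts:", run_rules([rule], new_records))
```

The threshold is deliberately separate from the rule: stacking is a hunting heuristic that produces leads for a human to verify, while the promoted rule is an exact condition the SOC can run without review. Raising `max_hosts` widens the hunt at the cost of more false leads; the rule itself does not change.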
Read at SecurityWeek