It would be nice to imagine our SOC analysts as the apex predators of the IT jungle, stalking the network perimeter and tracking the scent of trespassing attackers. But, for most SOCs and their analysts, that’s far from the reality of their operations. Most are overwhelmed by data points and ill-equipped to correlate and analyze them. Analysts, who wish they could proactively hunt down threats and remediate vulnerabilities, are too busy churning through alerts and documenting false positives. According to our 2024 Unit 42 Incident Response Report, 90% of SOCs say they rely on manual processes.
It’s not just a haystack that SOC analysts are combing through; it’s a hay mountain. They are sniffing for even a trace of compromise. Forget finding a needle. Most don’t even know how many needles there are.
SOC leaders need to outfit their analysts with the right gear and training. Upgrade your SOC and analysts, so they can hunt down the threats lurking in your network.
Everyone knows there is still a shortage of cybersecurity professionals. Federal initiatives, like NICE, seek and promote “an integrated ecosystem of cybersecurity education, training, and workforce development,” but the demand for qualified professionals continues to outpace the supply.
No one feels the strain more than SOC leaders, who struggle to keep their SOC staffed 24/7 with experienced personnel. Analysts are fleeing SOCs in droves, and industry reports provide some answers as to why:
SOC analysts say they spend too much time investigating and reporting false positives. They’re overwhelmed by disparate data points and forced to triage alerts. They also claim that reporting is one of their least favorite tasks and consumes most of their time, especially when the majority of reports say “Nothing to see here.”
Threat hunting appeals to budding and enthusiastic cybersecurity professionals, but the reality of SOC life sends them searching for new opportunities.
Infosec professionals are typically excited about SOC work, at least in theory. They know that automated processes and smart tools could empower them to make high-level decisions about potential threats.
Most discover, however, that manual processes and poorly tuned tools make the SOC a miserable place to work. Instead of proactively hunting for vulnerabilities and advanced persistent threats on the network, they spend all their time just trying to catch up.
The majority of SOC work revolves around investigating alerts generated by dozens of tools. Consider the extraordinary number of devices in an enterprise organization. Each generates its own logs and produces a data trail that may contain indicators of attack and/or compromise (IOAs and IOCs):
The average SOC receives tens of thousands of alerts each day. Without tools that can automatically aggregate and categorize relevant telemetry, SOC analysts are burned out chasing ghosts across treacherous, unmapped terrain.
Analysts would prefer to be prowling the wilds and proactively hunting for threats.
Threat hunting is the systematic pursuit of hidden threats within your network. It's a multipronged approach that involves fortifying defenses against attackers and flushing out advanced persistent threats (APTs). Hunters employ various tactics:
Indicators of Attack and Tactics, Techniques and Procedures (TTPs)
Hunters search for patterns associated with known attacker behavior, such as unusual data exfiltration attempts (large file transfers at odd hours) or reconnaissance activities (probing for vulnerabilities). This often involves analyzing network traffic logs and endpoint activity for suspicious patterns.
Indicators of Compromise
These are specific signatures of malware or malicious activity, such as a known command and control (C2) server address or a specific malware hash. Hunters can leverage threat intelligence feeds and internal security data to identify potential IOCs.
Hypothesis-Driven Hunting
This involves developing hypotheses about potential threats based on industry trends, intelligence reports or internal security incidents. Hunters then test these hypotheses by searching for specific indicators or patterns within network data.
Specialized Techniques
There are various techniques used in threat hunting, such as network traffic analysis, memory forensics and endpoint analysis. The specific techniques used will depend on the nature of the hunt and the available data.
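The three hunting approaches above (IOA/TTP pattern matching, IOC matching and hypothesis-driven hunting) can be illustrated on a handful of log lines. The script below is an added example, not code from Unit 42 or from any Cortex product; the telemetry format, the IOC values (RFC 5737 documentation addresses and a placeholder hash) and the thresholds are all constructed for the example. It flags an off-hours transfer above a byte threshold (the "large file transfers at odd hours" pattern), exact matches against a known C2 host and a known bad hash, and, for the hypothesis "an implant checks in on a fixed timer", source/destination pairs whose inter-arrival times show almost no jitter:

```python
from collections import defaultdict
from datetime import datetime
import statistics

# --- Constructed IOC set (placeholders, not real indicators) ---
KNOWN_C2_HOSTS = {"203.0.113.45"}            # RFC 5737 TEST-NET-3 address
KNOWN_BAD_HASHES = {"deadbeefdeadbeef0000"}  # placeholder hash value

# --- Constructed telemetry: "<ISO timestamp> <type> key=value ..." ---
SAMPLE_EVENTS = [
    "2024-05-01T02:13:07Z flow src=10.0.0.8 dst=198.51.100.20 bytes_out=734003200",
    "2024-05-01T10:00:00Z flow src=10.0.0.9 dst=198.51.100.21 bytes_out=1200",
    "2024-05-01T14:00:00Z flow src=10.0.0.9 dst=203.0.113.45 bytes_out=900",
    "2024-05-01T09:00:00Z flow src=10.0.0.11 dst=192.0.2.77 bytes_out=512",
    "2024-05-01T09:01:00Z flow src=10.0.0.11 dst=192.0.2.77 bytes_out=512",
    "2024-05-01T09:02:00Z flow src=10.0.0.11 dst=192.0.2.77 bytes_out=512",
    "2024-05-01T09:03:00Z flow src=10.0.0.11 dst=192.0.2.77 bytes_out=512",
    "2024-05-01T12:00:00Z proc host=10.0.0.12 hash=deadbeefdeadbeef0000 name=updater.exe",
    "2024-05-01T23:30:00Z flow src=10.0.0.8 dst=198.51.100.20 bytes_out=2048",
    "2024-05-01T15:00:00Z flow src=10.0.0.5 dst=198.51.100.22 bytes_out=900000000",
]


def parse_event(line):
    """Turn one constructed log line into a dict of fields plus a parsed timestamp."""
    ts, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    fields["type"] = kind
    fields["raw"] = line
    return fields


def hunt_iocs(events):
    """IOC matching: exact hits against known C2 hosts and known malware hashes."""
    hits = []
    for ev in events:
        if ev.get("dst") in KNOWN_C2_HOSTS:
            hits.append({"reason": f"connection to known C2 host {ev['dst']}", "event": ev["raw"]})
        if ev.get("hash") in KNOWN_BAD_HASHES:
            hits.append({"reason": f"known malicious hash {ev['hash']}", "event": ev["raw"]})
    return hits


def hunt_offhours_exfil(events, min_bytes=500_000_000, night_start=22, night_end=6):
    """IOA/TTP pattern: a large outbound transfer outside business hours.
    A transfer of the same size during the day is deliberately not flagged."""
    hits = []
    for ev in events:
        if ev["type"] != "flow":
            continue
        hour = ev["ts"].hour
        off_hours = hour >= night_start or hour < night_end
        if off_hours and int(ev["bytes_out"]) >= min_bytes:
            hits.append({"reason": f"{ev['bytes_out']} bytes out at {hour:02d}h", "event": ev["raw"]})
    return hits


def hunt_beaconing(events, min_flows=4, max_jitter=0.1):
    """Hypothesis-driven: an implant checking in on a fixed timer produces flows to one
    destination with near-constant inter-arrival times (low coefficient of variation)."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["type"] == "flow":
            by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean > 0 and statistics.pstdev(deltas) / mean <= max_jitter:
            hits.append({"pair": pair, "interval_s": mean, "flows": len(stamps)})
    return hits


def run_hunt(lines):
    """Run all three hunts over raw log lines and group findings by tactic."""
    events = [parse_event(line) for line in lines]
    return {
        "ioc": hunt_iocs(events),
        "ioa_offhours_exfil": hunt_offhours_exfil(events),
        "hypothesis_beaconing": hunt_beaconing(events),
    }


if __name__ == "__main__":
    for tactic, findings in run_hunt(SAMPLE_EVENTS).items():
        print(f"{tactic}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

The point of splitting the hunts into separate functions is that each encodes a different kind of knowledge: `hunt_iocs` only ever confirms what threat intelligence already knows, `hunt_offhours_exfil` encodes an attacker behaviour independent of any specific indicator, and `hunt_beaconing` tests a hypothesis that produces leads even with an empty IOC list. The thresholds (500 MB, 22:00 to 06:00, 10% jitter, four flows) are starting points for tuning against a real environment's baseline, not recommended values.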
The right tools are crucial for threat hunting. Well-tuned solutions can connect the dots across disparate data sources, helping analysts prioritize legitimate threats for investigation.
For example, security platforms that offer threat-hunting capabilities can automate some tasks, like log analysis and threat correlation, and provide context for analyst investigations with threat intelligence feeds.
There’s just too much data to correlate and analyze — activity from every device on the network, including nodes that facilitate inbound and outbound traffic from anywhere in the world. Automation is inevitable.
Many SOCs get buried by their tools, triaging alerts that are almost always false positives. SOCs need smart, calibrated tools that can connect thousands of inputs and analyze activity from a multitude of perspectives.
Most SOCs struggle to reconcile insights generated by their tools — XDR, SOAR, ASM, SIEM, etc. Solutions like Cortex XSIAM combine these components and connect all the data points to generate legitimate leads.
Cortex XSIAM leverages AI models for advanced analysis that streamlines the decision-making process, which enables analysts to spend less time investigating and documenting dead-end leads, and more time hunting for big game.
A successful threat-hunting program offers several benefits beyond simply identifying and mitigating threats:
Attackers have evolved, leveraging automation and AI to launch more sophisticated campaigns. The modern SOC needs to meet this challenge head-on with superior firepower. SOC analysts should command fleets, not paddle around in a rowboat.
Take a machine-led, human-powered approach to threat hunting. Fight fire with fire: upgrade your SOC and your analysts with AI-powered tools that give them the advantage.
Want to learn more? Find out how Unit 42 Managed Threat Hunting Services can help you proactively hunt down threats in your environment. You can also register for our upcoming workshop to sharpen your investigation and threat hunting skills.