In this article, we will discuss threat hunters vs SOC Analysts.
Threat hunting, also known as cyber threat hunting, is the process of proactively and repeatedly searching an organization’s network for threats that evade existing security controls. Such controls include intrusion detection systems (IDS), firewalls, malware sandboxes and SIEMs.
Normally, an investigation begins in the existing security tooling only after an incident has already occurred. In threat hunting, by contrast, organizations employ skilled professionals who use advanced tools to look for previously unknown or ongoing, not-yet-remediated threats and then mitigate them.
The SOC analyst role has been the traditional threat detection role for decades, but with the growing complexity of attacker techniques, threat hunting has emerged as a newer approach to combating modern attacks. SOC analyst and threat hunter are two different and broad roles.
In traditional threat detection, SOC analysts rely on a large number of tools that automatically generate alerts for investigation and mitigation. This model matches traditional indicators such as known malicious IP addresses. It has proved to have a high false-positive rate and is ineffective against attackers who constantly change their infrastructure and tools.
By comparison, the threat hunting model is research-focused, enabling hunts for both known and unknown threats.
The SOC analyst role deals with the alerts generated day to day by the various monitoring and SIEM tools. Detection relies on ‘correlation’ rules that tell an analyst what needs to be investigated. This approach has a number of weaknesses:
First, the SOC analyst approach focuses primarily on finding ‘known’ threats. The process consists of reacting to alerts triggered by known malicious indicators, such as a key string associated with an attack, the hash of a file, or the IP addresses of the attacker’s control channel.
Such rules can be high-confidence, but often they are poorly written or too broad in trying to catch all suspicious activity, which produces large numbers of false-positive alerts. It is common for an analyst to receive hundreds of alerts a day, which leads to alert fatigue.
Another major drawback is that this process cannot detect unseen or hidden threats. This is a serious limitation given the high proportion of attacks that are new, and it makes it easy for attackers to generate new variants of a threat that bypass traditional security operations centre detection mechanisms.
The process pushes analysts into a ‘reactive’ mindset: waiting for alerts, and for changes to be pushed by vendors, instead of proactively searching for new threats. The traditional model was also less technical, which led to less effective detection capabilities.

By contrast, threat hunters take an approach that relies less on detection technology such as SIEM and more on professional knowledge of key attacker techniques and behaviours. Threat hunters focus on detecting attacker behaviours rather than volatile indicators, coupled with a proactive mindset. Hunting for a specific technique allows you to catch the different variations of malware that share that common technique.
Focusing on attacker techniques rather than volatile indicators has the advantage that there are comparatively few techniques to cover. Threat hunters concentrate on endpoint activity together with newly observed attacker techniques, which opens the possibility of covering all possible attacks. Traditional indicators have infinitely many possible values, which means a SOC team is endlessly playing catch-up.
The threat hunting process does not depend on rules or signatures to trigger alerts, so threat hunters experience far less mental fatigue than SOC analysts. Threat hunters proactively hunt by tagging interesting techniques and generating hypotheses about new attack techniques. This proactive mindset requires an organization that empowers its threat hunters to interact with the environment. It reduces the effort and time spent investigating suspicious activity compared with the SOC analyst model, and so allows threat hunters to hunt continuously and achieve quicker response times.
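As an added illustration (not code from the article), the contrast between an indicator-matching correlation rule and a technique-focused hunt, run over constructed process events: the second host runs a recompiled variant with a new hash and a new control-channel address, so only the behaviour hunt surfaces it. The hash values, the IP addresses (taken from documentation ranges) and the "document application spawning a command interpreter" hunt hypothesis are all assumptions chosen for the example.

```python
"""Indicator-matching SOC rule vs behaviour-based hunt over constructed events.
Added example; not code from the original article."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent: str      # parent process image name
    image: str       # executed process image name
    sha256: str      # hash of the executed file (constructed placeholder)
    dest_ip: str     # outbound connection by the process, "" if none


# Constructed indicator lists, as a traditional correlation rule would use them.
KNOWN_BAD_HASHES = {"aaaa1111"}       # placeholder hash of one known sample
KNOWN_BAD_IPS = {"203.0.113.10"}      # placeholder control-channel address

# Constructed hunt hypothesis: a document-handling application spawning a
# command interpreter. The technique stays the same whatever binary hash or
# control-channel address the attacker happens to use on a given day.
DOCUMENT_APPS = {"winword.exe", "excel.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def indicator_rule(ev: ProcessEvent) -> bool:
    """Traditional detection: alert only on a known hash or a known IP."""
    return ev.sha256 in KNOWN_BAD_HASHES or ev.dest_ip in KNOWN_BAD_IPS


def behaviour_hunt(ev: ProcessEvent) -> bool:
    """Technique hunt: document app -> interpreter, regardless of indicators."""
    return ev.parent.lower() in DOCUMENT_APPS and ev.image.lower() in INTERPRETERS


def triage(events):
    """Per host, report which approach would have surfaced the event."""
    return {ev.host: (indicator_rule(ev), behaviour_hunt(ev)) for ev in events}


# Constructed sample telemetry: ws02 runs a recompiled variant (new hash)
# talking to a newly registered address (new IP) using the same technique.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "winword.exe", "powershell.exe", "aaaa1111", "203.0.113.10"),
    ProcessEvent("ws02", "winword.exe", "powershell.exe", "bbbb2222", "198.51.100.7"),
    ProcessEvent("ws03", "explorer.exe", "notepad.exe", "cccc3333", ""),
]

if __name__ == "__main__":
    for host, (ioc, hunt) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: indicator_rule={ioc} behaviour_hunt={hunt}")
```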

Threat hunting is an innovative, research-focused detection mantra and a significant shift from the traditional, more technology-centric SOC analyst approach. It is now a growing niche in the industry that is gaining significant attention from organizations alongside their existing SOCs. There was previously no industry standard for threat hunting, and the transition from SOC analyst to threat hunter is not simple: it requires a new analysis skill set and a change in mental approach to detection.
However, both roles, SOC analyst and threat hunter, pay off well in the long run in terms of job satisfaction. Developing a security professional team for an enterprise is not simple; it is not like going out and buying new technology, but requires a shift in mindset and capabilities.