Transitioning Your SOC Analysts from Data Gatherers to Threat Hunters

Threat hunting is defined as an iterative and focused approach to searching for, understanding and identifying adversaries already present inside the defender’s network. Incident response automation tools have been shown to give Security Operations Center (SOC) team members additional time, which can be redirected into a more focused threat hunting role within the SOC environment.

SOC staff members should understand how to use the additional time that incident response automation provides to hunt for threats, rather than spending valuable time and resources gathering threat information that could be collected automatically. As we migrate from threat prevention to threat discovery, it is well established that malicious actors and processes are frequently well hidden within the organization’s infrastructure. To locate and investigate them effectively, we must start by asking the five W’s: who, what, where, when, why, and perhaps most importantly, how.

SOC team members must first understand what threat hunting is in order to be truly effective. Staff should focus their questions on the three tenets that make up the threat triangle: capability, intent and opportunity. By focusing on these three tenets, threat hunters can use orchestration not only for system monitoring but also for the automated data gathering that supports this expanded role, without adding infrastructure. Team members must also understand that threats can be human, not just malware directed at them. This, coupled with an understanding of the affected system’s function, provides insight into the possible contributing factors of an incident.

As the level of automation scales upward, we have seen a corresponding transition from simple incident data gatherers to threat hunters. Additional time and resources become available to teams that use incident automation, permitting them to forego the traditional gatherer role and embrace a more proactive hunter role. The good news is that both roles can be supported within the SOC and within the same Security Orchestration, Automation and Response (SOAR) platform. IncMan SOAR from DFLabs provides the necessary combination of force multiplication and machine learning to ensure not only that incidents can be prioritized automatically, but also that the actions needed for successful resolution are available at incident inception.

If you would like to see how a SOAR platform can give your incident response team the tools to make the migration from simple data gatherers to threat hunters, reach out to us for a free, no-obligation demo.