Threat Hunting with Security Onion.md - Juan-bit94/Ops401D10 GitHub Wiki

Threat Hunting with Security Onion

Why does this topic matter?

  • Threat hunting in cybersecurity is crucial because it allows an organization to take a proactive approach against advanced threats that evade traditional security measures.
  • Searching for signs of malicious activity, or for indicators of compromise, can reduce downtime and improve incident response.

How are Threat Hunting and Pentesting different?

  • Here is a breakdown of the difference between threat hunting and pen-testing.
    • Threat hunting
      • It's an active/proactive activity.
      • You use tools, techniques, and data sources to identify threats that may have evaded traditional security measures.
    • Pen-testing
      • It's a controlled simulation of a cyber attack carried out to identify vulnerabilities.
      • The goal of pen-testing is to assess the security posture and identify weaknesses that threat actors could exploit.

What is the primary objective of Threat Hunting?

  • The primary objective of threat hunting is to proactively detect and respond to advanced threats that may have bypassed traditional security controls.
  • These security controls can include firewalls, antivirus software, and IPS/IDS.
  • Security professionals look for indicators of compromise (IoCs).

Your organization has a fully functioning SOC but not active Threat Hunting. How would you advocate for your security organization to start Threat Hunting activities?

  • I would explain to the stakeholders that a SOC is great for monitoring and responding to known threats, but there are sophisticated or emerging threats that could evade detection.
  • I would also add that it's better to be proactive: seeking out threats before a trigger or alert happens is always preferable.

Things I want to know more about.

  • I would like to know more about threat intelligence feeds and how they can inform threat hunting activities.
  • I would also like to know how to stay informed about the latest trends and developments in the cyber threat landscape.