401 Reading 33 - marsecguy/reading-notes-cyberops GitHub Wiki

Threat Hunting

  1. How are Threat Hunting and Pentesting different?

    • Pentesting is an approved, internal process of having authorized actors seek vulnerabilities to exploit and seeing if those attempts are detected.
    • Threat hunting is looking for unauthorized exploits (internal or external) that have already eluded detection.
  2. What is the primary objective of Threat Hunting?

    • To bridge the gap between detection and response and take a proactive approach to searching for and eliminating threats that may have already escaped detection.
  3. Your organization has a fully functioning SOC but no active Threat Hunting. How would you advocate for your security organization to start Threat Hunting activities?

    • I would point out that many previous data breaches have happened despite SOC controls and often continued to exploit the targets for long periods of time before being detected. I would also show that most of the time these events have been detected, it has been through outside intervention, such as law enforcement notification or external audits.

Source: Active Countermeasures