Prowling the Wilds — Upgrade Your SOC and Hunt Down Threats

May 21, 2024
7 minutes
... views

It would be nice to imagine our SOC analysts as the apex predators of the IT jungle, stalking the network perimeter and tracking the scent of trespassing attackers. But, for most SOCs and their analysts, that’s far from the reality of their operations. Most are overwhelmed by data points and ill-equipped to correlate and analyze them. Analysts, who wish they could proactively hunt down threats and remediate vulnerabilities, are too busy churning through alerts and documenting false positives. According to our 2024 Unit 42 Incident Response Report, 90% of SOCs say they rely on manual processes.

It’s not just a haystack that SOC analysts are combing through; it’s a hay mountain. They are sniffing for even a trace of compromise. Forget finding a needle. Most don’t even know how many needles there are.

SOC leaders need to outfit their analysts with the right gear and training. Upgrade your SOC and analysts, so they can hunt down the threats lurking in your network.

SOC Analysts Are Burnt Out

Everyone knows there is still a shortage of cybersecurity professionals. Federal initiatives, like NICE, seek and promote “an integrated ecosystem of cybersecurity education, training, and workforce development,” but the demand for qualified professionals continues to outpace the supply.

No one feels the strain more than SOC leaders, who struggle to keep their SOC staffed 24/7 with experienced personnel. Analysts are fleeing SOCs in droves, and industry reports provide some answers as to why:

  • 71% say they’re burnt out by SOC work.
  • 69% claim their SOC is understaffed.
  • 60% say the workload is increasing.
  • 64% spend more than half of their time performing manual tasks.
  • 66% indicate that the majority of work could be automated.
  • 60% said they plan to quit their jobs.

SOC analysts say they spend too much time investigating and reporting false positives. They’re overwhelmed by disparate data points and forced to triage alerts. They also claim that reporting is one of their least favorite tasks and consumes most of their time, especially when the majority of reports say “Nothing to see here.”

Threat hunting appeals to budding and enthusiastic cybersecurity professionals, but the reality of SOC life sends them searching for new opportunities.

Why SOC Analysts Are Walking Away

Infosec professionals are typically excited about SOC work; at least in theory. They know that automated processes and smart tools could empower them to make high-level decisions about potential threats.

Most discover, however, that manual processes and poorly tuned tools make the SOC a miserable place to work. Instead of proactively hunting for vulnerabilities and advanced persistent threats on the network, they spend all their time just trying to catch up.

The majority of SOC work revolves around investigating alerts generated by dozens of tools. Consider the extraordinary number of devices in an enterprise organization. Each generates its own logs and produces a data trail that may contain indicators of attack and/or compromise (IOAs and IoCs):

  • Firewalls
    • A large number of connection attempts are made from a single IP address in a short period (a potential denial-of-service attack).
    • A user attempts to access a restricted resource from an unauthorized location (potentially compromised account).
  • Intrusion Detection System (IDS)
    • A known malware signature is detected on a system (a potential malware infection).
    • A user attempts to exploit a known system vulnerability (potential privilege escalation).
  • Security Information and Event Management (SIEM)
    • Multiple failed login attempts occur for a critical system account (a potential brute-force attack).
    • A user account with high privileges accesses sensitive data outside of regular working hours (a potential insider threat).
  • Endpoint Detection and Response (EDR)
    • A program attempts to access unauthorized files or folders (potential ransomware encryption).
    • A user's device connects to a known malicious domain (a potential phishing attempt).

The average SOC receives tens of thousands of alerts each day. Without tools that can automatically aggregate and categorize relevant telemetry, SOC analysts are burned out chasing ghosts across treacherous, unmapped terrain.

Hunting the Wilds

Analysts would prefer to be prowling the wilds and proactively hunting for threats.

Threat hunting is the systematic pursuit of hidden threats within your network. It's a multipronged approach that involves fortifying defenses against attackers and flushing out advanced persistent threats (APTs). Hunters employ various tactics:

Indicators of Attack and Tactics, Techniques and Procedures (TTPs)

Hunters search for patterns associated with known attacker behavior, such as unusual data exfiltration attempts (large file transfers at odd hours) or reconnaissance activities (probing for vulnerabilities). This often involves analyzing network traffic logs and endpoint activity for suspicious patterns.

Indicators of Compromise

These are specific signatures of malware or malicious activity, such as a known command and control (C2) server address or a specific malware hash. Hunters can leverage threat intelligence feeds and internal security data to identify potential IOCs.

Hypothesis-Driven Hunting

This involves developing hypotheses about potential threats based on industry trends, intelligence reports or internal security incidents. Hunters then test these hypotheses by searching for specific indicators or patterns within network data.

Specialized Techniques

There are various techniques used in threat hunting, such as network traffic analysis, memory forensics and endpoint analysis. The specific techniques used will depend on the nature of the hunt and the available data.

The right tools are crucial for threat hunting. Well-tuned solutions can connect the dots across disparate data sources, helping analysts prioritize legitimate threats for investigation.

For example, security platforms that offer threat-hunting capabilities can automate some tasks, like log analysis and threat correlation, and provide context for analyst investigations with threat intelligence feeds.

Upgrading SOC Operations

There’s just too much data to correlate and analyze — activity from every device on the network, including nodes that facilitate inbound and outbound traffic from anywhere in the world. Automation is inevitable.

Many SOCs get buried by their tools, triaging alerts that are almost always false positives. SOCs need smart, calibrated tools that can connect thousands of inputs and analyze activity from a multitude of perspectives.

Most SOCs struggle to reconcile insights generated by their tools — XDR, SOAR, ASM, SIEM, etc. Solutions like Cortex XSIAM combine these components and connect all the data points to generate legitimate leads.

Cortex XSIAM leverages AI models for advanced analysis that streamlines the decision-making process, which enables analysts to spend less time investigating and documenting dead-end leads, and more time hunting for large game.

Make the Proactive Shift

A successful threat-hunting program offers several benefits beyond simply identifying and mitigating threats:

  • Reduced Dwell Time – Threat hunting helps identify threats earlier in the attack lifecycle before they can cause significant damage.
  • Improved Security Posture – Threat hunting identifies weaknesses in your security posture. By proactively searching for threats, you can identify and address vulnerabilities before attackers can exploit them.
  • Enhanced Threat Intelligence – Threat hunting can help you develop a deeper understanding of the threats targeting your organization. Leverage the knowledge gained from investigations to improve your security strategy and inform future hunts.
  • Boosted Analyst Morale – Threat hunting empowers analysts by giving them opportunity to proactively use their skills and knowledge. This can help to reduce burnout and improve overall job satisfaction.

Attackers have evolved, leveraging automation and AI to launch more sophisticated campaigns. The modern SOC needs to meet this challenge head-on with superior firepower. SOC analysts should command fleets, not paddle around in a rowboat.

Take a machine-led, human-powered approach to threat hunting. Fight fire with fire – upgrade your SOC and your analysts with AI-powered tools that give them advantage.

Want to learn more? Find out how Unit 42 Managed Threat Hunting Services can help you proactively hunt down threats in your environment. You can also register for our upcoming workshop to sharpen your investigation and threat hunting skills.

Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.