Sometimes we refer to concepts without knowing the full extent of what they mean. Let’s see what reactive, proactive and threat hunting mean in the context of security operation center (SOC) maturity.
SOC operating models
In recent years, security operations have gained importance in representing the function that should carry the responsibility for detection and response in alignment with organizational business goals. However, working closely with hundreds of customers, I observed that SOC doesn’t have the same meaning for everybody. This seems to depend upon how the security operation center was started in an organization.
In some cases, it involves grouping a few people around an existing technology with very basic processes. In these cases, the only improvements overtime occur on the technology front. In other cases, security operations are run by a partner, delivered as a service and consumed by internal security personnel for incident follow-up and remediation.
There is also a combination of those two models in a hybrid multi-tiered approach. In the hybrid approach, initial detection and alert triaging is performed by an external organization and the deeper investigation and response is the responsibility of an internal team.
Understanding which approach is best is outside the scope of this article and the most optimal approach for you should be considered in the context of your specific organization.
It's all about maturity
One aspect that is universally true and applicable to every organization is how security operations mature over time, how that maturity is driven by business goals, and how it is tracked. Business goal alignment is a key aspect for every supporting function in an organization. This is even more true for security operations, which is at the front line to reduce business risk.
Another key aspect involves achieving the right balance between people, processes and technology. Technology is typically the easiest part because it’s simply a matter of acquiring hardware, software or services and consuming their output.
People is probably the most difficult challenge to overcome. The shortage of knowledgeable, well-qualified cybersecurity professionals is no secret and very high analyst turnover represents a daily problem for SOC management.
Processes are the glue that keeps it all together. They can have a positive impact when fully aligned with the business and provide agility and consistency. Processes must include good, accurate metrics to score how the SOC is doing against key performance indicators and business objectives.
Achieving balance across these three elements will translate into good maturity and, more importantly, the capability to mature faster.
React vs. hunt
Processes should in part define and implement a proactive investigative approach that goes beyond the detect and react model that rarely learns from incidents.
The reactive approach tends to search rapidly for a fix without going too deeply into broader considerations. Proactive investigations go farther by asking more and more questions to discover hidden threat aspects, commonalities across multiple incidents, and secondary effects unassociated with the incident under investigation.
When this approach becomes systematic and tends to be more and more unrelated to specific incidents, it assumes the characteristics threat hunting. In threat hunting, the environment and historical data are searched for artifacts related to the threat.
Threat hunting should focus on attacker behaviors in the form of TTPs, attack methodology and tools rather than on atomic indicators. This approach will have a beneficial impact on both threat coverage and detection durability.
I’m not saying that file hashes, IP addresses or domains are not useful. They can be a great way of scoping out the extent of a breach. But a proactive approach invests more time on threat hunting for a more durable outcome.
Threat hunting should also be performed in conjunction with the MITRE ATT&CK matrix. As per Matt Bromiley from the SANS Institute states: “By associating threat hunts with known threat actor objectives, techniques and tactics, starting to think of threat hunting not as a singular activity but rather in the context of how an attacker may achieve that objective within your environment."
A scientific approach
Another key difference between threat hunting and threat detection resides in the processes that drive them. Threat detection is a linear process in which alerts are generated, triaged and, if relevant, the response phase will kick off.
On the other hand, threat hunting fits more into the scientific methodology that starts with formulating a hypothesis. It then involves research, an evaluation of the results and returning to more research if results don’t prove the hypothesis.
Reactive, proactive and threat-hunting methods all bring value, but at different levels.
A successful, mature SOC that aligns with business drivers has likely gone through the exercise of balancing people, processes and technology components. At the same time, it enables you to transition from a reactionary mode to real threat hunting based on threat behaviors and attack methodologies rather that artifacts that are used as possible evidence.