This module delves deeper into threat hunting in Security Operations Centers (SOCs): learners are introduced to the main methodologies and techniques used to hunt down and neutralize threats proactively. By combining data analysis with threat intelligence and detection strategies, an analyst or student can build the skills needed to identify vulnerabilities before they are exploited.
The module also gives participants a richer appreciation of the dynamic nature of SOCs and of the specific ways they tackle an onslaught of increasingly sophisticated and fast-changing cyber attack methods. This prepares them to develop organizational cybersecurity practices and to devise strategies for threat detection and mitigation.
Learning Objectives:
Use the QRadar Analyst Workflow to analyze cybersecurity threats.
Define the structure of a highly effective cyber threat hunting team.
Cite a real-world industry concern in reference to the principles of cyber threat hunting.
State the primary purpose of cyber threat hunting at the SOC.
Explain why threat hunting is needed in SOCs.
Discuss global cyber trends and challenges.
THREAT HUNTING OVERVIEW KNOWLEDGE CHECK
1. Cyber threats pose many challenges to organizations today. Which three (3) of these are among those cited? (Select 3)
There is a cybersecurity skills shortage (CORRECT)
Almost half of the breaches are caused by malicious or criminal acts (CORRECT)
It takes an average of 191 days to even detect an attack has occurred (CORRECT)
There are too few cybersecurity tools available from too few vendors
2. What percent of security leaders reported that threat hunting increased the speed and accuracy of response in detection of advanced threats?
10%
27%
91% (CORRECT)
100%
3. While 80% of the threats are known and detected, the 20% that remains unknown account for what percent of the damage?
20%
40%
80% (CORRECT)
100%
4. True or False. The skill set of a cyber threat hunter is very different from that of a cybersecurity analyst, and many threat hunters have backgrounds in intelligence work.
True (CORRECT)
False
5. Your enemy uses a cyber kill chain to plan and execute his attack against your organization. Which three (3) of these are steps in a cyber kill chain? (Select 3)
Delivery (CORRECT)
Reconnaissance (CORRECT)
Negotiation
Weaponization (CORRECT)
6. True or False. A cyber threat hunting team generally sits at the center of the SOC Command Center.
True
False (CORRECT)
7. There is value brought by each of the IBM i2 EIA use cases. Which one of these delivers net new discovery of correlating low level alerts and offenses?
VIP Protection
Fraud Investigations
Insider Threat
Cyber Threat Hunting (CORRECT)
THREAT HUNTING GRADED ASSESSMENT
1. What is one thing that makes cybersecurity threats so challenging to deal with?
There is a big shortage in cyber security skills and many job openings unfilled (CORRECT)
Most organizations are faced with too few attacks to study effectively or dedicate full-time specialists to investigate
The large majority of “breaches” are inadvertent mistakes by employees which distracts from investigating the few that are from real cyber criminals
There are too few cybersecurity tools available from too few vendors
2. The level 3 and 4 cybersecurity analysts working in a Security Operations Center (SOC) combat cyber crime by performing which type of activity?
Cyber forensic investigations (CORRECT)
Cyber data mining
Cyber threat hunting
Penetration testing
3. True or False. If you have no better place to start hunting threats, start with a view of your own organization then work your way up to an industry view and then a regional view, a national view and finally a global view of the threat landscape.
True
False (CORRECT)
4. Your enemy uses a cyber kill chain to plan and execute his attack against your organization. Which three (3) of these are steps in a cyber kill chain?
Recovery
Exploitation (CORRECT)
Installation (CORRECT)
Delivery (CORRECT)
5. True or False. A cyber threat hunting team generally sits outside the SOC command center.
True (CORRECT)
False
6. There is value brought by each of the IBM i2 EIA use cases. Which one of these identifies net new money chain transfers?
Fraud Investigations (CORRECT)
VIP Protection
Insider Threat
Cyber Threat Hunting
7. There is value brought by each of the IBM i2 EIA use cases. Which one of these delivers net new discovery of correlating low level alerts and offenses?
VIP Protection
Fraud Investigations
Insider Threat
Cyber Threat Hunting (CORRECT)
CONCLUSION – Threat Hunting
In a nutshell, this module has equipped participants with an understanding of the importance of threat hunting within SOCs. They have learned about proactive detection techniques and how threat intelligence feeds into them. They have also learned the data analysis approaches used in threat hunting, giving them the skills needed to trace and counteract threats before they turn into major security incidents.
Armed with this knowledge, they will be able to strengthen their own defenses and those of others, and to fight proactively against ever-evolving cyber threats. Putting the practices and principles learned in this module into practice will make them active participants in protecting their organization's assets and in maintaining a continuous defense against newly emerging cyber risks.