The primary goal of the threat-hunting team at a large company is to identify cyberthreats that the SOC has not detected. Which of the following types of data would the threat-hunting team primarily use to identify systems that are exploitable?
The primary goal of the threat-hunting team is to identify cyberthreats that the SOC (Security Operations Center) has not detected. The most effective way to identify systems that are exploitable is through vulnerability scanning. A vulnerability scan actively seeks out security weaknesses and flaws in systems and software, providing a comprehensive view of potential exploit points. This is a proactive method to discover areas that could be vulnerable to an attack, which aligns perfectly with the threat-hunting objective of finding unnoticed threats.
I'm a bit uncertain of my answer, however I'm leaning towards Threat Feed (C). According to CompTIA, "threat hunting is an assessment technique that utilizes insights gained from threat intelligence to proactively discover whether there is evidence of TTPs already present within the network or system. This contrasts with a reactive process that is only triggered when alert conditions are reported through an incident management system (Section 3C)." The question uses the word "primarily," which I am using to make my inference. I find it more reasonable that threat hunters will use threat feeds to identify exploitable systems, rather than sifting through packet capture files. Obviously, both threat feeds and packet capture can be integrated into a SIEM, which is where my uncertainty comes into play. Also, are threat feeds considered to be threat intelligence rather than threat hunting? The semantics cause me to overthink it almost every time; however, considering the above excerpt from CompTIA, threat feeds just strike me as more proactive than reactive compared to packet capture.
Vulnerability scanning is the process of identifying security weaknesses and flaws in systems and software running on them.
Wouldn't the SOC run a vulnerability scan? The question states what wasn't detected by the SOC, so B. Packet Capture would be the better answer.
While the SOC is focused on managing and responding to immediate threats that are known and detectable, a threat-hunting team proactively searches for more subtle, hidden, or unknown threats that may not be detected by the existing security measures.
Yeah, so threat hunters are not using common tools like a vulnerability scan. They use things like IoCs which they get from their own research and threat feeds.
Gonna go with Packet Capture here. Vulnerability scanning looks for known vulnerabilities, which the SOC team should already do. Threat hunters are gonna work slower and more precisely, aka packet capture.
Within the Darril Gibson Sec+ SY0-601 Study Guide it identifies and lists Threat Feeds within its Threat Hunting section. Threat Hunting is the process of actively looking for threats within a network before an automated tool detects and reports on the threat. An important part of Threat Hunting is gathering data on the threat through threat intelligence. This knowledge comes from both internal and external sources. Threat Feeds provide subscribers with up-to-date information on current threats. Threat Feeds use both structured data reports and unstructured reports.
C. Threat feed. "Threat hunting is an active process of locating cyberattacks and mitigating them as they are discovered… Numerous sources provide information about cutting-edge attacks and security threats: intelligence fusion, threat feeds, and advisories and bulletins." (Mike Meyers' CompTIA Security+ 601 Cert Guide) Think STIX and TAXII.
B. Packet capture. Packet capture data provides a detailed record of network traffic, including the content of packets being transmitted between systems. By analyzing packet capture data, the threat-hunting team can identify suspicious or malicious activity that may indicate systems that are exploitable. This could include unusual network connections, patterns of communication indicative of malware or unauthorized access, or attempts to exploit vulnerabilities in network services or protocols.
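The two data sources argued over in this thread (threat-feed indicators, as in the STIX/TAXII comment above, and connection records pulled from a packet capture, as in the comment just above) are normally used together in a hunt: the feed supplies the IoCs, the capture supplies the evidence. The following is an added example, not code from the original thread or from any vendor; the feed entries and the connection records are constructed for illustration, the STIX-pattern subset it parses is only `ipv4-addr` and `domain-name` equality patterns, and the beaconing heuristic (at least three connections to the same destination at near-constant intervals) is an assumed threshold, not a standard.

```python
"""Hunt over packet-capture-derived connection records using threat-feed IoCs.

Added example (not from the original thread). All inputs below are constructed.
"""
from datetime import datetime
from typing import NamedTuple
import re

# Constructed threat-feed entries in STIX indicator-pattern syntax (not a real feed).
THREAT_FEED = [
    "[ipv4-addr:value = '203.0.113.7']",
    "[domain-name:value = 'update-check.example']",
    "[ipv4-addr:value = '198.51.100.23']",
    "[file:hashes.'SHA-256' = 'abc']",   # unsupported type: skipped by the parser
]

# Constructed connection records, as one would export from a packet capture
# (e.g. with tshark -T fields). Fields: time  src  dst  dst_port  server-name-or-'-'
PCAP_CONNECTIONS = """\
2024-05-01T10:00:00 10.0.0.5  203.0.113.7    443 -
2024-05-01T10:00:30 10.0.0.5  203.0.113.7    443 -
2024-05-01T10:01:00 10.0.0.5  203.0.113.7    443 -
2024-05-01T10:01:30 10.0.0.5  203.0.113.7    443 -
2024-05-01T10:00:05 10.0.0.9  93.184.216.34  443 www.example.com
2024-05-01T10:02:10 10.0.0.9  192.0.2.44     443 update-check.example
2024-05-01T10:03:00 10.0.0.12 192.0.2.80      80 -
"""

# Only the two STIX pattern shapes this example understands (assumption).
STIX_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value = '([^']+)'\]")


class Connection(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    host: str


class Finding(NamedTuple):
    host: str    # internal host the finding is about
    kind: str    # "ioc-match" or "beacon-like"
    detail: str  # matched indicator or beacon destination


def parse_stix_indicators(feed):
    """Map indicator type -> set of values; unsupported patterns are skipped."""
    indicators = {"ipv4-addr": set(), "domain-name": set()}
    for pattern in feed:
        m = STIX_PATTERN.fullmatch(pattern)
        if m:
            indicators[m.group(1)].add(m.group(2))
    return indicators


def parse_connections(text):
    """Parse whitespace-separated connection records into Connection tuples."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, host = line.split()
        conns.append(Connection(datetime.fromisoformat(ts), src, dst, int(dport), host))
    return conns


def hunt(conns, indicators, min_beacon=3, jitter_s=5.0):
    """Return sorted, de-duplicated findings from IoC matching and beacon detection."""
    findings = set()

    # 1. IoC matching: destination IP or server name present in the feed.
    for c in conns:
        if c.dst in indicators["ipv4-addr"]:
            findings.add(Finding(c.src, "ioc-match", c.dst))
        if c.host in indicators["domain-name"]:
            findings.add(Finding(c.src, "ioc-match", c.host))

    # 2. Beacon-like periodicity: repeated connections to one destination whose
    #    inter-arrival gaps vary by no more than jitter_s seconds (assumed heuristic).
    by_pair = {}
    for c in conns:
        by_pair.setdefault((c.src, c.dst), []).append(c.ts)
    for (src, dst), times in by_pair.items():
        if len(times) < min_beacon:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            findings.add(Finding(src, "beacon-like", dst))

    return sorted(findings)


if __name__ == "__main__":
    for f in hunt(parse_connections(PCAP_CONNECTIONS), parse_stix_indicators(THREAT_FEED)):
        print(f"{f.host:10} {f.kind:12} {f.detail}")
```

Run against the constructed data, the hunt flags 10.0.0.5 twice (its destination is on the feed, and its four connections at 30-second intervals look like beaconing) and 10.0.0.9 once for the feed-listed server name, while 10.0.0.12 produces nothing. The beaconing check is the part a feed alone cannot give you, which is why hunters want the capture-derived records as well as the indicators.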
A. Vulnerability scan to identify systems that are exploitable
CompTIA says "Where vulnerability scanning uses lists of patches and standard definitions of baseline configurations, threat hunting is an assessment technique that utilizes insights gained from threat intelligence to proactively discover whether there is evidence of TTPs already present within the network or system". This eliminates option A. Vulnerability scan. Darril Gibson mentions the tools used for threat hunting include OSINT, threat feeds, and intelligence fusion (which combines all this data to create a picture of likely threats and risks for an organization. This helps the cybersecurity analysts understand how threat actors may maneuver through the network, how to detect them, and how to mitigate their efforts once they're discovered).
A - Threat hunting is looking for potential threats using monitoring tools. Vulnerability Scanning - Automated probing of systems, networks, and applications to discover potential vulnerabilities. The fastest way to look for a threat is to scan. Packet capturing is good, but how long will it take to find a potential threat by device? That's my take.
I agree with Rumcajs. B - Packet Capture
Here it says threats not detected before by the SOC team. So option B makes more sense.
B. Packet capture. Explanation: Packet capture means looking at the data going back and forth on the network. By checking this data, the team can find any strange or suspicious activity that might be a cyberthreat. It helps them find systems that could be attacked or already compromised. While other methods like scanning for vulnerabilities (Option A), checking threat updates (Option C), and watching user behavior (Option D) are useful, looking at the network data directly is the best way to spot potential problems.
Given the context that the threat-hunting team is looking for cyberthreats that the SOC has not detected, focusing on anomalous user behavior could indeed be a more direct approach to identifying potentially exploitable systems that may have evaded detection. D. User behavior
At first I was thinking vulnerability scan, but it's probably packet capture. All of these can be right, but I think network traffic can give you the most valuable information to attack a network: seeing where all the data is going, what is secure and what is not, etc. If nmap was an option I might go with that, but given these are a bit more general I will say B.
The threat-hunting team primarily uses packet capture data to identify systems that are exploitable by analyzing network traffic for suspicious or malicious activities.