| property | value |
| --- | --- |
| tags | defensive-tradecraft, elastic-stack, kernel, pkm-pocket-pipeline, procedure-syscalls, process-telemetry |
| url | |
| original_word_count | 0 |
Article Excerpt
Long Summary
Threat intelligence and threat hunting are two distinct but related concepts in cyber security. Threat intelligence is the process of collecting and analysing data about potential and current cyber threats, such as indicators of compromise (IOCs), malware signatures and attack patterns. It is used to inform broader security strategies and to point defenders at the threats they should focus on. Threat hunting, on the other hand, is the process of proactively searching for, and identifying, potential threats or IOCs within an organisation's network or systems. It goes looking for threats rather than waiting for an alert, which is what makes it proactive where traditional cyber security measures are reactive.
Threat intelligence involves collecting and analysing data from open-source intelligence (OSINT), social media, dark web forums and information-sharing platforms. That raw data is turned into information by adding context, so that the recipient can make a decision from it. There are three main types of threat intelligence: strategic, operational and tactical. Strategic intelligence provides a high-level overview of the threat landscape and is used to inform broader security strategies. Operational intelligence is focused on the immediate and current risks that security teams need to prioritise their detection and response efforts around. Tactical intelligence is the technical detail of specific threats as it relates to vulnerabilities, exploits and the indicators and techniques an attacker leaves behind.
Threat hunting is all about searching through data: logs managed by a Security Information and Event Management (SIEM) platform, cloud logs, and the process telemetry collected by Endpoint Detection and Response (EDR) platforms. A threat hunter takes the operational and tactical intelligence provided to them and makes it actionable by turning it into queries that look for the described activity. Because atomic indicators such as hashes and domains are cheap for an attacker to change, hunts built around behaviours (the techniques the intelligence describes, such as an Office application spawning a shell) tend to age better than hunts built on IOC lists alone, so a good hunt usually combines both. The ultimate goal of threat hunting is to catch adversaries already lurking in the organisation's network or systems before they achieve their objective.
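The following is an added worked example, not code from the original note, of what "making tactical intelligence actionable" looks like in practice: a small IOC set (hashes, a domain, and a parent/child process technique) is rendered as a KQL query a hunter could paste into Kibana, and the same logic is run locally over a few constructed process-telemetry events. The IOC values, the events, and the field names (modelled loosely on Elastic Common Schema: `process.name`, `process.parent.name`, `process.hash.sha256`, `dns.question.name`) are all assumptions made for the example.

```python
"""Turn tactical threat intelligence into a threat hunt over process telemetry.

Added example for this note; the feed, events and field names are constructed
for illustration and are not from any real product or report.
"""
import json

# Constructed tactical intelligence, as a report or feed might hand it to a hunter.
# Hashes and domains are normalised to lower case once so matching is case-insensitive.
IOC_FEED = {
    "sha256": {"deadbeef" * 8},                       # constructed 64-hex-char hash
    "domain": {"update-check.example.net"},           # constructed C2 domain
    # A behaviour from the same report: an Office application spawning a shell.
    "parent_child": {("winword.exe", "cmd.exe"), ("winword.exe", "powershell.exe")},
}

# Constructed process telemetry, newline-delimited JSON as an EDR or SIEM might export.
# ws01: Office spawning cmd.exe; ws02: known-bad hash; ws03: DNS lookup of the IOC domain;
# ws04: cmd.exe from explorer.exe, which is benign and must not match.
SAMPLE_EVENTS = """\
{"@timestamp":"2024-05-01T09:00:01Z","host":{"name":"ws01"},"process":{"name":"outlook.exe","parent":{"name":"explorer.exe"},"hash":{"sha256":"a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"}}}
{"@timestamp":"2024-05-01T09:00:07Z","host":{"name":"ws01"},"process":{"name":"cmd.exe","parent":{"name":"WINWORD.EXE"},"hash":{"sha256":"b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2"}}}
{"@timestamp":"2024-05-01T09:01:15Z","host":{"name":"ws02"},"process":{"name":"svchost.exe","parent":{"name":"services.exe"},"hash":{"sha256":"DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"}}}
{"@timestamp":"2024-05-01T09:02:40Z","host":{"name":"ws03"},"process":{"name":"chrome.exe","parent":{"name":"explorer.exe"},"hash":{"sha256":"c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3"}},"dns":{"question":{"name":"update-check.example.net"}}}
{"@timestamp":"2024-05-01T09:03:02Z","host":{"name":"ws04"},"process":{"name":"cmd.exe","parent":{"name":"explorer.exe"},"hash":{"sha256":"d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4"}}}
"""


def get_field(event, path, default=None):
    """Read a dotted field such as 'process.parent.name' from a nested event dict."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def build_kql(iocs):
    """Render the IOC set as one KQL query a hunter could paste into Kibana Discover.

    Field names are assumed (ECS-style); the 'field:(a or b)' form and lower-case
    'and'/'or' are standard KQL.
    """
    clauses = []
    if iocs["sha256"]:
        values = " or ".join(f'"{h}"' for h in sorted(iocs["sha256"]))
        clauses.append(f"process.hash.sha256:({values})")
    if iocs["domain"]:
        values = " or ".join(f'"{d}"' for d in sorted(iocs["domain"]))
        clauses.append(f"dns.question.name:({values})")
    for parent, child in sorted(iocs["parent_child"]):
        clauses.append(f'(process.parent.name:"{parent}" and process.name:"{child}")')
    return " or ".join(clauses)


def hunt(ndjson, iocs):
    """Apply the same intelligence locally to exported events.

    Returns a list of (host, reason) tuples, one per matching indicator, so a single
    event that matches two indicators produces two hits.
    """
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        host = get_field(event, "host.name", "unknown")
        sha = (get_field(event, "process.hash.sha256") or "").lower()
        domain = (get_field(event, "dns.question.name") or "").lower()
        pair = (
            (get_field(event, "process.parent.name") or "").lower(),
            (get_field(event, "process.name") or "").lower(),
        )
        if sha in iocs["sha256"]:
            hits.append((host, f"known-bad hash {sha[:12]}..."))
        if domain in iocs["domain"]:
            hits.append((host, f"DNS lookup of IOC domain {domain}"))
        if pair in iocs["parent_child"]:
            hits.append((host, f"{pair[0]} spawned {pair[1]}"))
    return hits


if __name__ == "__main__":
    print("KQL:", build_kql(IOC_FEED))
    for host, reason in hunt(SAMPLE_EVENTS, IOC_FEED):
        print(f"{host}: {reason}")
```

The KQL string is what goes into the SIEM; the local `hunt` function is useful for re-running the same intelligence against an exported batch of events, and for checking that the hunt does not fire on the benign `explorer.exe -> cmd.exe` case before it is loaded as a scheduled query.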
Building out a comprehensive cyber security programme requires both a threat intelligence function and a threat hunting function. The two feed each other, and an effective pipeline between them is needed to get the most out of both intelligence and hunting. Automation can cover some of the work, but analysts are still needed to pick apart the threat intelligence, analyse it and distribute it appropriately. This ensures the right people get the right data so they can make efficient decisions that holistically improve the security of the organisation.
Short Summary
👉🏽 Threat intelligence collects and analyses data on potential and current cyber threats.
👉🏽 It identifies indicators of compromise (IOCs), malware signatures, and attack patterns.
👉🏽 The purpose is to inform broader security strategies and direct defenders on threats to focus on.
👉🏽 Threat hunting proactively searches for and identifies potential threats within an organisation's network.
👉🏽 It seeks out potential threats, rather than being reactive like traditional cyber security measures.
👉🏽 Threat intelligence involves collecting and analysing data from OSINT, social media, and dark web forums.
👉🏽 There are three main types of threat intelligence: strategic, operational, and tactical.
👉🏽 Threat hunting involves searching through data, such as SIEM logs, cloud logs, and EDR platforms.
👉🏽 Automation can be used, but analysts are needed to pick apart the data and distribute it appropriately.
👉🏽 Both threat intelligence and threat hunting are necessary for a comprehensive cyber security programme.
#ThreatIntelligence #ThreatHunting #CyberSecurity #DataAnalysis #Automation