We’ve expanded our partnership with Mandiant, now part of Google Cloud, to help our users operationalize and prioritize threat intelligence. READ THE PRESS RELEASE >

Accelerate SOC Maturity with Threat Hunting

What Is SOC Maturity? Why Is It Important?

SOC leaders who got their start in security 10 or 20 years ago have witnessed an incredible evolution of cyber attacks. Those who have failed to keep up find themselves operating in an unrecognizable sea of advanced adversaries. All kinds of organizations across every industry are struggling to maintain their pace on the rapid timeline that threat actors have set for them. They’re all wondering the same thing: “How can we prioritize and improve our threat management strategy amid such a turbulent landscape?”

The security operations center (SOC) – the beating heart of many enterprises’ / organizations’ threat management strategy – has taken on several new capabilities and technologies over the past decade or so. For a while, all teams were able to do was react to attacks as they happened – and at the time, that was enough. But adversaries got smarter, greedier, and faster, and any organization reacting to threats (instead of preparing for them) was sure to face catastrophic financial, data, and reputational loss.

So SOC teams adapted. They invested in tooling like security information and event management (SIEM) platforms to continuously monitor their networks, and threat intelligence platforms (TIPs) to more accurately predict the attacks they needed to worry about. The more prepared, robust, and resilient a SOC is depends on its people, processes, and technology – a metric measured and known as SOC maturity.

So, what does SOC maturity look like?

What Does a Mature SOC Look Like?

A mature SOC is one that’s not just prepared for the worst, but already several steps ahead, and they usually achieve that through their tech stack, personnel, and a deep understanding of the threat landscape (and their organization’s place within it). A term to describe this state is a threat-informed SOC.

An Immature SOC

A Mature SOC

  • Alerts are coming from an ever-increasing number of tools with a significant false positive workload
  • Operations are ad hoc and reactive
  • They typically can handle baseline threats such as malware and phishing
  • They’re operating from limited data and logs, leaving them vulnerable to detection blindspots
  • They have limited time to research threats or perform threat hunting
  • They use machine learning (ML) and artificial intelligence (AI) to predict threats and attack patterns
  • They have automated processes and simulations to understand actors before attacks occur and to remediate gaps
  • They follow end-to-end workflows for core operations like threat hunting, detection engineering, and purple teaming
  • They’re actively searching for complex threats + continuously testing and improving their own capabilities
Obviously, this is a binary view of the mature SOC, and there are many levels of maturity in between, so upending your entire SOC to achieve maturity isn’t something that can happen overnight. However, it might help to think about your objectives, what’s holding you back from maturity, and which barriers you can address to get there.

The barriers that hold organizations back from a more mature posture are often the same ones that hold them back from advanced threat management functions, such as threat hunting. And those kinds of functions are the ones that empower mature organizations to detect more threats – more relevant threats – faster.

What Holds Organizations Back from Threat Hunting?

Threat hunting is a highly coveted skill in cybersecurity, and it’s a critical function in a mature SOC – but when a team is already so busy, adding this sophisticated capability might not be at the top of their list of priorities.

Threat Hunting Challenge #1: SOC Leaders Don’t Know What They Don’t Know

Many SOCs are flying blind when it comes to their detection gaps. Without a deep understanding of their threat profile, a framework like MITRE ATT&CK™ to measure their coverage, and the ability to identify gaps and prioritize threats, they’re only able to focus on the threats they do know about…versus the threats that are lurking in their network, unbeknownst to them.

That’s what threat hunting is all about: uncovering what you don’t know. In the cyber sphere, what you don’t know can hurt you – maybe even more than your known threats. So it’s crucial to have that visibility into your gaps in order to pursue a mature activity like threat hunting.

Threat Hunting Challenge #2: SOC Leaders Don’t Understand Which Threats Matter

Even with some visibility into widespread headline threats, organizations don’t have the full picture. A mature threat management strategy isn’t about defending against every potential threat: it’s about ensuring you’re protected against the threats that matter.
A great example of this is that many enterprises take inspiration from the headlines to prioritize their threat management activities: if a new and emerging threat is taking your industry by storm, yes, you should absolutely bolster your defenses and make sure you’re protected. But in reality, adversaries are much more likely to rely on tried-and-true forces like malware, scheduled tasks, and so on.
Without a roadmap detailing which ones pose the greatest danger, organizations are trying to boil the ocean and prepare for ALL the threats…meaning they don’t have the space to focus on their more relevant adversaries.

Threat Hunting Challenge #3: SOC Leaders Can’t Correlate Their Data

SOCs get a lot of data coming in from many disconnected sources, which means they have to keep an eye on several different tools and store those inputs in several different places. That’s already challenging enough in an environment that’s so reliant on data to make and execute decisions. But from a threat hunting perspective, it’s an even bigger roadblock.
Hunters are typically dumping their information in spreadsheets, pivoting from one console to the next to get a complete view of the threats stacked up against them. That makes it really easy for things to slip through the cracks – teams are challenged to switch their brain to each tool’s UI and syntax, creating a horrible user experience for those who need to search, correlate, and use that data.

Threat Hunting Challenge #4: SOC Leaders Don’t Have the Resources In-House

Threat hunting is no easy task. It demands an advanced, scarce skill set – many SOCs might not have a person (or ideally, team) dedicated to threat hunting. SOC leaders either have to hire threat hunting personnel – which can be expensive, hard to find, and even harder to keep – or train up their existing team, which few of them have enough time to do.
The average SOC is overwhelmed as it is – adding on a new capability, and such an involved one at that, might seem out of the question. On top of that, threat hunting can be time-consuming as it requires intensive research from various resources, a deep understanding of the organization’s toolkit and threat profile, and immense effort to execute and analyze a threat hunt. A team that’s already struggling to make ends meet isn’t likely to jump at the chance to stretch themselves even thinner.

Fortunately, there are threat hunting platforms like SnapAttack that are designed to lift the burden on under-resourced organizations that want to build out a threat hunting program.

Threat Hunting Challenge #5: SOC Leaders Don’t Have Confidence

If it isn’t already clear, threat hunting has a reputation for being a complex, advanced SOC activity. It is also really difficult to measure ROI. For these reasons, many security leaders shy away from it, worried that they don’t have the resources or maturity to take it on. But the thing they think they’re too immature to handle is precisely what could propel their team toward a proactive, mature security posture.
Is threat hunting easy? Of course not – it provides a huge boost to preparedness and maturity in the SOC. It’s not easy, but it can be so impactful. With the right toolkit, training, and strategic roadmap to get you there, threat hunting can transform your SOC from a reactive, noisy environment into a next-gen security powerhouse.

Threat Hunting Benefits: Why Is Threat Hunting Important for SOC Maturity?

Threat hunting can enable security teams to get ahead of the threats that endanger their organization. But what does that look like in practice, and what are the benefits for SOC leaders and their teams?

Threat Hunting Benefit #1: Gain Visibility into Your Threat Landscape

Many security teams lack visibility into their MITRE ATT&CK™ coverage and how threats map to their unique environment. They’re trying to boil the ocean when really, they need to focus on the threats that are most likely to impact their organization based on factors like:

  • Industry
  • Size
  • Region
  • Recency
  • Impact
  • And more.

All of this information can be wrapped up into a prioritized threat profile – but few organizations have the environmental context, tooling, or time to create or use one of those. That’s why they turn to sources like headlines and online forums to focus their efforts on the threat-of-the-week (more on this later) instead of the threats that actually pose the greatest risk to their specific organization.

Think of threat hunting as the practical application of a threat profile. It’s the activity that helps you identify and assess the unknown – the threats that you need to worry about, that are already lurking deep within your network. By leveraging threat hunting, you’re actively working to discover the things your detection tools miss (such as living-off-the-land attacks) or anomalous threats that snuck past your defenses.

Threat Hunting Benefit #2: Prevent Both Emerging and Evergreen Threats

Organizations might feel protected against the threats getting their attention through the headlines, but advanced adversaries are much more likely to leverage evergreen tactics, including those that are designed to evade typical detection tools. It’s easier to hone in on the threats that are right in front of you…but what about the sea of possible threats that might not be so obvious?
New and emerging threats, or what we like to call “threats-of-the-week,” are the ones that everybody’s talking about. Just because a tactic or threat actor is trending on Twitter, that doesn’t mean your organization is necessarily at risk. Is that actor targeting your industry, region, or organizations of your size? Are you vulnerable to their techniques? These are questions that can be answered by something like a threat profile (again, the roadmap behind a strong threat hunting strategy), but most organizations jump right into a reaction before considering how concerned they should really be about that threat.
On the other hand, there are plenty of evergreen tactics that threat actors are significantly more likely to use – and their likelihood is linked to the factors involved in a threat profile (industry, region, and so on). Less mature organizations just don’t have the time and resources for this kind of preparation. So, as a result, the best they can do is to stay ahead of the headlines – even if that means they’re still vulnerable to the 99% of attacks that aren’t in the spotlight at that given moment.
How does threat hunting help with this? Threat hunting requires a threat profile as a blueprint – or at least some level of visibility into the organization’s unique threat landscape. SOC teams can reference the threat profile to determine which threats matter to them (threats-of-the-week AND evergreen ones). If they’re in the clear, great. If they’re not, threat hunting makes it straightforward to find out whether they’ve been impacted.

Threat hunting gives hunters a map of any suspicious activity related to a threat so they can formulate a hunt hypothesis. The hunt hypothesis (or, less scientifically, hunch) tells them, “if any adversaries have gotten in, this is where they’ll be, and this is what their trail will look like.” They follow that hypothesis straight to, or evidence of, the threat actor at hand, if there is a threat actor to catch, in order to prevent the incident from occurring in the first place.

Threat Hunting Benefit #3: Analyze Historical Data (And the Threats You Can’t Detect)

A strategy that relies on threat detection alone, without historical analysis, might catch most bad actors on their way in – but what about those that settled in long ago, or those designed to sneak right through the gates?

Many SOCs rely on a detection-based approach in which they’re putting all their eggs in a reactive basket. They trust their alerting rules and detection tools to catch any suspicious behavior they’d want to know about. And while those are a huge component of any solid security strategy, relying on detection 100% ignores so much of the threat landscape.
Think about it like your home security system. If your alarm was triggered, would you check the front door and windows, then assume everything was fine? Or would you give the basement and other rooms a quick peek, too?
Blind faith (or even faith that’s been tested and validated) in alerting rules causes organizations to settle into a false sense of security. That’s because many malicious techniques are designed to evade detection – bad actors can disguise themselves as admins, or use legitimate logins, or a host of other deceptive tactics. And once they’re in, they’re likely not going anywhere. It’s only a matter of time before those unknown threats make themselves known – at which point, SOC leaders are usually asking themselves, “why did I wait until it was too late?”

Threat hunting significantly cuts down the time from intrusion to discovery because organizations are proactively searching for threats instead of waiting for them to surface. That’s the beauty of threat hunting – you’re in the driver’s seat, uncovering those threats before they beat you to the punch. Detect what you can, hunt what you can’t: it’s the approach mature organizations use to get proactive and take control of the formerly-uncontrollable adversary.

Conclusion: Striving for SOC Maturity and Threat Hunting

Threat hunting is one of those core SOC functions that’s only possible when the organization is ready to invest people, time, and budget into a sophisticated, advanced capability. It’s also one of the most rewarding, proactive, and worthwhile initiatives they can take…but many organizations are held back by a lack of resources (or confidence).

Much like SOC maturity, no one is questioning whether threat hunting is a good thing to do – it’s a matter of possibility. That’s why our team of former threat hunters took all of their greatest threat hunting challenges into consideration when developing SnapAttack. SnapAttack provides a structured, repeatable workflow for threat hunting and integrates across your tech stack so each hunt can be completed from one place in just a few minutes.

The SnapAttack platform is designed to help security teams at any maturity build a threat hunting program, whether they already have some of the pieces in place or need to start from the ground up. Features like built-in Threat Profiles, the Hunter’s Workbench, machine learning-driven Recommended Hunts, and automated hunts make it possible for even less mature teams to unlock the benefits of threat hunting.

For teams who want to find out where their maturity currently stands, or put their threat hunting in the hands of experts, SnapAttack offers professional services and maturity assessments in addition to our end-to-end threat hunting platform. Get in touch today.

About SnapAttack: SnapAttack is an innovator in proactive, threat-informed security solutions. The SnapAttack platform helps organizations answer their most pressing question: “Are we protected against the threats that matter?”

By rolling threat intelligence, adversary emulation, detection engineering, threat hunting, and purple teaming into a single, easy-to-use product with a no-code interface, SnapAttack enables companies to get more from their tools and more from their teams so they can finally stay ahead of the threat.