6. Responding to Threat or Vulnerability
In the previous steps, analysts have gathered enough data to answer their hypothesis. Two types of situations can occur. Either the real threat is found or the vulnerability is detected. In both cases, analysts action is necessary. The analysts must respond immediately when a real threat is identified. However, if there is any vulnerability, they should also resolve this before it becomes a really big nightmare.
Is your CSIRT team facing too many security alerts? Is your SOC has various security products that are jumbled together? Are you worried about setting the sensitivity of each product? How a severity level should be assigned to each imminent incident? These questions are hard to answer by today’s security professionals. However, security orchestration plays a crucial role in helping experts to address these questions.
Threat hunting is the practice of iteratively and proactively hunting for threats or Advanced Persistent Threats (APT) that are launched by adversaries. Unlike traditional security systems such as antivirus program, firewalls, or SIEM, who use a reactive approach to threats, threat hunting utilizes a proactive approach to pursuing threats even before they compromise organization’s network or IT infrastructure.