Threat hunters are some of the most specialized and experienced workers in the SOC. They are incredibly valuable to the organization, but as the 2023 SANS Threat Hunting Survey finds, they’re continually being asked to multi-task and take on other duties. And that’s taking away from their primary job of hunting for threats. How can we change this status quo and help threat hunters (and the organizations they work for) be successful? That’s the million-dollar question.

When it comes to protecting data in an evolving threat landscape, two common strategies are at the forefront: incident response and threat hunting. While both processes can safeguard an organization's data, their approaches, objectives, and execution differ significantly. Understanding the differences between the two strategies is critical for organizations aiming to.

At Splunk, you may hear us pontificating on our ponies about how awesome and easy it is to use Splunk to hunt for threats. Why, all you need to do is use X and Y with Splunk to find a Z score (no zombies were injured) and BOOM! That baddie in your network is detected. Going back to at least a decade, we’ve tried to make it easy — as you’ll see in the resources below — and yet threat hunting is about as easy as telling someone how easy it is to draw an owl.

Oh no! You’ve been hacked, and you have experts onsite to identify the terrible things done to your organization. It doesn’t take long before the beardy dude or cyber lady says, “Yeah...they used DNS to control compromised hosts and then exfiltrated your data.” As you reflect on this event, you think, “Did I even have a chance against that kind of attack?” Yes, you did because Splunk can be used to detect and respond to DNS exfiltration.

For years, security leaders have debated the advantages of building in-house security operations centers or outsourcing the SOC function to a third party. Both options have their pros and cons. The best choice for each organization depends on a few factors: the type of threats it encounters, the resources it has at its disposal, the complexity and breadth of their attack surface, and the commitment it wants to make to advanced threat hunting.

IoCs are forensic data threat intelligence teams use to confirm cyberattack occurrences and build cyber-defense strategies. IoCs are critical in identifying system vulnerabilities, and determining how a cyber-crime was executed. While the relevance of IoCs cannot be downplayed in the cyber security space, they are not all that’s needed in building an effective cyber-defense strategy.

Welcome to the third entry in our introduction to the PEAK Threat Hunting Framework! Taking our detective theme to the next level, imagine a tough case where you need to call in a specialized investigator (even Sherlock depended on Watson from time to time!). For these unique cases, we can use algorithmically-driven approaches called Model-Assisted Threat Hunting (M-ATH). In this post, we’ll look at M-ATH in detail.

Picture yourself as a cyber detective, ready to uncover the hidden threats lurking in the shadows of your organization's network. Sounds exciting, right? Well, hypothesis-driven hunting is all about channeling your inner Hercule Poirot to stay one step ahead of adversaries working against you. The PEAK threat hunting framework identifies three primary types of hunts: In this post, we’re going to look at hypothesis-driven hunting in detail.