Usually, security operation centers are equipped with tools and people to do threat hunting.
Sometimes individual professionals are hired to do the job. However, if you do not have the infrastructure to collect logs in real time, the process becomes more complex and time-consuming, and there is a real possibility that the evidence of the suspected or actual threat has already been overwritten on the system.
Before we dive deeper into the topic, we need to understand what skill sets are required.
- People who have natural curiosity.
- Understanding of how systems are interconnected, i.e., networking knowledge.
- Patience to spend hours.
- Ability to learn quickly, with a generalist's breadth.
- Data search and manipulation tools knowledge like SQL, PowerShell, and UNIX shell scripting.
- Ability to visualize the threat scenarios.
- Objectivity in preparing the threat hypothesis you are trying to test.
- Ability to simulate the threat scenario you are looking for in a test lab.
“Horses for courses”: not everyone has knowledge across all areas of IT, so you need to involve the right people when you decide to do a deeper analysis of the threat you are trying to find. Teamwork is an essential factor.
For example, if you are investigating a lateral movement issue with a critical database server, you need to involve the database administrator.
Understand and follow an established framework like MITRE as a base reference to visualize the threats happening in real time.