
Threats

In a Security Operations Centre (SOC), the terms threat intelligence, threat analysis, threat hunting, and threat detection represent distinct but interrelated activities, each playing a crucial role in safeguarding an organisation from cyber threats. Here’s how they differ:


Threat Intelligence

Threat intelligence is the process of gathering, analysing, and sharing information about potential or current threats that could impact an organisation. It includes data on threat actors, their tactics, techniques, and procedures (TTPs), and emerging vulnerabilities.

  • Role in SOC: SOC teams use threat intelligence to stay informed about the latest trends in cyber attacks and to pre-emptively strengthen defences. This intelligence comes from external sources (such as cybersecurity vendors, government bodies like CISA) and internal sources (like logs or previous attacks).

  • Example: Identifying a specific malware variant targeting a particular industry and sharing ways to defend against it.

Threat Analysis

Threat analysis is the process of examining identified threats to assess their potential impact, severity, and how they might affect the organisation. It involves reviewing data from alerts, logs, and threat intelligence to understand the nature and scope of a threat.

  • Role in SOC: SOC analysts perform threat analysis to prioritise incidents, evaluate their significance, and determine the best course of action. They interpret indicators of compromise (IoCs) and assess whether the organisation is at risk.

  • Example: Analysing an alert to determine whether it represents a real attack or a false positive.

Threat Hunting

Threat hunting is a proactive activity where SOC analysts search through systems and networks to identify threats that have evaded automated defences and detection systems. Threat hunters look for hidden or sophisticated attacks that standard tools might miss.

  • Role in SOC: Unlike detection, which is reactive, threat hunting is a proactive approach. SOC Tier 3 analysts often engage in hunting activities to uncover advanced persistent threats (APTs) or dormant malware within the network.

  • Example: Manually searching through logs and network traffic to detect abnormal patterns or behaviour that indicate a hidden threat.

Threat Detection

Threat detection is the process of identifying and recognising threats in real-time, often using automated tools such as SIEM, IDS, or EDR systems. It involves monitoring network traffic and system activity for suspicious behaviour.

  • Role in SOC: Threat detection forms the foundation of a SOC’s defensive capabilities. Automated tools generate alerts when abnormal activity is identified, allowing SOC teams to quickly investigate and respond to threats.

  • Example: Detecting a phishing attack when a suspicious email triggers an alert in a spam filter or SIEM system.

Summary of Differences

  • Threat Intelligence: Focuses on gathering and sharing information about potential or known threats.

  • Threat Analysis: Involves analysing and understanding the impact and nature of a specific identified threat.

  • Threat Hunting: Proactively searches for hidden threats that evade detection.

  • Threat Detection: Reactively identifies threats in real-time through automated systems.

Each of these activities plays a crucial role in the overall cyber defence strategy of a SOC.
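The distinction drawn above between intelligence-fed detection and proactive hunting, as an added Python example that is not part of the original page: a detection rule alerts only on telemetry that matches an IoC shared by threat intelligence, while two hunting hypotheses surface behaviour on the same logs that the rule never sees. The log lines, the IoC domain, the Office and shell process names, the internal address ranges and the 07:00-19:00 working day are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (key=value lines); not taken from any real environment.
LOGS = [
    "ts=2024-05-01T09:02:11 host=ws01 user=alice event=logon src=10.0.0.5",
    "ts=2024-05-01T09:15:42 host=ws01 user=alice event=proc parent=explorer.exe image=outlook.exe",
    "ts=2024-05-01T10:30:07 host=ws02 user=bob event=proc parent=winword.exe image=powershell.exe",
    "ts=2024-05-01T10:30:09 host=ws02 user=bob event=dns query=cdn-update.invalid",
    "ts=2024-05-01T02:17:55 host=srv01 user=svc_backup event=logon src=198.51.100.7",
    "ts=2024-05-01T02:18:03 host=srv01 user=svc_backup event=proc parent=services.exe image=backup.exe",
]

# Threat intelligence: an externally shared IoC list. Placeholder domain, not a real indicator.
INTEL_DOMAINS = {"cdn-update.invalid"}

# Assumptions for the hunt: RFC 1918 ranges count as internal; 07:00-19:00 is the working day.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def parse(line):
    """Split one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def detect(logs, ioc_domains):
    """Threat detection: reactive and rule-driven. An alert fires the moment
    telemetry matches an indicator supplied by threat intelligence."""
    alerts = []
    for rec in map(parse, logs):
        if rec["event"] == "dns" and rec["query"] in ioc_domains:
            alerts.append({"rule": "dns_ioc_match", "host": rec["host"],
                           "user": rec["user"], "query": rec["query"]})
    return alerts

def hunt(logs):
    """Threat hunting: proactive search for behaviour no IoC rule covers.
    Hypothesis 1: an Office application spawning a shell.
    Hypothesis 2: a logon from a non-internal address outside working hours."""
    findings = []
    for rec in map(parse, logs):
        hour = int(rec["ts"][11:13])
        if rec["event"] == "proc" and rec["parent"] in OFFICE_APPS and rec["image"] in SHELLS:
            findings.append({"hypothesis": "office_spawns_shell", "host": rec["host"],
                             "user": rec["user"], "chain": f"{rec['parent']} -> {rec['image']}"})
        if rec["event"] == "logon" and not (7 <= hour < 19):
            if not any(ip_address(rec["src"]) in net for net in INTERNAL_NETS):
                findings.append({"hypothesis": "odd_hours_external_logon", "host": rec["host"],
                                 "user": rec["user"], "src": rec["src"]})
    return findings
```

On this sample the rule raises one alert (the IoC lookup from ws02), while the hunt adds the Office-to-PowerShell chain on the same host and the out-of-hours external logon on srv01 that no rule was watching for.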
