A SOC team is tasked with continuously monitoring its environment in order to detect, analyze, and respond to cybersecurity incidents, and ultimately to improve the security posture of the organization. However, to monitor their environment effectively, it isn't enough for SOC teams to deploy security systems and tools that alert them to an indiscriminate number of events. They need to know what threat actors are doing, what their activity may look like, and how to find traces of that activity across their infrastructure.
Usually, the traces left behind by threat actors and picked up by monitoring systems will be observables or indicators of compromise (IoCs) such as IP addresses, host and domain names, email addresses, filenames and file hashes, which on their own and out of context are not enough to conduct an in-depth investigation.
For a proper analysis that can lead to attribution, as well as to the construction of effective countermeasures against similar attacks, SOC analysts need to enrich and contextualize the traces found in their internal systems.
This is where an often-confusing concept comes in: threat intelligence. To better understand it, we will walk through the most popular elements related to the subject matter.