The primary goal of the threat-hunting team at a large company is to identify cyberthreats that the SOC has not detected. Which of the following types of data would the threat-hunting team primarily use to identify systems that are exploitable?
I'm a bit uncertain about my answer; however, I'm leaning towards Threat Feed (C). According to CompTIA, "threat hunting is an assessment technique that utilizes insights gained from threat intelligence to proactively discover whether there is evidence of TTPs already present within the network or system. This contrasts with a reactive process that is only triggered when alert conditions are reported through an incident management system (Section 3C)."
The question uses the word "primarily," which I am using to make my inference. I find it more reasonable that threat hunters will use threat feeds to identify exploitable systems, rather than sifting through packet capture files. Obviously, both threat feeds and packet capture can be integrated into a SIEM, which is where my uncertainty comes into play. Also, are threat feeds considered to be threat intelligence rather than threat hunting? The semantics cause me to overthink it almost every time; however, considering the above excerpt from CompTIA, threat feeds just strike me as more proactive than reactive compared to packet capture.
CompTIA says "Where vulnerability scanning uses lists of patches and standard definitions of baseline configurations, threat hunting is an assessment technique that utilizes insights gained from threat intelligence to proactively discover whether there is evidence of TTPs already present within the network or system".
This eliminates option A. Vulnerability scan.
Darril Gibson mentions that the tools used for threat hunting include OSINT, threat feeds, and intelligence fusion (which combines all this data to create a picture of likely threats and risks for an organization. This helps the cybersecurity analysts understand how threat actors may maneuver through the network, how to detect them, and how to mitigate their efforts once they're discovered).
Gonna go with Packet Capture here. Vulnerability scanning looks for known vulnerabilities, which the SOC team should already do. Threat hunters are gonna work slower and more precisely, a.k.a. packet capture.
Within the Darril Gibson Sec+ SY0-601 Study Guide it identifies and lists Threat Feeds within its Threat Hunting section.
Threat Hunting is the process of actively looking for threats within a network before an automated tool detects and reports on the threat. An important part of Threat Hunting is gathering data on the threat through threat intelligence. This knowledge comes from both internal and external sources.
Threat Feeds provide subscribers with up-to-date information on current threats. Threat Feeds use both structured data reports and unstructured reports.
B. Packet capture
Explanation:
Packet capture means looking at the data going back and forth on the network.
By checking this data, the team can find any strange or suspicious activity that might be a cyberthreat.
It helps them find systems that could be attacked or already compromised.
While other methods like scanning for vulnerabilities (Option A), checking threat updates (Option C), and watching user behavior (Option D) are useful, looking at the network data directly is the best way to spot potential problems.
Given the context that the threat-hunting team is looking for cyberthreats that the SOC has not detected, focusing on anomalous user behavior could indeed be a more direct approach to identifying potentially exploitable systems that may have evaded detection.
D. User behavior
A - Threat hunting is looking for potential threats using monitoring tools. Vulnerability Scanning - Automated probing of systems, networks, and applications to discover potential vulnerabilities.
The fastest way to look for a threat is to scan. Packet capturing is good, but how long will it take to find a potential threat by device? That's my take.
At first I was thinking vulnerability scan, but it's probably packet capture. All of these can be right, but I think network traffic can give you the most valuable information to attack a network: seeing where all the data is going, what is secure and what is not, etc. If nmap were an option I might go with that, but given these are a bit more general I will say B.
The threat-hunting team primarily uses packet capture data to identify systems that are exploitable by analyzing network traffic for suspicious or malicious activities.
C. Threat feed. "Threat hunting is an active process of locating cyberattacks and mitigating them as they are discovered… Numerous sources provide information about cutting-edge attacks and security threats: intelligence fusion, threat feeds, and advisories and bulletins."
(Mike Meyers' CompTIA Security+ 601 Cert Guide)
Think STIX and TAXII.
B. Packet capture
Packet capture data provides a detailed record of network traffic, including the content of packets being transmitted between systems. By analyzing packet capture data, the threat-hunting team can identify suspicious or malicious activity that may indicate systems that are exploitable. This could include unusual network connections, patterns of communication indicative of malware or unauthorized access, or attempts to exploit vulnerabilities in network services or protocols.
While the SOC is focused on managing and responding to immediate threats that are known and detectable, a threat-hunting team proactively searches for more subtle, hidden, or unknown threats that may not be detected by the existing security measures.
Yeah, so threat hunters are not using common tools like a vulnerability scan. They use things like IoCs which they get from their own research and threat feeds.
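Several posts above argue over threat feeds (C, with STIX/TAXII mentioned) versus packet capture (B). In practice a hunt often uses both: indicators from the feed are matched against what the capture shows hosts actually doing. The following is an added example written for this thread, not code from CompTIA, the cited study guides, or any poster. It assumes the feed arrives as a STIX 2.1 bundle (as a TAXII server would deliver it), that the packet capture has already been summarised into connection and DNS records, and that only simple equality comparisons in STIX patterns need to be understood; the CSV layouts, bundle contents, hostnames and addresses are all constructed for the example.

```python
"""Match threat-feed indicators (STIX 2.1) against network records.

Added example for this thread, not from CompTIA or any cited study guide.
Assumptions (mine, not the page's): the feed is a STIX 2.1 bundle as a TAXII
server would deliver it, and the packet capture has already been summarised
into simple connection and DNS records (the CSV layouts below are invented
for the example). Only the simple equality comparisons in STIX patterns are
understood; richer pattern syntax is ignored.
"""
import csv
import io
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle. Addresses and domains come from the
# RFC 5737 / RFC 2606 documentation ranges; they are not real threat data.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "name": "C2 server",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "name": "Malware download domain",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.net']"},
        {"type": "indicator",
         "id": "indicator--44444444-4444-4444-8444-444444444444",
         "name": "Exploit kit hosts",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR "
                    "ipv4-addr:value = '198.51.100.8']"},
        {"type": "malware",   # not an indicator: must be skipped
         "id": "malware--55555555-5555-4555-8555-555555555555",
         "name": "SampleRAT", "is_family": False},
    ],
})

# Constructed connection summaries, e.g. what Zeek would write from a pcap.
CONN_LOG = """ts,src_ip,dst_ip,dst_port,proto
1700000000,10.0.0.12,203.0.113.45,443,tcp
1700000010,10.0.0.12,192.0.2.80,443,tcp
1700000020,10.0.0.25,198.51.100.8,8080,tcp
1700000030,10.0.0.40,10.0.0.5,445,tcp
"""

# Constructed DNS query summaries from the same capture.
DNS_LOG = """ts,src_ip,query
1700000005,10.0.0.12,update.example.net
1700000015,10.0.0.31,www.example.com
1700000025,10.0.0.25,update.example.net
"""

# One equality comparison inside a STIX pattern; findall picks up every
# comparison, so OR-combined patterns yield several values.
_COMPARISON = re.compile(r"(ipv4-addr|domain-name):value\s*=\s*'([^']+)'")


def parse_indicators(bundle_json):
    """Return {"ipv4-addr": {...}, "domain-name": {...}} from a STIX bundle."""
    iocs = defaultdict(set)
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # e.g. snort/yara patterns need their own engines
        for obj_type, value in _COMPARISON.findall(obj.get("pattern", "")):
            iocs[obj_type].add(value.lower())
    return iocs


def hunt(bundle_json, conn_csv, dns_csv):
    """Map each internal source host to the sorted indicators it touched."""
    iocs = parse_indicators(bundle_json)
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(conn_csv)):
        if row["dst_ip"] in iocs["ipv4-addr"]:
            hits[row["src_ip"]].add("ipv4-addr:" + row["dst_ip"])
    for row in csv.DictReader(io.StringIO(dns_csv)):
        query = row["query"].lower().rstrip(".")
        if query in iocs["domain-name"]:
            hits[row["src_ip"]].add("domain-name:" + query)
    return {host: sorted(matches) for host, matches in hits.items()}


if __name__ == "__main__":
    for host, matches in sorted(hunt(STIX_BUNDLE, CONN_LOG, DNS_LOG).items()):
        print(host, "->", ", ".join(matches))
```

Running it lists 10.0.0.12 and 10.0.0.25, the two hosts whose traffic touched feed indicators; 10.0.0.40 talking to an internal host on 445 and 10.0.0.31 resolving www.example.com produce no hits. A hit is a lead for triage (the host contacted something the feed calls hostile), not proof of compromise or of exploitability, which is why the answer debate above is not fully settled by either data source on its own.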
A. Vulnerability scan to identify systems that are exploitable