
Building Robust Security Operation Centre (SOC) Capabilities for Effective Cyber Defence

Student thesis: Doctoral Thesis, Doctor of Philosophy (PhD)

Abstract

Cyber threats are continuously evolving in both complexity and scale, with attackers constantly adapting their tactics and techniques to evade detection. To address these challenges, many organisations rely on their Security Operation Centres (SOCs) to detect, respond to, and mitigate threats daily. While SOCs have proven effective in strengthening the security posture of organisations, existing research reveals that SOCs face significant, ongoing challenges that affect their capabilities. For instance, SOCs often lack established best practices for threat detection, and their defence controls and technology may fall short in mitigating sophisticated attacks. Furthermore, SOCs struggle to adapt to emerging digital technologies and global crises.

As the threat landscape evolves and new challenges impact SOC capabilities, it is essential for the practices and technologies underpinning SOC operations to adapt in order to remain effective. There is a growing need for proactive strategies, innovative methodologies, and solutions that integrate existing technologies with advanced, emerging ones to counter increasingly sophisticated and varied cyber threats. Despite this need, existing research on SOC practices remains limited, particularly regarding how analysts conduct threat hunting, the effectiveness of the cyber defence controls they use, and the future trajectory of SOCs as technologies advance and work environments transform.

This thesis seeks to address these research gaps by focusing on enhancing SOC capabilities across four key domains: people, processes, technology, and services. First, it addresses the people, processes, and services aspects, with a particular emphasis on threat hunting practices. It examines current threat hunting practices and challenges within SOCs. By identifying and examining three prominent threat hunting approaches, this work demonstrates that integrating these methods improves the detection of subtle indicators of compromise that may go undetected when relying on a single technique. Second, it focuses on the technological aspect, evaluating the effectiveness of cyber defence technical controls in protecting against diverse cyber threats. This thesis uncovers significant shortcomings in current defence controls in effectively countering sophisticated adversaries, especially ransomware attacks that employ advanced tactics to bypass traditional detection mechanisms. This study introduces novel enhancements to SOC capabilities by suggesting additional control measures to enhance SOC resilience. Finally, it anticipates the evolution of SOCs into virtualised environments, such as the Metaverse, exploring how virtual SOCs can be implemented in such an immersive environment, and assessing the potential threats and the mitigation strategies needed to keep these virtual SOCs safe and secure. This thesis introduces a novel conceptual metaverse SOC architecture, providing an in-depth exploration of the potential cyber threats posed by virtual environments, and outlining mitigation strategies tailored to these emerging threats.

Overall, this thesis significantly contributes to enhancing SOC capabilities by offering insights into effective threat-hunting practices, evaluating cyber defence controls, and proposing an architecture and threat model for future virtual SOC environments. These findings provide the security community with actionable strategies to strengthen SOCs against increasingly complex and evolving cyber threats.

Date of Award: 30 Sept 2025
Original language: English
Awarding Institution:
  • University of Bristol
Supervisor: Marvin Ramokapane (Supervisor) & Eleonora Pantano (Supervisor)
