When it comes to dealing with cyber security threats, there are many strategies that can be employed and approaches that can be taken. Two of the most widely recognised today are threat hunting and threat detection. It might seem that these practices go hand in hand; however, there are some important distinctions that set them apart.
In this blog, we’ll be discussing the key differences between cyber threat hunting and detection, so you have a clearer idea of how best to protect your business.
What is threat hunting?
Threat hunting is sometimes described as a form of cyber counterintelligence. It is a proactive, analyst-led practice: rather than waiting for an alert, the hunter assumes that an attacker may already have slipped past existing controls and goes looking for evidence of that activity. The goal is to identify, analyse and expose threats before they achieve their objective, such as data theft or ransomware deployment, and to build a deeper understanding of the cyber threat landscape along the way.
During a hunt, a security analyst examines telemetry such as endpoint, network and authentication logs, forms a hypothesis about how an attacker might be operating, and investigates any anomalies that could represent a hidden threat. This includes malware, patterns of suspicious activity, exposed or misconfigured systems, and other activity missed by automated detection technologies.
What is threat detection?
Threat detection is an approach designed to identify cyber security threats that are actively trying to breach, or have just breached, a company’s infrastructure. It relies on specialised systems that raise an alert, and in some cases take automated action, when suspicious activity is observed. Examples include:
- Endpoint detection and response (EDR)
- Intrusion detection systems (IDS)
- Antivirus software
- Intrusion prevention systems (IPS)
Each of these measures monitors a different part of a business’s environment and fires under different conditions. Their responses also differ: an IDS only raises an alert, whereas an IPS, antivirus and many EDR platforms can also take automated action such as blocking a connection, quarantining a file or isolating a host.
Once a detection system has reported the nature of the threat, a cyber security officer can respond appropriately. In this way, detection is the more reactive of the two approaches. It is not static, however: detection engineering takes what is learned from an incident or a hunt and turns it into new or improved detection rules, so that the next occurrence is caught automatically.
As cyber security consultants, we would recommend using both threat hunting and threat detection for maximum defence. As a small or medium-sized company, though, you may only have the resources for one approach. That’s why we’ve summarised their differences below.
As mentioned, threat hunting is proactive whereas threat detection is reactive. The former involves actively seeking out threat patterns in your own telemetry and sometimes in external sources, such as criminal forums and dark web marketplaces. For the latter, manual action is only taken once a system has flagged a potential breach or suspicious activity.
The tools used in threat detection are automated security systems that constantly scan for threatening activity. Their detections are based on signatures of well-known malware and established techniques used by cyber criminals, which makes them strongest against threats that have been seen before. More advanced detection tools add behavioural analytics and machine learning to flag activity that matches no known signature, at the cost of more false positives for someone to triage.
While threat hunters make use of the data gathered by threat detection systems, they often also use specialised tools such as KELA, a threat intelligence and dark web monitoring platform, to supplement manual anomaly and exposure analysis. Other tool examples include:
- Managed detection and response (MDR).
- Security information and event management software (SIEM).
- Packet analysers.
Both approaches draw on a variety of techniques to find, isolate and neutralise threats. For threat hunting, these include:
- Situation-based – focuses on the high-value systems and data an attacker is most likely to target.
- Hypothesis-based – the hunter forms a hypothesis from recent tactics, techniques and procedures used by attackers and tests it against the organisation’s data.
- IoC- and IoA-based – indicators of compromise (IoCs, such as known-bad hashes, domains and IP addresses) and indicators of attack (IoAs, the behaviours an attacker exhibits) are used to understand and locate attackers’ actions.
- Data processing-based – large data sets are aggregated and examined, for example by counting how often each value occurs, to reveal rare or suspicious patterns.
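To show what the hypothesis-, IoC- and data processing-based techniques above look like in practice, here is an added example written for this article. It is not tooling from CyberWhite or from any vendor named on this page. The process-creation events, hashes and host names are constructed, the hypothesis (“a phishing payload runs via an Office application spawning a command interpreter”) stands in for whatever recent attacker technique the hunter chooses to test, and the known-bad hash list stands in for a real intelligence feed.

```python
"""Hypothesis-, IoC- and data-processing-based hunting over process-creation events."""
from collections import Counter, defaultdict

# Constructed sample telemetry (made up for this example): one record per
# process start, normalised to the fields an EDR or Sysmon export would carry.
EVENTS = [
    {"host": "ws01", "user": "alice",  "parent": "explorer.exe", "image": "winword.exe", "sha256": "b2"},
    {"host": "ws02", "user": "bob",    "parent": "explorer.exe", "image": "winword.exe", "sha256": "b2"},
    {"host": "ws03", "user": "carol",  "parent": "explorer.exe", "image": "winword.exe", "sha256": "b2"},
    {"host": "ws01", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe", "sha256": "s1"},
    {"host": "ws02", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe", "sha256": "s1"},
    {"host": "ws03", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe", "sha256": "s1"},
    {"host": "ws04", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe", "sha256": "s1"},
    # Suspicious: Word launching PowerShell with an encoded command.
    {"host": "ws02", "user": "bob",    "parent": "winword.exe",  "image": "powershell.exe", "sha256": "c3",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws04", "user": "dave",   "parent": "explorer.exe", "image": "cmd.exe", "sha256": "d4"},
    # Suspicious: a DLL run from a world-writable folder; its hash is in the intel feed.
    {"host": "ws04", "user": "dave",   "parent": "cmd.exe",      "image": "rundll32.exe", "sha256": "e5",
     "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,Start"},
    # Rare but benign: one user opened the snipping tool. Rarity alone is not guilt.
    {"host": "ws03", "user": "carol",  "parent": "explorer.exe", "image": "snippingtool.exe", "sha256": "f6"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
KNOWN_BAD_SHA256 = {"e5"}  # constructed stand-in for an IoC feed


def hunt_hypothesis(events):
    """Hypothesis-based: 'a phishing payload runs via Office spawning an interpreter'."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_APPS and e["image"].lower() in INTERPRETERS]


def stack(events, *fields):
    """Data-processing-based 'stacking': count every combination of the given
    fields across the whole dataset so that rare combinations stand out."""
    return Counter(tuple(e[f].lower() for f in fields) for e in events)


def hunt_rare_pairs(events, max_hosts=1):
    """Parent/child pairs seen on at most `max_hosts` hosts. The output is a
    triage queue, not a verdict: the benign snipping tool lands here too."""
    hosts = defaultdict(set)
    for e in events:
        hosts[(e["parent"].lower(), e["image"].lower())].add(e["host"])
    return sorted(pair for pair, hs in hosts.items() if len(hs) <= max_hosts)


def hunt_iocs(events, bad_hashes):
    """IoC-based: match observed binaries against known-bad hashes."""
    return [e for e in events if e["sha256"] in bad_hashes]


def run_hunt(events=EVENTS, bad_hashes=KNOWN_BAD_SHA256):
    """Run all three passes and group the leads by host for the analyst."""
    leads = {}
    for e in hunt_hypothesis(events):
        leads.setdefault(e["host"], []).append("office-spawned interpreter")
    for e in hunt_iocs(events, bad_hashes):
        leads.setdefault(e["host"], []).append(f"known-bad hash {e['sha256']}")
    rare = set(hunt_rare_pairs(events))
    for e in events:
        if (e["parent"].lower(), e["image"].lower()) in rare:
            leads.setdefault(e["host"], []).append(f"rare pair {e['parent']} -> {e['image']}")
    return leads


if __name__ == "__main__":
    for host, reasons in sorted(run_hunt().items()):
        print(host, reasons)
```

Two things worth noticing: ws01, which only ran common parent/child pairs, never appears in the lead list, and ws03 does appear, purely because one user ran an unusual but harmless program. Stacking gives the hunter a short queue to review; it is the hypothesis and the indicator match that carry the weight of suspicion, and every lead still needs a human to confirm or dismiss it.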
Threat detectors typically use the following three methods to detect threats:
- Threat intelligence – detections informed by knowledge of previous cyber attacks, such as indicator feeds and documented attacker techniques.
- Behaviour analysis – systems build a baseline of normal user and system behaviour and look for deviations from it.
- Machine learning-based – models trained on historical data detect known attack patterns in real time and can generalise to variants that signature matching would miss, though they still need tuning to keep false positives manageable.
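The first two detection methods above, reduced to a runnable illustration. This is an added example for this article, not a CyberWhite tool or the logic of any SIEM or EDR product named on this page. The indicator feed, the baseline logons and the live events are constructed; the behavioural profile is a deliberately simple host-and-hour baseline rather than the machine learning approach listed third, which is not shown here.

```python
"""Automated detection: threat-intelligence and behaviour-analysis rules over an event stream."""
from collections import defaultdict
from datetime import datetime

# Constructed threat-intelligence feed. 203.0.113.0/24 is a documentation
# range, so this is a placeholder indicator, not a real one.
INTEL_BAD_IPS = {"203.0.113.77"}

# Constructed learning window: logons seen during a quiet period, used to
# profile each user's usual hosts and working hours.
BASELINE_LOGONS = [
    ("alice", "ws01", "2024-03-04T09:05:00"),
    ("alice", "ws01", "2024-03-05T08:55:00"),
    ("alice", "ws01", "2024-03-06T09:10:00"),
    ("bob",   "ws02", "2024-03-04T08:30:00"),
    ("bob",   "ws02", "2024-03-05T17:45:00"),
]

# Constructed live events the detectors run over.
LIVE_EVENTS = [
    {"type": "logon",   "user": "alice", "host": "ws01",      "ts": "2024-03-11T09:02:00"},
    {"type": "logon",   "user": "alice", "host": "srv-fin01", "ts": "2024-03-11T02:14:00"},
    {"type": "netconn", "user": "bob",   "host": "ws02",      "ts": "2024-03-11T10:00:00", "dst_ip": "203.0.113.77"},
    {"type": "netconn", "user": "bob",   "host": "ws02",      "ts": "2024-03-11T10:01:00", "dst_ip": "198.51.100.10"},
    {"type": "logon",   "user": "eve",   "host": "ws09",      "ts": "2024-03-11T03:00:00"},
]


def build_baseline(logons):
    """Per-user profile: the hosts they log on to and the hours they do it."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, ts in logons:
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile


def detect_intel(event, bad_ips=INTEL_BAD_IPS):
    """Threat-intelligence method: a straight match against known-bad destinations."""
    if event["type"] == "netconn" and event["dst_ip"] in bad_ips:
        return {"rule": "ti_known_bad_destination", "severity": "high", "event": event}
    return None


def _hour_distance(a, b):
    """Distance between two hours on a 24-hour clock, so 23:00 and 00:00 are 1 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect_behaviour(event, baseline, hour_slack=2):
    """Behaviour-analysis method: flag logons that deviate from the user's profile."""
    if event["type"] != "logon":
        return None
    prof = baseline.get(event["user"])
    if prof is None:
        return None  # no history for this user: nothing to compare against
    reasons = []
    if event["host"] not in prof["hosts"]:
        reasons.append("new host")
    hour = datetime.fromisoformat(event["ts"]).hour
    if all(_hour_distance(hour, h) > hour_slack for h in prof["hours"]):
        reasons.append("unusual hour")
    if reasons:
        return {"rule": "behaviour_logon_deviation", "severity": "medium",
                "reasons": reasons, "event": event}
    return None


def run_detections(events, baseline):
    """Evaluate every detector against every event, in arrival order."""
    alerts = []
    for e in events:
        for alert in (detect_intel(e), detect_behaviour(e, baseline)):
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detections(LIVE_EVENTS, build_baseline(BASELINE_LOGONS)):
        print(a["severity"], a["rule"], a["event"]["user"], a.get("reasons", ""))
```

The run produces two alerts: a medium one for alice logging on to a finance server at 02:14 (new host, unusual hour), and a high one for bob’s workstation contacting the listed address. Note what it does not produce: eve has no baseline, so her 03:00 logon on a host nobody has seen before passes silently. That is the gap behaviour analysis has on its own and one reason the page recommends pairing detection with hunting, where an analyst would ask why a new account appeared at that hour.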
Experienced cyber security consultants
At CyberWhite, we take a blended approach that combines cyber security expertise with leading technology solutions. This means your business can both hunt for threats and be prepared for them when they come knocking. Contact us today to get your consultancy started with a security check.