What is the difference between Threat Intelligence vs Threat Hunting?
Knowing the difference between the two is important because it can prevent organisations from thinking that they already have a threat hunting program in place when they do not.
What Is Threat Intelligence?
Threat intelligence provides information about current or emerging threats that could harm the security of an organisation.
Usually, this information is given to an organisation’s IT and cybersecurity teams via a threat intelligence feed or platform.
Threat intel feeds can take on several forms. For example, threat intelligence feeds can include IP addresses or domain names where security professionals have detected suspicious activity.
Threat intelligence can also take the form of reports that look at the activities of specific threat actors and thus be able to identify the tools and processes they are using for malicious activity.
The ease with which the lists can be automated in existing processes is a key factor. For example, an organisational firewall or IDS (Intrusion Detection System) can detect patterns that can react to traffic coming from an IP address on a threat intelligence list.
Why is Threat Intelligence Important?
We can summarise the importance of cyber threat intelligence within an organisation in the following four measures:
- Predictive measures: threat intelligence can help organisations look ahead and predict threats and thus allow organisations to be able to plan for and prevent attacks.
- Preventative measures: threat intelligence can better prepare organisations to stop incidents occurring in the first place, such as preventing malware attacks, for example.
- Detection measures: intelligence that identifies threats as they arise or threats that may already be present within current networks (for example, the Tactics, Techniques, and Procedures (TTP) being practised by cybercriminals as they undertake reconnaissance or active operations).
- Responsive measures: intelligence that can inform a response to existing security incidents to mitigate their extent or impact. An example would be an indicator of compromise (IoC) being discovered in an organisation’s environment. This intelligence will guide security teams to the adversaries likely next steps and how the team should respond in the event of a cyber-attack.
It is worth noting that to be successful in consuming & implementing threat intelligence information, organisations must assess their security posture and maturity/knowledge of their in-house teams.
This task will help your organisation improve its threat detection capabilities and deal with cyber threats more effectively.
What Is Threat Hunting?
A threat hunting service uses gathered and processed intelligence to carry out a thorough, system-wide search for specific threats.
In simple terms, threat hunting is the process of proving or disproving hypotheses of identified threats across an organisation’s environment. One example of threat hunting would be a threat hunter team – using indicators of compromise (IOCs) to begin investigating evidence of a threat actor’s activity within an organisation’s network.
Why is Threat Hunting Important?
A successful threat hunting program is only possible if the intelligence that hunters are using is rich in context.
Therefore, the intelligence gathered from a threat intel service must provide valuable clues for threat hunters to contextualise threats – as we mentioned earlier, one informs the other.
Threat hunting then brings a human element that works to complement automated systems.
The art of threat hunting is all about finding evidence with an organisation’s environment. A threat hunting team utilises detection technologies, security information and event management (SIEM) endpoint detection and response (EDR) and others, together with threat intelligence and their analytical skill.