Threat Intel Versus Threat Hunting, What’s the Difference?
I see a lot of confusion around threat hunting and threat intelligence. In fact, it’s not uncommon to hear people conflate the two. This is a challenge, because it can deceive people into thinking that they already have a threat hunting program in place, when in fact they do not. In this blog entry I’ll compare and contrast threat intelligence and threat hunting in order to help better define the two.
What Is Threat Intelligence?
Threat intelligence is the gathering of data on emerging or existing threat actors. Typically this information is delivered to organizations via a threat intelligence feed. Threat intel feeds can take on a number of forms. For example, they can be lists of IP addresses or domain names where suspect activity has been detected. They can also be reports that focus on the activities of certain threat actors and identify the tools and processes they use. The lists tend to be more popular, as they are easy to automate into existing processes. For example, a firewall or IDS can be tuned to react to any traffic going to or from an IP address on a threat intel list.
Threat Intelligence Challenges
Think of threat intelligence as being similar to legacy anti-virus software. Someone detects something malicious, they write a pattern to detect that malicious activity (example: look for traffic associated with this IP address), and share that list so others can detect it as well. There are a number of problems with this model. To start, patterns can be written to be overly broad. For example, many threat intel feeds do not distinguish between static and dynamic IP addresses or co-hosted systems. So there may be legitimate sites using the same IP address, or IP addresses may change hands frequently within the target environment. The resulting false positives can fool a site into thinking the process is effective at detecting and blocking threats when it is not.
Further, the worst attacks being carried out today are customized for the target environment. This means that the code used in the initial exploit, the command and control (C2) channel being used to maintain control, etc. will get changed for each organization being attacked. So knowing what happened at other sites does not directly translate into being able to protect your own environment.
When to Use Threat Intelligence
Even with the above limitations, threat intelligence can be useful. Detailed reports can help identify trends in the industry. For example, a few years ago TCP/80 (HTTP) was a popular C2 channel. This has moved on to TCP/443 (HTTPS) and UDP/53 (DNS). Being aware of these trends in the industry can help you improve your overall security posture. Think of threat intel as a single brick in your security defenses, not the entire wall.
What Is Threat Hunting?
Threat hunting is the process of actively looking for bad actors on the network. Many people approach threat hunting with the assumption that one or more systems are compromised, with the intent of gathering the evidence needed to identify the specific endpoints that have been impacted. Threat hunting prioritizes process over pattern matching. For example, it may focus on identifying C2 communications based on their behavioural traits, versus trying to match a specific static pattern. This allows C2 traffic to be detected even when it has not yet been seen in the wild.
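The contrast drawn above (the feed-lookup problems described under "Threat Intelligence Challenges" and the behaviour-based C2 detection described here) as an added example that is not code from the original post or from Active Countermeasures. The connection log, IP addresses and feed contents are constructed, and the beacon thresholds are assumptions chosen for illustration: one internal host calls the same destination roughly every 60 seconds, another browses a site that happens to appear on the feed.

```python
import statistics
from collections import defaultdict

# Constructed connection log: (epoch_seconds, src_ip, dst_ip). Not real traffic.
# 10.0.0.5 -> 203.0.113.10 about every 60s with +/-2s jitter (a beacon no feed has seen).
# 10.0.0.7 -> 198.51.100.20 at irregular, human-looking intervals (a legitimate site).
BEACON = [(1_700_000_000 + 60 * i + d, "10.0.0.5", "203.0.113.10")
          for i, d in enumerate([0, 1, -2, 2, 0, -1, 1, 2, -2, 0, 1, -1])]
BROWSING = [(1_700_000_000 + t, "10.0.0.7", "198.51.100.20")
            for t in (0, 7, 9, 130, 131, 400, 1200, 1203, 1209, 3000, 3011, 3900)]
CONNECTIONS = sorted(BEACON + BROWSING)

# Constructed threat intel feed: lists the shared web host, not the beacon destination.
THREAT_FEED = {"198.51.100.20"}


def match_threat_feed(conns, feed):
    """Pattern matching: distinct (src, dst) pairs whose destination is on the feed."""
    return sorted({(src, dst) for _, src, dst in conns if dst in feed})


def beacon_candidates(conns, min_conns=8, max_jitter=0.10):
    """Behavioural check: group connections per (src, dst) pair and examine the
    spacing between successive connections. Automated beacons make many
    connections with nearly constant spacing; people do not. A pair is reported
    when its interval spread (median absolute deviation / median) is at most
    max_jitter. Thresholds are assumed values, not tuned guidance."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue
        mad = statistics.median(abs(g - median_gap) for g in gaps)
        jitter = mad / median_gap
        if jitter <= max_jitter:
            hits[pair] = {"connections": len(times),
                          "median_gap": median_gap, "jitter": round(jitter, 3)}
    return hits


if __name__ == "__main__":
    print("feed matches:", match_threat_feed(CONNECTIONS, THREAT_FEED))
    print("beacon candidates:", beacon_candidates(CONNECTIONS))
```

On this log the feed lookup flags only the browsing host (a false positive from a co-hosted destination) and misses the beacon entirely, while the timing check flags the beacon pair and nothing else.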
Threat Hunting Challenges
As an emerging technology, one of the biggest challenges with threat hunting is identifying a common language and set of processes. As identified in the SANS 2019 Threat Hunting Survey, there is a lot of confusion around what “threat hunting” actually means, and how to execute it as a process. This directly translates into a lack of education in this vertical. This is one of the reasons Active Countermeasures offers free threat hunter training.
When to Use Threat Hunting
As identified in the 2019 Verizon Breach Report, it still takes us over six months (on average) to identify when one or more internal systems have been compromised. Further, a majority of the time we learn of the compromise through some outside third party, not our own internal processes. This leaves plenty of time for an attacker to do their worst and maximize damage to the target network. So threat hunting is needed to reduce the time between when our protections fail and a response to the incident can be initiated.
Threat intelligence and threat hunting are two distinct security disciplines that can be complementary. For example, threat intelligence can make up a small portion of the threat hunting process. However, subscribing to a threat intelligence feed does not automatically satisfy the need to threat hunt your network. A proper threat hunt can identify threats even when they have not yet been seen in the wild.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.