Threat intelligence vs. threat hunting: Better together

Understanding and using threat intelligence and threat hunting together provides enterprises with a well-rounded security posture. Find out how to build your plan.

Threat intelligence and threat hunting are two components of the defensive cybersecurity space that help organizations proactively mitigate threats. Ultimately, these two methods serve as distinctly different yet complementary defensive strategies to protect digital infrastructure.

Let's dig into the differences between both approaches and explore how to use them together to build a stronger security posture against threats.

What is threat intelligence?

Threat intelligence relates to collecting, analyzing and using data from a range of sources to prevent and mitigate potential or current cyberthreats. The goal of threat intelligence is to provide actionable insights that can help security teams gain a better understanding of attackers' tactics, techniques and procedures (TTPs).

Key components of threat intelligence

Several key aspects of threat intelligence are used to collect data and insights into cybersecurity trends. The following components act as a roadmap to ensure the information collected is valuable and relevant to an organization and the emerging threats it faces:

  • Data collection. Researching and gathering raw data from various sources is the first step in threat intelligence. Sources range from open source intelligence, such as public web searches, online forums, social media and public online records, to more specialized sources, such as dark web marketplaces, threat feeds, recently published CVEs, security incident reports and internal system logs. When collecting data for threat intelligence, the goal is to gather relevant information that identifies attack patterns, attack methods and other threats.
  • Data analysis. After the raw data has been collected, it needs to be reviewed and analyzed. The goal of this step is to filter out media noise about emerging threats, remove unnecessary information, and provide insights regarding active threats and vulnerabilities discovered, including zero-day threats. AI has helped automate this process by sorting through large data sets to more quickly and effectively recognize questionable activity and behavior.
  • Contextualization. Threat intelligence data is only valuable if it is relevant to the specific organization. The goal of contextualization is to map potential threats to an organization's digital infrastructure and assets. This is done by determining which types of threats, and which specific threats, are likely to target particular systems, and what impact they would have.
  • Actionable insights. Once the data has been collected, analyzed and put into context, it should provide insights into proactive measures security teams can take. For example, these insights might enable teams to patch vulnerabilities, change and reconfigure firewall rules, adjust incident response procedures and plans and update employee security awareness training based on specific attack methods the organization faces.

What is threat hunting?

Threat hunting is the practice of actively searching for signs of compromise, suspicious behavior or vulnerabilities. It is a mix of manual and automated techniques that does not rely on traditional passive alerting and defense measures, such as firewalls, because it focuses on threats those controls have not detected.

Key threat hunting characteristics

Several key characteristics of threat hunting help security teams to gain more visibility into emerging threats and mitigate them successfully. The following steps focus on proactive measures that aim to dive deeper into the unseen threats to the organization:

  • Hypothesis-driven. Threat hunting begins with a hypothesis derived from intelligence, observed anomalies and other threat analytics. This enables threat hunters to conduct more targeted investigations. For example, hunters might investigate unusual or excessive network traffic that could indicate a cyberattack. This step also includes monitoring user behavior for possible signs of compromise.
  • Skilled analysis. As with threat intelligence, threat hunters must have a deep understanding of TTPs to recognize the specific types of attacks the organization faces. Threat hunters use a variety of tools and measures, but the work relies on skilled human analysis and the ability to spot unusual user behavior.
  • Data analysis tools. Many threat hunters use a mix of manual and automated tools and tactics to identify patterns and correlations of emerging threats. These include analyzing system, network and user logs, plus the use of SIEM tools to examine anomalies.
  • Focus on advanced threats. Threat hunting aims to detect advanced persistent threats, complex cyberattacks and unique malware that traditional security controls and measures could miss. By focusing on more advanced threats, security teams can dive deeper into the stealth tactics malicious attackers use to evade detection.
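The hypothesis-driven bullet above mentions investigating unusual or excessive network traffic. The following is an added example, not code from the article, of what such a hunt looks like in practice: a robust statistical baseline (median plus a multiple of the median absolute deviation) over per-host outbound byte totals, with the top destination of each flagged host returned so the hunter has something concrete to pivot on. The flow records, host names and addresses are constructed sample data, and the hypothesis "a host moving far more data out than its peers may be staging exfiltration" is assumed for illustration.

```python
"""Hypothesis-driven hunt: which hosts send far more data out than their peers?"""
from collections import defaultdict
from statistics import median

# Constructed flow records (source host, destination, bytes out). Sample data only;
# the 450 MB transfer from ws-04 is the planted anomaly for this example.
FLOWS = [
    ("ws-01", "203.0.113.10", 12_000),
    ("ws-01", "203.0.113.11", 9_500),
    ("ws-02", "203.0.113.10", 14_000),
    ("ws-02", "203.0.113.12", 11_000),
    ("ws-03", "203.0.113.10", 10_500),
    ("ws-03", "203.0.113.13", 13_000),
    ("ws-04", "203.0.113.10", 12_500),
    ("ws-04", "198.51.100.7", 450_000_000),  # hypothetical exfiltration-sized transfer
]


def bytes_out_per_host(flows):
    """Sum outbound bytes per source host."""
    totals = defaultdict(int)
    for host, _dest, nbytes in flows:
        totals[host] += nbytes
    return dict(totals)


def hunt_outliers(flows, k=3.0):
    """Return hosts whose outbound total exceeds median + k * MAD of the fleet.

    Median and MAD are used instead of mean and standard deviation so that a
    single huge transfer does not inflate the baseline it is compared against.
    """
    totals = bytes_out_per_host(flows)
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # guard against a zero scale
    threshold = med + k * mad
    return sorted(host for host, total in totals.items() if total > threshold)


def hunt_report(flows, k=3.0):
    """For each flagged host, report its total and the destination that received most bytes,
    which is the first thing a hunter would pivot on."""
    report = {}
    flagged = set(hunt_outliers(flows, k))
    for host in flagged:
        per_dest = defaultdict(int)
        for src, dest, nbytes in flows:
            if src == host:
                per_dest[dest] += nbytes
        top_dest = max(per_dest.items(), key=lambda item: item[1])[0]
        report[host] = {"bytes_out": sum(per_dest.values()), "top_dest": top_dest}
    return report


if __name__ == "__main__":
    for host, detail in hunt_report(FLOWS).items():
        print(f"{host}: {detail['bytes_out']} bytes out, top destination {detail['top_dest']}")
```

The threshold multiplier `k` is the tuning knob: a lower value surfaces more hosts for review, a higher one fewer, and the right setting depends on how uniform the fleet's traffic normally is.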

How to use threat intelligence and threat hunting together

Threat intelligence and hunting both use proactive measures and data gathering to combat emerging cyberthreats and trends. While they have different approaches to addressing security threats, integrating the two can ensure better protection against threats.

Following are ways organizations can use threat intelligence and hunting together to optimize their security posture.

Use threat intelligence to build data-driven insights and hunting hypotheses

The goal of intelligence is to research the threats, trends and vulnerabilities in order to better understand what adversaries the organization is up against. This in turn helps security teams better plan and prioritize their threat hunting hypotheses.

Turn threat intelligence into proactive threat hunting and action

Threat intelligence data helps security teams hunt for specific threats throughout systems and networks. For example, data gathered through intelligence can enable threat hunters to use measures such as data mining and cross-referencing to investigate anomalies.

Intelligence enhances real-time threat hunting updates

The combination of threat hunting and intelligence enables organizations to have a responsive and proactive security posture. As new threats emerge, this intelligence helps threat hunters maintain their focus on the most pressing cyberthreats. If real-time intelligence identifies a surge in phishing campaigns targeting an organization's industry, for example, threat hunters should look for possible signs of compromise with the goal of combating them before a successful attack can materialize.

Validate threat intelligence through threat hunting

Developing a reciprocal relationship between threat intelligence and hunting yields positive results, enabling threat hunters to generate intelligence by uncovering unknown threats. For example, after detecting a new threat, threat hunters should document the findings and report them back to the intelligence team. This enables teams to better defend and minimize the impact of emerging cyberthreats.

Foster cross-team collaboration and communication

For organizations to successfully execute threat hunting and intelligence, integration should rely heavily on collaboration. The threat intelligence and hunting teams must work closely to share discoveries, verify data and continuously update resources. When organizations establish a feedback culture where insights from threat hunting continuously inform threat intelligence, both processes can combat security threats more effectively.

Amanda Scheldt is a security content writer and former security research practitioner.