If you work in cyber security it’s likely you’ve come across the terms threat intelligence and threat hunting before, but what is the actual difference?
These are common terms that are often used interchangeably in the world of cyber, but they are not the same, and it is important to understand what each means and the nuances of both. This understanding will help you navigate the cyber security landscape and take advantage of these domains to elevate your own skills or your company's security posture. We will compare and contrast threat intelligence and threat hunting to get a clearer idea of what each covers and how you can build an effective pipeline between them.
Let’s start our journey by looking at the key features of threat intelligence.
Cyber Threat Intelligence
Threat Intelligence is the insights gained from analysing data related to potential and current cyber threats.
It’s the information about current tactics, techniques, and procedures (TTPs) used by threat actors. It is the Indicators of Compromise (IOCs) seen in recent ransomware campaigns. It is the latest vulnerability that has been disclosed. Threat intelligence is a combination of the latest data and trends related to cyber threats. It is this information that informs defenders about how to best protect themselves by directing them on threats to focus on.
It plays a critical role in helping government agencies, law enforcement, and private sector companies stay ahead of the evolving threat landscape. It is all about identifying threats.
Threat Intelligence Involves Collecting and Analysing Data
Open-source intelligence (OSINT), social media, dark web forums, and information sharing platforms all contain threat intelligence that can be digested by cyber threat intelligence analysts. The job of the analysts is to determine if this data is relevant to their organisation or not. If it is, they need to decide how to distribute this data as information to the right people.
Turning data into information involves adding context to the data so it’s easier for the recipient to make a decision.
Distribution Depends on the Threat Intelligence Digested
There are three main types of threat intelligence:
- Strategic: This provides a high-level overview of the threat landscape and is used to inform broader security strategies (e.g. developing policies and procedures, allocating resources, and prioritising investments in security technologies). It includes the motivations, capabilities, and tactics of threat actors.
- Operational: This is focused on immediate and current risks that security teams need to prioritise their detection and response efforts on. It includes indicators of compromise (IOCs), malware signatures, and attack patterns.
- Tactical: This is information on the technical details of specific threats as they relate to vulnerabilities and exploits. Defenders use this to identify and mitigate specific threats by writing custom rules and policies for their security tools and systems.
The type of intelligence gathered will affect how it is distributed within an organisation. Strategic intelligence should be presented to key stakeholders in a form that speaks to them (graphs and numbers). Be aware that vendors do not apply the operational and tactical labels consistently (some reserve tactical for IOCs and operational for TTPs and campaign context), so check which definition your intelligence source is using before routing it.
Both operational and tactical intelligence need to reach the analysts doing the day-to-day grunt work and need to be relevant to them (IOCs, TTPs, CVEs). This information may go to your organisation's Security Operations Centre (SOC) or dedicated threat hunting team. It may also go to your vulnerability management team (CVEs), who will then patch the relevant vulnerabilities to mitigate these threats.
The ultimate goal of threat intelligence is to identify and direct
The intelligence distributed helps key stakeholders and analysts identify what to focus on. Key stakeholders will focus on high-level trends by looking at strategic intelligence. Analysts working closer to the ground, on the other hand, will focus on operational and tactical intelligence and use it to direct their threat hunting efforts and combat current threats.
Cyber Threat Hunting
Threat hunting is the process of proactively searching for and identifying potential cyber threats or IOCs within an organisation’s network or systems.
It seeks out potential threats, rather than waiting for an alert like traditional, reactive cyber security measures. It aims to detect intrusions early in order to minimise damage and reduce the risk of a successful attack. Hunting takes the output of threat intelligence and uses it to find threats within an organisation that have evaded traditional security controls.
It is a vital function of any comprehensive cyber security programme to detect and respond to advanced and persistent threats.
Threat Hunting Is All About Searching Through Data
Organisations maintain vast quantities of data about their systems (stored as logs), which are typically managed by a Security Information and Event Management (SIEM) platform. Intelligence is ingested by a threat hunter and translated into queries that search through this data for IOCs or patterns of malicious behaviour. A variety of other data sources can also be searched, including cloud logs and Endpoint Detection and Response (EDR) platforms.
Hunters Will Focus On Actionable Intelligence
A threat hunter creates queries to hunt for malicious activity by taking the operational and tactical intelligence provided to them and making it actionable. Some of this intelligence can be made actionable and then the hunting process automated.
For instance, IOCs or vulnerable software can be added to a list that is automatically searched for within the log data. However, other insights, such as adversary behaviour (TTPs), need to be translated into queries and the results of running these queries need to be analysed by a human.
You can see how to do this in Lock & Load II: Arming Yourself with Threat Intelligence.
The ultimate goal of threat hunting is to catch bad guys
The queries created by a threat hunter are designed to catch bad guys lurking in the organisation’s network or systems. This is what makes threat hunting proactive. A threat hunter will assume an adversary managed to bypass traditional security mechanisms (firewall, anti-virus, etc.) and gained initial access. Now the hunter must find them in the log data using the intelligence collected and translated into queries.
At a high level threat intelligence and threat hunting can be seen as a pipeline:
- Ingest threat intelligence into the team — threat intelligence
- Analyse threat intelligence to see what is relevant — threat intelligence
- Distribute threat intelligence to relevant people — threat intelligence
- The operational team uses operational and tactical threat intelligence to create hunting queries — threat hunting
- Threat hunters use hunting queries to find bad guys within organisational environment — threat hunting
Some of this pipeline can be automated. For instance, you can automate the collection of IOCs by connecting to a TIP (Threat Intelligence Platform) that is tailored to your environment and then create an automation to search for these using your SIEM or EDR platform.
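The two hunting modes described above (automated IOC matching versus a TTP-driven query whose hits a human must review) and the SIEM/EDR automation step of the pipeline can be seen together in the following added example. It is not code from the original article: the IOC feed format, the log record layout, the hostnames and every indicator value are constructed for illustration, and the TTP chosen (an Office application spawning PowerShell with an encoded command) is one common behavioural hunt, not the only one.

```python
"""Added example: automated IOC matching plus a behavioural (TTP) hunt.

Both the IOC feed and the log records below are constructed sample data in a
hypothetical flattened JSON shape; a real TIP export or SIEM query would
supply them instead.
"""
import json
import re

# Constructed IOC feed, as a TIP might export it (hypothetical schema).
# 192.0.2.10 is included to show that not every indicator will match.
IOC_FEED = json.loads("""
[
  {"type": "ipv4",   "value": "203.0.113.45",            "source": "ransomware-report-A"},
  {"type": "ipv4",   "value": "192.0.2.10",              "source": "ransomware-report-A"},
  {"type": "domain", "value": "update-cdn-check.example", "source": "phishing-campaign-B"},
  {"type": "sha256", "value": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
   "source": "malware-bulletin-C"}
]
""")

# Constructed endpoint, DNS and proxy records, flattened into one list.
LOGS = [
    {"id": 1, "host": "ws-017", "event": "network", "dst_ip": "203.0.113.45", "process": "chrome.exe"},
    {"id": 2, "host": "ws-017", "event": "dns", "domain": "UPDATE-CDN-CHECK.example."},
    {"id": 3, "host": "ws-042", "event": "process", "parent": "WINWORD.EXE", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 4, "host": "ws-042", "event": "file",
     "sha256": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"},
    {"id": 5, "host": "srv-db1", "event": "process", "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"id": 6, "host": "ws-009", "event": "network", "dst_ip": "198.51.100.7", "process": "svchost.exe"},
]

# Which log field carries which kind of indicator.
FIELD_TO_IOC_TYPE = {"dst_ip": "ipv4", "domain": "domain", "sha256": "sha256"}


def normalise(value):
    """Lower-case and strip a trailing dot so FQDN/hash case differences do not hide a hit."""
    return value.strip().lower().rstrip(".")


def build_ioc_index(feed):
    """Index the feed as {ioc_type: {normalised_value: source}} for O(1) lookups."""
    index = {}
    for ioc in feed:
        index.setdefault(ioc["type"], {})[normalise(ioc["value"])] = ioc["source"]
    return index


def match_iocs(logs, index):
    """Automated part of the hunt: flag any record whose fields hit an indexed IOC."""
    matches = []
    for rec in logs:
        for field, ioc_type in FIELD_TO_IOC_TYPE.items():
            value = rec.get(field)
            if value is None:
                continue
            source = index.get(ioc_type, {}).get(normalise(value))
            if source is not None:
                matches.append({"id": rec["id"], "host": rec["host"],
                                "type": ioc_type, "value": normalise(value), "source": source})
    return matches


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...);
# the pattern deliberately does not match -ExecutionPolicy (-ex, -ep).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{20,}")


def hunt_office_spawned_encoded_powershell(logs):
    """TTP-driven part of the hunt: Office parent -> PowerShell with an encoded command.

    Returns record ids for an analyst to triage; unlike an IOC hit this is not
    proof of compromise, only behaviour that warrants a human look.
    """
    hits = []
    for rec in logs:
        if rec.get("event") != "process":
            continue
        if rec.get("parent", "").lower() not in OFFICE_PARENTS:
            continue
        if rec.get("process", "").lower() != "powershell.exe":
            continue
        if ENCODED_FLAG.search(rec.get("cmdline", "")):
            hits.append(rec["id"])
    return hits


def run_hunt(logs, feed):
    """Run both passes and separate automatable IOC hits from review-needed TTP hits."""
    return {"ioc_matches": match_iocs(logs, build_ioc_index(feed)),
            "ttp_review_queue": hunt_office_spawned_encoded_powershell(logs)}


if __name__ == "__main__":
    print(json.dumps(run_hunt(LOGS, IOC_FEED), indent=2))
```

The split mirrors the article's point: `match_iocs` can run unattended on every new feed update, while the output of `hunt_office_spawned_encoded_powershell` is a review queue, because legitimate macros and admin tooling can produce the same parent/child shape.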
That said, most of the time you need analysts to pick apart the threat intelligence, analyse it, and distribute it appropriately. This means the right people get the right data so they can make efficient decisions that holistically improve the security of the organisation. Key stakeholders can make strategic decisions and operational teams can address current threats.
Building out a comprehensive cyber security programme requires both a threat intelligence and a threat hunting function. You can have one team do both or, ideally, split these functions between two teams. Whichever way you choose to go, it's important to remember that one feeds the other, and to get the most out of intelligence and hunting you need an effective pipeline.