Class 33 - birlzhimself/401-Reading-Notes GitHub Wiki
How are Threat Hunting and Pentesting different?
Threat Hunting and Pentesting are two distinct activities within the field of cybersecurity, although they both aim to improve the security posture of an organization. Here are the differences between the two:
Objective: The primary objective of threat hunting is to proactively search for and identify potential threats and security incidents that may have evaded traditional security controls. Threat hunting involves actively exploring the network, systems, and logs to uncover signs of malicious activity, unknown threats, or indicators of compromise. On the other hand, the primary objective of penetration testing (pentesting) is to assess the security of a system, network, or application by simulating real-world attacks. Pentesting aims to identify vulnerabilities and weaknesses that could be exploited by attackers.
Timing: Threat hunting is an ongoing and continuous process. It involves regular and proactive analysis of data, logs, and network traffic to detect any abnormal or suspicious behavior. In contrast, pentesting is typically conducted at specific intervals or during specific phases of a system's development lifecycle, such as before deploying a new application or after making significant changes to the infrastructure.
Approach: Threat hunting relies on data analysis, threat intelligence, and behavioral analytics to identify potential threats and indicators of compromise. It involves a hypothesis-driven approach, where security analysts actively investigate and search for unknown threats or anomalous activities. Pentesting, on the other hand, follows a more systematic and structured approach. It involves a series of predefined steps, including reconnaissance, vulnerability scanning, exploitation, and post-exploitation, to assess the security controls and identify vulnerabilities.
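As an added illustration of the hypothesis-driven approach described above (example code, not from the original notes or the source video): a small hunt over constructed connection logs that checks destinations against a constructed indicator list and flags flows whose connection intervals are regular enough to look like beaconing. The log format, the indicator set and the thresholds are assumptions.

```python
"""Hypothesis-driven hunt over constructed outbound-connection logs (added example).
Hypothesis: a compromised host beacons to its command-and-control server at a
near-constant interval, behaviour a signature-based control would not flag."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines: "<timestamp-seconds> <src_host> <dst_ip>".
SAMPLE_LOG = """\
1000 ws01 203.0.113.10
1060 ws01 203.0.113.10
1120 ws01 203.0.113.10
1181 ws01 203.0.113.10
1240 ws01 203.0.113.10
1005 ws02 198.51.100.7
1400 ws02 198.51.100.7
1410 ws02 198.51.100.7
2900 ws02 198.51.100.7
3100 ws02 198.51.100.7
1010 ws03 192.0.2.44
"""

# Constructed threat-intelligence indicators (placeholder, not a real feed).
KNOWN_BAD_IPS = {"192.0.2.44"}

def parse_log(text):
    """Group connection timestamps by (src_host, dst_ip) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows

def hunt(text, min_connections=4, max_cv=0.2):
    """Return (src, dst, reason) findings: destinations matching an indicator,
    and flows whose inter-connection gaps are regular enough (coefficient of
    variation <= max_cv) to look like beaconing rather than human browsing."""
    findings = []
    for (src, dst), stamps in parse_log(text).items():
        if dst in KNOWN_BAD_IPS:
            findings.append((src, dst, "ioc-match"))
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((src, dst, "beacon-like"))
    return findings
```

Running `hunt(SAMPLE_LOG)` flags ws01 as beacon-like (near-constant 60-second gaps) and ws03 for the indicator match, while ws02's irregular traffic is left alone.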
What is the primary objective of Threat Hunting?
Complementing existing security measures: Highlight that threat hunting is not meant to replace your organization's functioning Security Operations Center (SOC), but rather to complement it. While the SOC focuses on real-time incident response, threat hunting proactively seeks out threats that may have bypassed existing security controls.
Enhanced threat detection capabilities: Explain that threat hunting can improve your organization's overall threat detection capabilities by identifying advanced or persistent threats that automated security tools may not detect. By taking a proactive stance, you can stay one step ahead of potential adversaries.
Mitigating the impact of undetected breaches: Emphasize that threat hunting aims to detect threats that may have gone undetected, minimizing the impact of potential breaches and reducing the time between compromise and containment. This can potentially save your organization from significant financial and reputational damage.
Leveraging threat intelligence: Highlight the value of integrating threat intelligence into the threat hunting process. By leveraging external and internal threat intelligence sources, your organization can gain insights into emerging threats, TTPs (Tactics, Techniques, and Procedures), and indicators of compromise, which can inform your hunting activities.
Collaboration and knowledge sharing: Promote the idea of cross-team collaboration between the SOC, incident response, and threat hunting teams. Encourage the sharing of information, insights, and lessons learned to foster a more comprehensive and effective security posture.
Your organization has a fully functioning SOC but not active Threat Hunting. How would you advocate for your security organization to start Threat Hunting activities?
Presenting these points and demonstrating the potential benefits of threat hunting builds a strong case for any security organization to incorporate threat hunting into its existing security practices.
Source
What Is Threat Hunting and Why Is It so Important? – Video Blog