Detection Engineering vs Threat Hunting

Sharing is caring
This entry is part 4 of 23 in the series Threat Detection Engineering

Views: 23

Threat detection is the process of identifying threats in an organization that is actively trying to attack the endpoints, networks, devices and systems.

Unlike threat hunting, a threat detection is a reactive approach: threat mitigation mechanisms activate only when the organization’s security system receives alerts on potential security breaches. It uses automated network and system monitoring tools which can detect malicious activity and behavioral patterns related to malware.

Detection Engineering is the practice of augmenting existing threat detection mechanisms, such as Endpoint Detection and Response (EDR), Network Detection and Response (NDR), and Security Information and Event Management (SIEM). The primary purpose here is to combat known threats, which are thoroughly understood through analysis, sandboxing, and reverse engineering.

One form of cyber counterintelligence (CII), threat hunting refers to finding threats before they attack your networks, systems and devices. Some advanced threats, like file-less malware, can successfully penetrate security layers undetected.

Threat hunting is a proactive approach to threat prevention where threat hunters look for anomalies that can potentially be cyber threats lurking undetected in your systems. Combined with threat intelligence, hunting enables organizations to:

  • Better understand the attack surface.
  • Expose cyber criminals as early as possible — before they compromise the systems. 

Threat hunting content is inherently different from threat detection, employing existing security infrastructure, including SIEM, EDR, NDR, and Extended Detection and Response (XDR) toolsets. The key distinction here lies in the utilization of these toolsets; threat hunters use them to conduct time-bound hunts for unknown threats that have evaded detection.

Detection EngineeringThreat Hunting
 Focuses on known threatsTargets unknown threats
Centers on detecting specific artifacts or meta-characteristics Focuses on suspicious behaviors
 Detection content is designed for automationThreat Hunting content requires careful interpretation by skilled threat hunters
It’s more reactive, as you’ve likely already been alerted to anomalies It is a proactive approach to preventing threats

  • Proactively search for advanced threats that evade traditional security solutions
  • Use a variety of techniques, including behavioral analysis, Machine Learning, and data analysis, to identify patterns and anomalies that may indicate a potential threat
  • Collaborate with other cybersecurity professionals to investigate and respond to potential threats
  • Develop and maintain threat hunting playbooks and procedures
  • Stay up-to-date with the latest Threat intelligence and cybersecurity trends
  • Strong analytical and problem-solving skills
  • Knowledge of cybersecurity threats, techniques, and tools
  • Experience with threat hunting techniques and tools
  • Ability to work independently and in a team environment
  • Strong communication and collaboration skills
  • Experience with data analysis and visualization tools
  • Knowledge of programming languages such as Python and R
  • Endpoint detection and response (EDR) tools such as Carbon Black and CrowdStrike
  • Network traffic analysis tools such as Wireshark and Zeek
  • Security information and event management (SIEM) tools such as Splunk, QRadar and ELK Stack
  • Threat intelligence platforms such as ThreatConnect and Anomali
  • Data analysis and visualization tools such as Tableau and Kibana
  • Design, implement, and maintain detection systems that can identify and alert security teams to potential threats
  • Work closely with Threat Hunters to ensure that the detection systems are effective in identifying and stopping threats
  • Use a variety of tools and techniques, including Log analysis, network traffic analysis, and behavioral analysis, to create rules and alerts that can detect potential threats
  • Test and refine detection systems to improve their accuracy and effectiveness
  • Stay up-to-date with the latest Threat intelligence and cybersecurity trends
  • Strong analytical and problem-solving skills
  • Knowledge of cybersecurity threats, techniques, and tools
  • Experience with detection systems and tools
  • Ability to work independently and in a team environment
  • Strong communication and collaboration skills
  • Experience with log analysis, network traffic analysis, and behavioral analysis tools
  • Knowledge of programming languages such as Python and SQL
  • Log analysis tools such as LogRhythm and Graylog
  • Network traffic analysis tools such as Bro and Suricata
  • Behavioral analysis tools such as Darktrace and Vectra AI
  • SIEM tools such as Splunk, ELK Stack and QRadar
  • Threat intelligence platforms such as ThreatConnect and Recorded Future

Both approaches contain a variety of techniques which can be employed to isolate and neutralise threats. For threat hunting, this includes: 

  • Situation-based – threats are most likely to target high-value areas. 
  • Hypothesis-based – strategy based on recent tactics and techniques used by attackers.  
  • In consideration of IoCs and IoAs – indicators of attacks and indicators of compromise are used to gain an understanding of attackers’ actions. 
  • Data processing-based – large data sets are examined to reveal suspicious patterns.

Threat detectors typically use the following three methods to detect threats: 

  • Threat intelligence – approach informed by knowledge gained from previous cyber attacks. 
  • Behaviour analysis – systems analyse current user behaviour looking for irregularities. 
  • Machine learning-based – systems detect known attack patterns in real time and to a high level of accuracy.

Despite their differences, Detection Engineering and Threat Hunting aren’t isolated practices. In fact, they intersect in several areas. For instance, the output from threat hunting activities often informs the development of detection mechanisms. The insights gained from hunting unknown threats can guide detection engineers in refining their detection mechanisms against evolving threats.

In conclusion, while both Detection Engineering and Threat Hunting use similar security infrastructures and tools, they differ significantly in their approaches, focus, and application. Their interplay, however, is undeniable and crucial to a comprehensive cybersecurity strategy. Understanding and leveraging these practices in their distinct capacities can substantially fortify your defense against the ever-evolving landscape of cybersecurity threats.

Series Navigation<< Threat Intelligence for SOCYara 101 >>