Threat detection is a process that, in most cases, is automated and aimed at detecting known threats, while threat hunting is a creative process with a flexible methodology in which a human hunter looks for the attacker. There are several approaches to cyber defense, but they can generally be classified into prevention-based and detection-based strategies. In a prevention-based strategy, an organization does everything it can to harden its systems against attack.
Cyber threat hunting is a proactive security search through networks, endpoints and data sets for malicious, suspicious or risky activity that existing tools have not detected. There is therefore a distinction between detecting cyber threats and hunting for them. Threat detection is a comparatively passive approach to monitoring data and systems for potential security problems, but it is still a necessity, and its output can help threat hunters.
Proactive cyber threat hunting tactics have evolved to apply new threat intelligence to previously collected data in order to identify and classify potential threats before an attack succeeds. The hunter identifies threat actors based on the environment, the domain and the attack behaviours used, and turns this into a hypothesis aligned with the MITRE framework. Hunters are qualified IT security professionals who search for, record, monitor and neutralize threats before they can cause serious problems. Hunting activities can be based on intelligence-driven hunting models and on hypotheses that draw on indicators of attack (IoA) and indicators of compromise (IoC).
Some threat detection techniques have been in practice for years, but threat hunting as a specific component of enterprise information security programs remains an emerging trend. Data collected from confirmed malicious activity can be fed into automated security technology to respond to, resolve and mitigate threats. In general, these technologies are isolated from one another and require the threat hunter to manually carry the findings through to a decisive conclusion.
Prevention and detection are two very different approaches to addressing potential cybersecurity threats. It is also important to develop baselines for normal network, data and user activity so that anomalies are easier to identify when hunting. A hypothesis can act as a trigger when advanced detection tools point threat hunters to a particular system or a specific area of the network to investigate. Intelligence-based hunts can use IoCs such as hash values, IP addresses, domain names, networks or host artifacts provided by information-sharing platforms such as computer emergency response teams (CERTs).
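The two hunting inputs described above, an intelligence-based IoC match and a baseline-versus-anomaly comparison, can be combined in a small hunt over connection logs. The following is an added example written for this page, not code from the original article or from any vendor; the log format (`timestamp key=value ...`), the IoC values and the log lines are all constructed placeholders, and the baseline model (per-user set of known destinations and working hours) is a deliberately simple assumption rather than a production-grade profile.

```python
"""Constructed example: an intel-based IoC hunt plus a baseline anomaly check
over key=value connection logs. All indicators and log lines are made up."""
import re

# Constructed IoC feed (placeholder values, not real indicators).
IOC = {
    "ip": {"198.51.100.23"},
    "domain": {"update-check.example"},
    "sha256": {"a" * 64},
}
# Which log field each IoC type is matched against.
IOC_FIELDS = {"ip": "dst", "domain": "domain", "sha256": "sha256"}

# Constructed "known-good" history used to build the baseline.
BASELINE_LOGS = [
    "2024-05-01T09:12:03Z user=alice src=10.0.0.5 dst=10.0.0.80 domain=intranet.example",
    "2024-05-01T09:15:44Z user=alice src=10.0.0.5 dst=10.0.0.81 domain=mail.example",
    "2024-05-01T10:02:10Z user=bob src=10.0.0.9 dst=10.0.0.80 domain=intranet.example",
    "2024-05-01T10:07:51Z user=bob src=10.0.0.9 dst=10.0.0.82 domain=files.example",
    "2024-05-02T09:01:00Z user=alice src=10.0.0.5 dst=10.0.0.80 domain=intranet.example",
]

# Constructed new events to hunt through.
NEW_LOGS = [
    "2024-05-03T09:05:12Z user=alice src=10.0.0.5 dst=10.0.0.80 domain=intranet.example",
    "2024-05-03T03:14:09Z user=bob src=10.0.0.9 dst=198.51.100.23 domain=update-check.example",
    "2024-05-03T03:15:30Z user=bob src=10.0.0.9 dst=10.0.0.82 domain=files.example sha256=" + "a" * 64,
    "2024-05-03T11:40:00Z user=carol src=10.0.0.12 dst=10.0.0.80 domain=intranet.example",
]


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    event.update(dict(re.findall(r"(\w+)=(\S+)", rest)))
    return event


def match_iocs(lines):
    """Intel-based hunt: return (line_index, ioc_type, value) for every IoC hit."""
    hits = []
    for i, event in enumerate(map(parse_line, lines)):
        for kind, field in IOC_FIELDS.items():
            value = event.get(field)
            if value and value in IOC[kind]:
                hits.append((i, kind, value))
    return hits


def build_baseline(lines):
    """Per-user baseline: (set of hours of day seen, set of destinations seen)."""
    baseline = {}
    for event in map(parse_line, lines):
        hours, dsts = baseline.setdefault(event["user"], (set(), set()))
        hours.add(int(event["ts"][11:13]))  # hour from 'YYYY-MM-DDTHH:MM:SSZ'
        dsts.add(event["dst"])
    return baseline


def find_anomalies(lines, baseline):
    """Baseline hunt: return (line_index, reason) for events that deviate from
    the user's known destinations or hours, or that come from an unknown user."""
    findings = []
    for i, event in enumerate(map(parse_line, lines)):
        user = event.get("user")
        if user not in baseline:
            findings.append((i, "unknown user"))
            continue
        hours, dsts = baseline[user]
        if event.get("dst") not in dsts:
            findings.append((i, "new destination"))
        if int(event["ts"][11:13]) not in hours:
            findings.append((i, "off-hours"))
    return findings


if __name__ == "__main__":
    for i, kind, value in match_iocs(NEW_LOGS):
        print(f"IoC hit  line {i}: {kind}={value}")
    for i, reason in find_anomalies(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"anomaly  line {i}: {reason}")
```

Note how the two techniques complement each other on the constructed data: the third new event (bob reaching a known destination during off-hours with a flagged file hash) is only surfaced by the IoC match, while the fourth (an unknown user) is only surfaced by the baseline check. In practice the baseline would be built from weeks of data and a richer model than sets of hours and destinations, but the shape of the hunt is the same.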
Adding automation benefits the threat hunting process and helps SOCs make better use of their staff and resources. The average time it takes companies to detect and contain a data breach is 280 days (research by the Ponemon Institute). When hunting for threats, an expert does not start from an alert or even from indicators of compromise (IoC), but from deeper forensic reasoning and analysis. In addition, 53 percent believed that their threat hunting process was not sufficiently hidden from their adversaries, and 56 percent reported that they were not satisfied with the time needed to hunt for threats.