Threat Intelligence vs. Threat Hunting: Distinct Roles, Unified Defense
This blog aims to provide a clear and comprehensive understanding of threat intelligence and threat hunting, their differences, and how they work together.
What is Threat Intelligence?
Threat intelligence is the collection, validation, and sharing of information about potential or existing threats that could disrupt an organization. This information enables an organization to make informed decisions about the security of its assets and to reduce risk. The aim is to give the organization relevant insight so that it can anticipate, prepare for, and respond to threats effectively, which in turn strengthens its defenses, helps it prioritize security measures, and lets it allocate resources wisely. Threat intelligence is gathered from a range of sources, including:
- Open Source Intelligence (OSINT): Publicly available information, such as news articles, social media posts, and publicly accessible databases.
- Human Intelligence (HUMINT): Information gathered through human sources, including security researchers, informants, and industry contacts.
- Imagery Intelligence (IMINT): The collection and processing of imagery and other pictorial material to derive information about a target. Examples include photographs, satellite imagery, and images obtained from sensors mounted on aircraft or drones.
- Signals Intelligence (SIGINT): The interception of electronic signals to gather intelligence, for example on communications between threat actors or between a command-and-control server and a compromised machine.
Types of Threat Intelligence
- Strategic Threat Intelligence: Strategic threat intelligence provides high-level insight that informs decisions taken at the top of the organization. It develops long-range analyses of trends, geopolitical considerations, and the overall threat landscape. This kind of intelligence covers big-picture developments that feed into strategic decisions but pose no immediate threat.
- Tactical Threat Intelligence: This type of threat intelligence focuses on threat actors and the tactics and techniques they apply. It is most often handed to the security team so that they understand how attackers operate and can defend the network against those threats.
- Operational/Technical Threat Intelligence: Operational threat intelligence, sometimes referred to as “technical threat intelligence”, provides detailed information about active threats, including indicators of compromise (IOCs) such as IP addresses, domains, and malware hashes. It also involves analysis of the specific technical details of how an attack is carried out, such as the tactics, techniques, and procedures (TTPs) used by threat actors. This type of intelligence is crucial for day-to-day operations, helping security teams respond quickly to emerging threats, fine-tune security tools, and improve detection capabilities.
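The operational use of IOCs described above, applying a feed of IP addresses, domains, and hashes to log data, as an added example that is not part of the original post. The IOC feed, the log lines, and the function names (`refang`, `normalise_feed`, `match_logs`) are all constructed for this illustration; the addresses come from documentation ranges and the hash is the SHA-256 of empty input, used only as a placeholder value. It also handles two details a real feed forces on you: indicators arrive defanged (`hxxp://`, `[.]`) and must be normalised before comparison, and a domain indicator should match its subdomains as well.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed IOC feed (operational/technical threat intelligence); sample data only.
# Values are deliberately defanged, as shared indicators usually are.
RAW_IOCS = [
    {"type": "ipv4", "value": "203.0.113.77", "note": "C2 server (TEST-NET-3 documentation range)"},
    {"type": "domain", "value": "evil-updates[.]example", "note": "payload host"},
    {"type": "url", "value": "hxxp://evil-updates[.]example/stage2.bin", "note": "dropper URL"},
    {"type": "sha256",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "note": "placeholder hash (SHA-256 of empty input), not a real malware sample"},
]

# Constructed log lines: a proxy event, two DNS queries, and an EDR file-hash event.
SAMPLE_LOGS = [
    "2024-05-01T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.77 url=http://evil-updates.example/stage2.bin",
    "2024-05-01T10:01:03Z dns client=10.0.0.5 query=cdn.evil-updates.example",
    "2024-05-01T10:02:10Z dns client=10.0.0.9 query=www.example.org",
    "2024-05-01T10:05:44Z edr host=WS-12 file=C:\\Temp\\a.bin "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(value: str) -> str:
    """Undo common defanging and fold case so feed values compare cleanly with raw logs."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"(?i)^hxxp", "http", value)  # hxxp -> http, hxxps -> https
    return value.strip().lower()


def normalise_feed(raw):
    """Return (ipv4 set, domain set, sha256 set) ready for exact or suffix matching."""
    ips, domains, hashes = set(), set(), set()
    for ioc in raw:
        v = refang(ioc["value"])
        if ioc["type"] == "ipv4":
            ip_address(v)  # raises ValueError on a malformed indicator instead of matching nothing silently
            ips.add(v)
        elif ioc["type"] == "domain":
            domains.add(v)
        elif ioc["type"] == "url":
            host = urlparse(v).hostname  # a URL indicator also gives us its hostname
            if host:
                domains.add(host)
        elif ioc["type"] == "sha256":
            hashes.add(v)
    return ips, domains, hashes


def domain_matches(candidate: str, domains) -> bool:
    """True when candidate equals an IOC domain or is a subdomain of one."""
    candidate = candidate.lower()
    return any(candidate == d or candidate.endswith("." + d) for d in domains)


def match_logs(log_lines, feed):
    """Scan each log line for IOC hits; returns (line, indicator type, matched value) tuples."""
    ips, domains, hashes = feed
    hits = []
    for line in log_lines:
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((line, "ipv4", ip))
        for h in SHA256_RE.findall(line):
            if h.lower() in hashes:
                hits.append((line, "sha256", h.lower()))
        for host in HOST_RE.findall(line):
            if domain_matches(host, domains):
                hits.append((line, "domain", host.lower()))
    return hits


if __name__ == "__main__":
    for line, kind, value in match_logs(SAMPLE_LOGS, normalise_feed(RAW_IOCS)):
        print(f"[{kind}] {value} <- {line}")
```

The same normalisation step is what a SIEM or EDR integration does before loading a feed; if it is skipped, defanged indicators never match anything and the feed appears to be "clean" when it is simply not being applied.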
What is Threat Hunting?
Threat hunting is the proactive process of searching for IOCs and potential threats that have evaded traditional security measures. Unlike threat intelligence, which is largely reactive and focuses on gathering and analyzing information, threat hunting actively seeks out threats within an organization’s environment. The primary goal is to detect and mitigate threats that have bypassed existing security controls before they cause significant damage. As the last line of defense, threat hunting catches threats that automated systems may miss.
Types of Threat Hunting
- Hypothesis-Driven Hunt: A hypothesis-driven hunt starts from an informed assumption about a possible threat. Hunters form a theory of how an attacker might operate and then look for evidence that confirms or refutes it. This typically involves advanced analytics and behavioral analysis.
- Threat Intelligence-Driven Hunting: This form of hunting uses information gathered through threat intelligence to search the environment for signs of compromise.
- Entity-Driven Hunting: An entity-driven hunt focuses on activity associated with specific entities, such as users, devices, or applications. It often uses user and entity behavior analytics (UEBA) to detect anomalies that may indicate a threat.
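An entity-driven hunt of the kind described in the last item, as an added example that is not part of the original post. It builds a per-user behavioral baseline from a window of authentication events (which hosts the account logs on to, and at what hours) and then flags later events that deviate from it, which is the core of what UEBA tooling does. The event records, user and host names, the `build_profiles` and `hunt` function names, and the one-hour tolerance are all constructed for the illustration; one thing the code deliberately handles is an account with no baseline at all, which should be surfaced for review rather than silently treated as normal.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication events: (timestamp, user, host, outcome). Sample data only.
BASELINE_EVENTS = [
    ("2024-04-01T08:05:00", "alice", "WS-ALICE", "success"),
    ("2024-04-01T09:10:00", "alice", "WS-ALICE", "success"),
    ("2024-04-02T08:15:00", "alice", "WS-ALICE", "success"),
    ("2024-04-02T17:40:00", "alice", "FILESRV-1", "success"),
    ("2024-04-01T08:30:00", "bob", "WS-BOB", "success"),
    ("2024-04-02T08:35:00", "bob", "WS-BOB", "success"),
    ("2024-04-03T08:20:00", "bob", "WS-BOB", "success"),
]

# Constructed events from the hunt window, with the behaviour each one is meant to exercise.
HUNT_EVENTS = [
    ("2024-05-06T08:07:00", "alice", "WS-ALICE", "success"),    # normal for alice
    ("2024-05-06T02:13:00", "alice", "DC-1", "success"),        # new host and unusual hour
    ("2024-05-06T09:00:00", "bob", "WS-BOB", "success"),        # normal for bob
    ("2024-05-06T09:01:00", "bob", "WS-ALICE", "failure"),      # bob trying alice's workstation
    ("2024-05-06T11:00:00", "svc-backup", "DC-1", "success"),   # account with no baseline
]


def build_profiles(events):
    """Summarise each user's normal behaviour: hosts used, logon hours, and event count."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(), "count": 0})
    for ts, user, host, outcome in events:
        if outcome != "success":
            continue  # failed logons do not describe what 'normal' looks like
        profile = profiles[user]
        profile["hosts"].add(host)
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["count"] += 1
    return dict(profiles)


def hunt(events, profiles, min_baseline=3, hour_tolerance=1):
    """Return events that deviate from the entity's baseline, each with the reasons it was flagged."""
    findings = []
    for ts, user, host, outcome in events:
        reasons = []
        profile = profiles.get(user)
        if profile is None or profile["count"] < min_baseline:
            # Cannot judge this entity against itself; surface it rather than assume it is fine.
            reasons.append("insufficient baseline for entity")
        else:
            if host not in profile["hosts"]:
                reasons.append(f"first logon to {host}")
            hour = datetime.fromisoformat(ts).hour
            if not any(abs(hour - h) <= hour_tolerance for h in profile["hours"]):
                reasons.append(f"logon hour {hour:02d} outside baseline")
        # A failed logon on its own is noise; it only adds weight to an already anomalous event.
        if reasons and outcome == "failure":
            reasons.append("failed logon")
        if reasons:
            findings.append({"ts": ts, "user": user, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(HUNT_EVENTS, build_profiles(BASELINE_EVENTS)):
        print(finding["ts"], finding["user"], finding["host"], "; ".join(finding["reasons"]))
```

A real baseline would span weeks and include more dimensions (source address, application, data volume), but the shape is the same: model the entity, then ask which current events the model does not explain, and treat "no model exists" as a finding in its own right.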
The Differences Between Threat Intelligence and Threat Hunting
Although they share a lot of similarities, there are a few key differences between the two:
- Proactivity vs. Reactivity: Threat intelligence is primarily reactive and focuses on gathering and analyzing information about existing threats. Threat hunting, on the other hand, is proactive, involving the active search for threats that may be lurking within an organization’s environment.
- Focus: Threat intelligence is concerned with understanding the broader threat landscape and providing actionable insights to inform decision-making. Threat hunting is focused on identifying and mitigating specific threats that have evaded detection.
- Tools and Techniques: Threat intelligence relies heavily on data collection, analysis, and dissemination. It often involves the use of threat feeds, intelligence platforms, and analytical tools. Threat hunting, meanwhile, uses advanced analytics, behavioral analysis, and manual investigation techniques to identify threats.
- Outcome: The primary outcome of threat intelligence is the production of actionable insights that inform security decisions. The outcome of threat hunting is the detection and mitigation of threats that have bypassed traditional security controls.
How Threat Intelligence and Threat Hunting Work Together
Despite their differences, threat intelligence and threat hunting are complementary processes that, when combined, provide a more comprehensive approach to cybersecurity.
Enriching Threat Hunting with Intelligence
Information gathered during the threat intelligence process, such as the TTPs used by threat actors, is a valuable resource for threat hunters. It allows them to focus their efforts on the most relevant and highest-priority threats.
Feeding Intelligence Back into the System
Threat hunting also produces data that can be fed back into the threat intelligence pipeline. When threat hunters uncover new IOCs or TTPs, these can be added to the organization's indicator lists and shared as a source for other organizations. This feedback loop raises the quality of threat intelligence and makes security controls more effective.
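The feedback loop described above, merging indicators uncovered by a hunt into an existing intelligence store, as an added example that is not part of the original post. The existing feed entry, the hunt findings, the address ranges, and the names `merge_findings`, `is_shareable` and `to_feed_lines` are all constructed for the illustration (the external address is from a documentation range). The points it is meant to show are the ones that separate a useful feedback loop from a polluted feed: indicators are normalised and de-duplicated, an indicator already known from another source has its confidence raised rather than being added twice, and artefacts that belong to the victim (internal addresses) are kept out of anything that will be shared with other organizations.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed: the organization's own address space, which must never be published as an IOC.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed: one indicator already known from a vendor feed.
EXISTING_FEED = {
    "203.0.113.77": {"type": "ipv4", "first_seen": "2024-04-20", "last_seen": "2024-04-20",
                     "sightings": 1, "sources": ["vendor-feed"], "confidence": 60},
}

# Constructed: what a hunt turned up, including a duplicate in different case and a victim address.
HUNT_FINDINGS = [
    {"type": "ipv4", "value": "203.0.113.77", "observed": "2024-05-06", "context": "beacon from WS-12"},
    {"type": "domain", "value": "evil-updates.example", "observed": "2024-05-06", "context": "stage2 download"},
    {"type": "domain", "value": "EVIL-UPDATES.EXAMPLE", "observed": "2024-05-07", "context": "seen on second host"},
    {"type": "ipv4", "value": "10.0.0.5", "observed": "2024-05-06", "context": "internal victim, not an IOC"},
]


def is_shareable(ioc_type: str, value: str) -> bool:
    """Internal addresses describe the victim, not the attacker, and stay out of shared feeds."""
    if ioc_type == "ipv4":
        addr = ip_address(value)
        return not any(addr in net for net in INTERNAL_NETS)
    return True


def merge_findings(feed, findings, source="internal-hunt"):
    """Fold hunt findings into a copy of the feed; returns (new feed, list of (action, value))."""
    merged = {k: dict(v, sources=list(v["sources"])) for k, v in feed.items()}  # do not mutate input
    actions = []
    for f in findings:
        value = f["value"].strip().lower()  # normalise so duplicates collapse
        if not is_shareable(f["type"], value):
            actions.append(("skipped", value))
            continue
        entry = merged.get(value)
        if entry is None:
            merged[value] = {"type": f["type"], "first_seen": f["observed"], "last_seen": f["observed"],
                             "sightings": 1, "sources": [source], "confidence": 50,
                             "context": [f["context"]]}
            actions.append(("added", value))
            continue
        entry["sightings"] += 1
        entry["last_seen"] = max(entry["last_seen"], f["observed"])  # ISO dates sort as strings
        entry.setdefault("context", []).append(f["context"])
        if source not in entry["sources"]:
            # Independent corroboration (vendor feed plus our own hunt) justifies higher confidence.
            entry["sources"].append(source)
            entry["confidence"] = min(100, entry["confidence"] + 25)
        actions.append(("updated", value))
    return merged, actions


def to_feed_lines(feed):
    """Serialise the store as one JSON object per line, the shape most feed consumers accept."""
    return [json.dumps(dict(value=v, **entry), sort_keys=True) for v, entry in sorted(feed.items())]


if __name__ == "__main__":
    updated, actions = merge_findings(EXISTING_FEED, HUNT_FINDINGS)
    for action, value in actions:
        print(f"{action:8} {value}")
    print("\n".join(to_feed_lines(updated)))
```

The confidence bump is deliberately tied to a new source, not to repeat sightings from the same hunt; seeing an indicator twice yourself is not the same evidence as a second party seeing it independently.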
Continuous Improvement
Together, threat intelligence and threat hunting allow businesses to strengthen their security proactively. Threat intelligence gives organizations vital insight into how threats are evolving; combining it with threat hunting ensures that organizations proactively search for and address new security challenges ahead of detection. Integrated, these mechanisms provide the agility and flexibility needed to respond to constantly evolving cyber threats.