Threat hunting and detection are two major prevention strategies in modern cybersecurity systems. Both strategies help identify potential threats to the organizations — though they take different approaches to threat identification.
This article explains the difference between threat hunting and detection, so you know what to focus on for your organization’s cybersecurity strategy.
TLDR: Hunting vs detecting threats
We’ll sum up the differences here. Keep reading to get more details on each area:
- Threating hunting enables organizations to detect threats that go undetected from today’s modern threat detection tools. It is a proactive approach to preventing threats.
- Threat detection identifies threats actively trying to attack the endpoints, networks, devices, and systems. It’s more reactive, as you’ve likely already been alerted to anomalies.
- The key differences in hunting vs. detecting = threat identification approaches, the differences in tools, the required experience, and the level of creativity both approaches bring to your cybersecurity strategies.
Free threat resources
- Threat Hunting with Splunk, with 24+ tutorials
- Our Threat Research Team offers timely, complete research for threat detections
- Threat Hunting with Splunk Enterprise Security
What is Threat Hunting?
One form of cyber counterintelligence (CII), threat hunting refers to finding threats before they attack your networks, systems and devices. Some advanced threats, like file-less malware, can successfully penetrate security layers undetected.
Threat hunting is a proactive approach to threat prevention where threat hunters look for anomalies that can potentially be cyber threats lurking undetected in your systems. Combined with threat intelligence, hunting enables organizations to:
- Better understand the attack surface.
- Expose cyber criminals as early as possible — before they compromise the systems.
Today there are several threat-hunting approaches: hypothesis-based, machine learning, AI-based and IoC and IoA-based approaches. (We’ll cover these later in the article.) Threat hunting usually starts with malicious activity triggers and proceeds with the investigation and resolution phases. These steps use several tools and technologies, like:
- Advanced detection tools indicating malicious activity
- Endpoint Detection and Response (EDR) tools
(Read our complete Threat Hunting Guide.)
What is Threat Detection?
Threat detection is the process of identifying threats in an organization that is actively trying to attack the endpoints, networks, devices and systems.
Unlike threat hunting, a threat detection is a reactive approach: threat mitigation mechanisms activate only when the organization's security system receives alerts on potential security breaches. It uses automated network and system monitoring tools which can detect malicious activity and behavioral patterns related to malware.
Once a threat is detected, security teams can further analyze them to find its impact on the organization and take necessary security measures to remove them. Like threat hunting, there are several techniques for threat detection, such as:
- Threat intelligence
- Antivirus software
- Endpoint detection and response (EDR) systems
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
(See how continuous monitoring supports these tools.)
Hunting for threats vs detecting threats: Key differences
Although both approaches can seem the same, there are major differences that help distinguish these approaches. Let’s get to know these differences.
Approaches for threat identification
Threat hunting is a proactive approach, while threat detection is an active approach. That means threat hunters do not rely on already-known attack patterns or wait until a security alert on a potential data breach occurs. Rather, they seek out threat patterns not usually caught by normal security tools. This proactive approach to threat identification allows threat hunters to detect threats before they attack your systems.
Threat detection, on the other hand, relies upon previously known attack patterns and user behaviors. For example:
- Antivirus software may use malware signatures and heuristics to discover potential threats while actively monitoring the system.
- Threat detection with User Behavior Analytics (UBA) can analyze logs and find abnormal traffic patterns deviate from known traffic patterns.
(Check out Splunk UBA or take a free, interactive tour.)
Compared with threat hunting, threat detection uses automated security tools like IDS, IPS, EDR, automated security scanning of antivirus software, etc. This software compares known malware types with potential malicious behavior or incoming network traffic. More sophisticated threat detection tools also can use AI and ML models to identify new threats.
On the other hand, hunters do use some of the same tools, but they’re often armed with more in their arsenal. Threat hunters can use data from specialized tools, like:
- Security Information and Event Management (SIEM) software
- Managed Detection and Response (MDR) tools
- Packet analyzers, etc.
Hunters may also try AI and ML techniques and manual investigation techniques. While using automated tools, threat hunters use manual and custom techniques like log and network traffic analysis and manual vulnerability scanning to find suspicious activity.
Experience, skills, knowledge required
Threat detectors typically require less experience because they usually monitor security alerts generated by different monitoring systems software. They are required to be trained to identify the most common attack patterns. When it comes to threat hunting, specialized knowledge and skills will be required to identify threat patterns that have bypassed security mechanisms. They cannot just perform analysis on known threat patterns — they won’t find anything new this way.
Threat hunters need to know how to analyze various logs, such as access logs, error servers, security appliances and network logs. They may need to think like hackers to identify emerging attacks that can invade even modern security systems and tactics, techniques, and procedures (TTP) of attackers. Such specialized knowledge and skills make threat hunters irreplaceable for any company — and thus, in higher demand.
The creative approach
While the basis of threat detection is deviations from known attack behaviors, inspiration for threat hunting stems from suspicious activities and generating hypotheses around them. In general, we can say that threat hunting is more creative and forward-thinking — conjuring up different potential scenarios and reverse engineering them to identifying potential threats that can harm organizations.
Methods: threat hunting vs. threat detection
Today, both threat hunting and detection leverage ML and AI techniques to improve identification accuracy and detect new threats. Threat hunting uses other unique methodologies to detect potential threats. This section provides some different and similar methods used in both approaches.
Common threat hunting methods
Threat hunting is often categorized into three main investigation types: structured, unstructured and ad-hoc. See how these common methods blend the different types.
1. Hypothesis-based methods
Hypothesis-based threat hunting uses insights from attackers’ latest tactics, techniques, and procedures (TTP) sourced from crowdsourced threat data. Threat hunters can identify attackers well before they attack their organization's attack surface. When there is a new TTP threat, hunters can…
- Formulate hypotheses.
- Test to identify the presence of their behaviors in their own systems.
It starts by formulating a testable and focused hypothesis that defines the existence of a threat to the organization based on the existing TTPs of threat actors. Threat hunters then try to find evidence using log analysis and other threat-hunting techniques to reject or accept the hypothesis.
If they find evidence of this existence, the hunters can quickly provide remedies.
2. Using known IoCs and IoAs
Indicators of attack (IOAs) are the indicators that show what the attacker is trying to do. Indicators of compromise (IOCs) are the evidence that shows breaches in computer systems and networks.
Using this threat intelligence, threat hunters can actively check for the existence of those known indicators — which could then become trigger points to activate threat prevention mechanisms.
(Check out the MITRE ATT&CK Framework, the go-to repository for known cyberattack behaviors.)
3. Big data processing & ML-based threat hunting
When there is a large amount of data logs for analysis, threat hunters can use big data processing techniques and clustering methods to find patterns indicating possible cyber threats. Machine Learning models can help to quickly identify known attack patterns.
4. Situational-based threat hunting
Situational-based threat hunting focuses on high-priority targets like:
- CISOs, IT managers, administrators, domain controllers, etc.
- Critical computing resources
Attacking these high-value targets can benefit the attackers. The behavior of such attackers can differ based on these high-value individuals and computing resources.
Threat Detection Methods
Now let’s look at some common ways to detect threats.
1. Threat detection using behavior analysis
Threat detection tools described throughout this article relies heavily on behavioral analysis. Unlike attackers' activities in threat hunting, this user behavior analytics software monitors the systems and networks, analyzing the existing user activity.
Using reference data points, such threat detectors can find user behaviors that deviate from normal — for example, when a user visits an unusual website or downloads unusual software.
2. Threat intelligence
Threat intelligence is the knowledge you gather via past cyber incidents. Such knowledge helps to quickly isolate the known attacks and identify attack-specific prevention methods. Threat detectors use such collected signature data to compare the suspicious attack behaviors with known data to verify their existence and quickly mitigate the threat.
(Read our complete threat intelligence guide.)
3. ML-based threat detection
As with threat-hunting methods, ML is also integrated into threat-detection tools and technologies. For example, intrusion detection systems use ML models — Random Forest, Decision Trees, and support vector machines — which can detect known attack patterns with high accuracy in real-time and stream data like network traffic logs.
4. Using intruder traps
Another technique threat detectors leverage is intruder traps. These are like baits that attackers will be attracted to, not knowing their true purpose. For example, the traps would contain false credentials, typically known as ‘honey credentials,’ which are critical for attackers to access a system and compromise sensitive data. If attackers use these credentials to tap into a system, threat detection systems trigger alerts so that security teams know a potential attacker has been found.
(Check out our honeypot explainer.)
The goal is mitigating threats
Threat hunting and detection are critical for any organization that aims to achieve a thorough defense mechanism against existing and emerging cybersecurity threats.
What is Splunk?
This posting does not necessarily represent Splunk's position, strategies or opinion.