Cybereason Blog | Cybersecurity News and Analysis

How threat hunting is different from an intrusion detection system

Written by Lital Asher-Dotan | Oct 13, 2016 3:50:44 PM

Is threat hunting just a fancy name for an intrusion detection system (IDS)? After all, both detect threats that have already made their way into a company’s network. If you have an IDS, why would you need to hunt for threats?

Stop hoping to discover threats

To show the difference between the two, I’d like to invoke a gardening analogy. Using an IDS is equivalent to planting a bunch of tomato seeds, caring for them and hoping some of those seeds yield red, ripe tomatoes in a few months. You set configuration strategies for your IDS (planting seeds), receive and react to the threat alerts the IDS generates (caring for the tomato plants) and hope that some alerts reveal security incidents that can be remediated (you cross your fingers for a bumper crop).

Neither approach is an effective way to reach its goal. If you’re growing tomatoes, you probably want to be more proactive about caring for the plant to ensure it yields the best crop possible. Maybe you’d fertilize the soil or make sure the plant gets optimal sunlight.

Take a proactive approach to detecting attacks

And if you’re trying to keep your company safe from advanced attackers, waiting to receive threat alerts is just as reactive. Analysts in large companies receive hundreds of threat alerts daily, giving them a mountain of data to sort through. Plus analysts have to know what they’re looking for to figure out whether an alert warrants action. That’s assuming your company has enough qualified security talent to handle alert triage in the first place. Pretty much every business is struggling to hire skilled information security workers.

Threat hunting is a much more proactive way to detect threats. Instead of waiting for something bad to happen, you’re actively searching your environment for malicious activity. Hunting also picks up activity that an IDS is incapable of detecting, such as fileless malware attacks, lateral movement and targeted commodity attacks. Attackers use mechanisms like these precisely because traditional security tools can’t detect them. In those cases, threat hunting can reveal what an IDS failed to pick up.

Think about what happens after infiltration

There’s also a different mindset behind IDS and threat hunting. With an IDS, a company assumes its defenses are strong enough to resist an attack. Threat hunting, on the other hand, requires an organization to admit that an adversary has already defeated its defensive measures. Thinking about what a perpetrator might do after infiltration, instead of focusing only on how to prevent a break-in, can help a company discover the full scope of an attack. Ultimately, threat hunting can help make a company more secure by stopping entire attack campaigns.
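Because the post stays at the conceptual level, a concrete picture of what "actively searching your environment" looks like helps. What follows is an added example, not Cybereason's code or product: a small Python hunting pass over constructed endpoint telemetry that tests two hypotheses the post raises. The first is fileless tooling, here PowerShell started with an encoded command line, so there is no script on disk for a file-based detector to inspect. The second is lateral movement, here one account logging on over the network to several hosts within a short window, the kind of post-infiltration behaviour the "assume the adversary is already in" mindset looks for. The JSON-lines format, the field names, the host and user names, and the thresholds are all assumptions constructed for this example.

```python
"""Threat-hunting pass over endpoint telemetry (added example, not Cybereason code).

Two hunting hypotheses are evaluated against constructed records:
  1. PowerShell launched with an -EncodedCommand switch (or one of the
     abbreviations PowerShell accepts), a fileless indicator an IDS watching
     files on disk has nothing to inspect for.
  2. One account performing network logons (logon_type 3) to several hosts
     within a short window, a fan-out pattern consistent with lateral movement.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry in JSON-lines form. Field names, hosts and users are
# assumptions for this example, not a real product's schema.
SAMPLE_TELEMETRY = r"""
{"id":"e01","ts":"2016-10-13T08:55:00","type":"logon","logon_type":2,"user":"jdoe","src_host":"WS-17","dst_host":"WS-17"}
{"id":"e02","ts":"2016-10-13T09:00:05","type":"process","host":"WS-17","user":"jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand QQBCAEMA"}
{"id":"e03","ts":"2016-10-13T09:02:10","type":"process","host":"WS-22","user":"asmith","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\inventory.ps1"}
{"id":"e04","ts":"2016-10-13T09:05:00","type":"process","host":"SRV-DB1","user":"svc_backup","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c backup.bat"}
{"id":"e05","ts":"2016-10-13T09:07:40","type":"process","host":"WS-17","user":"jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -enc QQBCAEMA"}
{"id":"e06","ts":"2016-10-13T09:01:00","type":"logon","logon_type":3,"user":"jdoe","src_host":"WS-17","dst_host":"SRV-FS1"}
{"id":"e07","ts":"2016-10-13T09:03:00","type":"logon","logon_type":3,"user":"jdoe","src_host":"WS-17","dst_host":"SRV-MAIL"}
{"id":"e08","ts":"2016-10-13T09:10:00","type":"logon","logon_type":3,"user":"svc_backup","src_host":"WS-17","dst_host":"SRV-FS1"}
{"id":"e09","ts":"2016-10-13T09:11:30","type":"logon","logon_type":3,"user":"svc_backup","src_host":"WS-17","dst_host":"SRV-FS2"}
{"id":"e10","ts":"2016-10-13T09:12:15","type":"logon","logon_type":3,"user":"svc_backup","src_host":"WS-17","dst_host":"SRV-DB1"}
{"id":"e11","ts":"2016-10-13T09:14:50","type":"logon","logon_type":3,"user":"svc_backup","src_host":"WS-17","dst_host":"SRV-HR1"}
{"id":"e12","ts":"2016-10-13T08:00:00","type":"logon","logon_type":3,"user":"padmin","src_host":"ADM-01","dst_host":"SRV-FS1"}
{"id":"e13","ts":"2016-10-13T09:00:00","type":"logon","logon_type":3,"user":"padmin","src_host":"ADM-01","dst_host":"SRV-FS2"}
{"id":"e14","ts":"2016-10-13T10:00:00","type":"logon","logon_type":3,"user":"padmin","src_host":"ADM-01","dst_host":"SRV-DB1"}
"""


def load_events(text):
    """Parse JSON-lines telemetry and convert timestamps to datetime objects."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def _is_encoded_flag(token):
    """True when a command-line token is PowerShell's -EncodedCommand switch or
    one of the prefixes PowerShell accepts for it (-e, -en, -enc, ..., -ec).
    -ExecutionPolicy is not a prefix of 'encodedcommand', so it is not matched."""
    tok = token.lstrip("-/").lower()
    if not tok or not tok.startswith("e"):
        return False
    return tok == "ec" or "encodedcommand".startswith(tok)


def hunt_encoded_powershell(events):
    """Hypothesis 1: PowerShell processes started with an encoded command line."""
    hits = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image not in ("powershell.exe", "pwsh.exe"):
            continue
        if any(_is_encoded_flag(tok) for tok in ev.get("cmdline", "").split()):
            hits.append(ev["id"])
    return hits


def hunt_logon_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Hypothesis 2: an account with network logons to >= min_hosts distinct
    hosts inside any sliding window. Returns {user: sorted hosts} for hits."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("type") == "logon" and ev.get("logon_type") == 3:
            by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        for i, start in enumerate(evs):
            hosts = {e["dst_host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            flagged[user] = sorted(best)
    return flagged


def run_hunt(text=SAMPLE_TELEMETRY):
    """Run both hypotheses and return their findings keyed by hunt name."""
    events = load_events(text)
    return {
        "encoded_powershell": hunt_encoded_powershell(events),
        "logon_fanout": hunt_logon_fanout(events),
    }


if __name__ == "__main__":
    for name, result in run_hunt().items():
        print(f"{name}: {result}")
```

Note what the two hypotheses do that a signature alert does not: the encoded-command hunt keys on how a legitimate interpreter was invoked rather than on a known-bad file, and the fan-out hunt is purely behavioural, so `padmin` touching three servers over two hours is left alone while `svc_backup` touching four in five minutes surfaces. Both findings are leads for an analyst to investigate, not verdicts.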