Threat Hunting vs Incident Response for Cyber Resilience

Protecting data and protecting business continuity are both similar and different. In a data driven world, your mission as a security analyst is to prevent threat actors from gaining unauthorized access to sensitive data and systems. Simultaneously, you also need to investigate incidents rapidly, ensuring that critical services experience as little downtime as possible. As cyber resilience and cybersecurity inch ever closer to one another, you need comprehensive proactive and reactive practices to protect data.

When discussing threat hunting versus incident response, you should understand their similarities and differences so that you can build a cyber resilient data protection program.

What is threat hunting?

Threat hunting is a process that security analysts use for proactively searching through systems and networks to find malicious activity that indicates a potential ongoing attack where adversaries evaded detection. Threat hunters use cyber threat intelligence, like Indicators of Compromise (IoCs), for a proactive response to security.

Four threat-hunting methodologies exist:

  • Structured hunting: Combining attacker tactics, techniques, and procedures (TTPs) with Indicators of Attack (IoA) often aligned to a known framework, like MITRE ATT&CK
  • Unstructured hunting: Using a trigger event, like an IoC, to search logs for pre-detection and post-detection patterns
  • Intel-based hunting: Initiating reactive hunting with inputs from IoCs, like hash values, domain names and networks, host artifacts, and IP addresses
  • Hybrid hunting: Designing customized searches based on situational awareness that use structured, unstructured, and intel-based methodologies

What are the steps of threat hunting?

Threat hunting follows a set of repeatable steps, even unstructured threat hunting.

When you engage in threat hunting you need to:

  • Determine what to look for: Decide what undetected malicious activity could be lurking in your systems
  • Develop and test a hypothesis: Consider your current environment to determine potential risks, like vulnerabilities that attackers can exploit
  • Collect and process data: Identify the log sources that you think will have data to prove or disprove your hypothesis
  • Investigate: Look for the the IoCs or follow the potential attack path to prove or disprove the hypothesis
  • Respond and Resolve: Contain any identified threats and restore systems to pre-attack state

Often, security analysts are so busy trying to respond to alerts that they don’t have the time to do additional work. However, if you’re using threat intelligence and can build Sigma rules, you can automate the process, giving you a way to get all the benefits of threat hunting without the burdens associated with it.


What is the difference between incident response and threat hunting?

If you look at the threat hunting process, you might see some similarities to incident response. The final stages of both threat hunting and incident response require you to investigate an issue and recover systems to the pre-issue or pre-incident state. The primary differences between the two are how you use the techniques to protect systems.

Known vs. Unknown

Incident response is the process for responding to known incidents. Your detections fired an alert and now you need to find the threat actor in your systems. Your alert is the first clue on your investigation path.

Threat hunting arises from the premise that threat actors compromised your systems, but you don’t know that they have. Without the initial detection “clue,” you start your investigation with events that you know have happened to other people, then look for the same issues in your own environment.

Reactive vs. Proactive

Incident response is a reaction to an alert, meaning that malicious actors are already in your systems. Your goal is to find them as quickly as possible, limiting the amount of time they spend in systems.

Threat hunting is proactive, meaning that you’re looking for malicious actors who might be in your systems. Your goal is to reduce the amount of damage they can do because if they’re in your systems without your knowledge, they may have already stolen sensitive information.

How does threat hunting complement incident response?

Threat hunting is the peas to your incident response carrots, the peanut butter to its jelly. Since threat hunters look at your systems the way that attackers do, their process makes it easier for incident response teams to investigate attacks.

Reduce the Attack Surface

When you engage in threat hunting, you engage in the same reconnaissance that an attacker would use. When you do this, you can visibility into:

  • Hosts visible from an endpoint
  • Critical assets accessible on the network
  • Lateral movement across networks and systems

As your threat hunting identifies these attack vectors, you can implement controls that limit an attacker’s ability to exploit them. For example, if you know that an operating system vulnerability can be used during an attack, your threat hunting might find an unpatched device. By patching the device, you reduce the number of devices that the incident response team needs to investigate when an alert fires.

Generate High-Fidelity Alerts

With threat hunting, you get a continuous feedback loop that helps you reduce false negatives and false positives. If your threat hunting activities locate previously undetected malicious activity, the investigation process can trace it back to the origin point. In doing so, they can help you figure out why your cybersecurity technologies didn’t detect the activity.

Simultaneously, your threat hunting activities can help you reduce the number of false positives. When you go looking for IoCs in your unique environment, you build context around a technical issue. For example, high data download volumes can be a sign that malicious actors are stealing information. However, if your finance team runs a job every day at 11pm, then this would be a normal activity in your environment. By threat hunting, you can better define the rules for your alerts, eliminating false positives that become overwhelming for your security team.

With high-fidelity alerts, your incident response team knows that their tools are detecting as much abnormal activity as possible without getting detections that send them on a wild event log chase.

Why are threat hunting and incident response important to cyber resilience?

Cyber resiliency is about the ability to:

  • Anticipate adverse conditions, like stresses, attacks, or compromises
  • Withstand adversity by maintaining essential mission or business functions
  • Recover from threat events or conditions
  • Adapt to tactical or strategic changes by modifying processes, procedures, and technologies

Your threat hunting activities enable you to anticipate potential adverse conditions so that you can modify processes, procedures, and technologies. Your incident response enables you to build the supporting processes that enable you to withstand an incident and rapidly recover from an event.

By building a comprehensive program that combines threat hunting with robust incident response processes, you can mature your cyber resilient posture.

Graylog Security: Automate Threat Hunting and Incorporate Rapid Investigation

With Graylog Security, you get the SIEM functionality you need to automate threat hunting with intuitive user interface and lightning fast search capabilities for rapid incident investigations. By leveraging our out-of-the-box content and cloud native capabilities, you gain immediate value from your logs. Combining these capabilities with our anomaly detection machine learning (ML), you get the comprehensive technology stack necessary to achieve the high-fidelity alerts that save your security team time and minimize alert fatigue.

To learn how Graylog Security can help you become cyber resilient, contact us today.


Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.