Jeff Darrington:
Welcome to the final session of our three-part webinar series, The Other Side of Security. In this series, we’ve been discussing the fine line between threat hunting and detection. Today, we’ll continue our conversation on security hygiene, with a focus on threat hunting and detection.
I’m Jeff Darrington, Senior Technical Marketing Manager here at Greylog. Joining me again is Joe Gross, Director of Solution Engineering at Greylog, and Simon Huber, Greylog Solution Engineer. Today, we’re also joined by Abe Abernathy, our Greylog Training Engineer. Hello, Abe!
I’ll be passing the baton to Abe, as I’ll be a participant in today’s panel. Abe, take it away!
Abe Abernathy:
Thanks, Jeff! I’m really excited about today’s panel. We’ve got a variety of perspectives: one from large-scale and government enterprise, another from the logging and security analytics field, and one focused on strategy and management. And then there’s me—just trying to keep up with the big kids here!
I’m excited to lead this discussion. One of the first topics we’re diving into today is the key differences between threat hunting and threat detection. These two often get confused, and I think it comes down to perspective. Let’s get some insights from the panel.
So, panel—what’s the big difference between threat hunting and threat detection? Who wants to go first?
Joe Gross:
I’ll take it.
I like to think of detection as being like a commercial fishing boat, dragging nets through the water. You’re using nets designed to catch certain types of fish, but you’ll let other things pass through. Detection is broad—it’s about setting up alerts and waiting for something to trip them.
Threat hunting, on the other hand, is like spearfishing. You’re in the water, targeting specific fish one at a time. It’s much more proactive. You’re searching for very specific needles in the haystack based on hypotheses you’ve created, rather than waiting for automated alerts.
So, in a way, detection is more passive, while threat hunting is active and focused.
Abe Abernathy:
Thanks, Joe! So, we have one perspective—threat detection is reactive, and threat hunting is proactive. I’m curious to hear what others think. Simon, Jeff—who wants to go next?
Jeff Darrington:
I’ll go next.
From my perspective, detection is automated—it’s whatever product you’ve implemented to handle that. Threat hunting, however, involves specialized skills. Organizations often train people in tools like Kali Linux to handle this manually. These hunters are experts in seeking out hidden threats—whereas detection systems only catch what they’re programmed to see.
That’s my broad take on it.
Abe Abernathy:
Awesome, thanks, Jeff! Simon, what’s your take?
Simon Huber:
I look at it a bit differently. Threat detection is what you’ve already set up to automate the known risks in your environment. Threat hunting, on the other hand, is looking for gaps—those things your automated tools don’t cover yet. Over time, the things you hunt for today can turn into your detection rules tomorrow. It’s a cycle where hunting evolves into better detection.
Abe Abernathy:
Great points from all of you! It’s clear that while threat detection and hunting are different, they work together over time, building a stronger overall security posture.
Let’s move on to another common topic: “Thinking like an attacker.” What does that phrase really mean, and how useful is it? Simon, I’m going to put you on the spot here.
Simon Huber:
I think “thinking like an attacker” is often more of a marketing term. There’s a difference between someone employed 9-to-5 for red team work and someone with real-world motivations like financial gain or political reasons. However, there’s value in testing your controls. Tools like penetration testing or phishing campaigns simulate real-world scenarios and help test your defenses.
So, while “thinking like an attacker” can be a bit vague, there’s value in emulating those kinds of behaviors to strengthen your security posture.
Abe Abernathy:
Well said, Simon! Jeff, what’s your take on this?
Jeff Darrington:
For me, thinking like an attacker is more of a skill set and mindset. Attackers have all the time in the world to exploit vulnerabilities, but your internal team is limited in resources. Training your staff in ethical hacking can help them see your system’s weaknesses more clearly. It’s about taking a step back and asking, “If I were an attacker, how would I exploit this?”
But yes, it’s a highly sought-after skill, and it can be hard to retain talent once they’ve mastered it.
Abe Abernathy:
Joe, what are your thoughts on this?
Joe Gross:
I see a difference between “thinking like a hacker” and “thinking like an attacker.” Thinking like a hacker is something red teams can do—it’s about understanding the logic behind breaking into a system. But thinking like an attacker is harder to replicate because you can’t simulate the real-world motivations behind it—be it financial gain, patriotism, or something else.
Instead, I think the focus should be on risk. It’s important for security teams to prioritize risk and make decisions based on their organization’s risk appetite. Thinking like a hacker is helpful, but ultimately, security decisions need to be made based on business risk.
Abe Abernathy:
That’s a great distinction, Joe. Thinking like a hacker might help technically, but ultimately, it’s about understanding and managing risk.
Finally, let’s talk about the top techniques for monitoring for cyberattacks or conducting threat hunting. Let’s hear your top three. Jeff, you want to start?
Jeff Darrington:
Sure! My first one is about being honest with yourself as an organization. You know where your vulnerabilities are, but you have to acknowledge them. If you’re aware of a Windows XP machine running critical services, don’t ignore it. Address it, plan for it, and work on reducing risk.
Simon Huber:
I’d expand on what Jeff said—knowing your assets is critical. You need a proper asset inventory, and you need to keep it up to date. Many organizations fail because they don’t know what they have.
My second point would be the value of purple teaming—bringing together red and blue teams to work together, test your environment, and learn from each other.
Joe Gross:
I agree with everything that’s been said. I’d add that organizations should embrace the security community. There’s a wealth of knowledge and resources out there, like Sigma rules, Yara rules, and organizations like ISSA or ISACA. Use these to build your threat intelligence and improve your controls.
Abe Abernathy:
Great insights from everyone! To summarize, we discussed threat hunting vs. detection, the idea of thinking like an attacker, and key techniques for monitoring and hunting threats. Thank you to the panel for your great perspectives.
Jeff, back to you to wrap us up.
Jeff Darrington:
Thanks, Abe! That wraps up the final session of The Other Side of Security webinar series. Thanks to everyone who joined us, and let’s get the conversation going in the Q&A!