Threat hunting and digital forensics are just two of the cogs in a robust, multifaceted security machine. However, there is often confusion about exactly what each is, what it involves, and how it differs from similar security practices. In this article, we'll not only clear up any lingering confusion regarding threat hunting and digital forensics, but also show why both are crucial to maintaining watertight security.
What is Threat Hunting?
Threat hunting may seem fairly self-explanatory: it involves searching for potential threats on your network or systems. The confusion usually arises when one has to distinguish between threat hunting and threat detection.
In the guide, The Endgame Guide to Threat Hunting, Paul Ewing and Devon Kerr define threat hunting as “a proactive approach to securing your organization’s systems. It is the process of actively looking for signs of malicious activity within enterprise networks, without prior knowledge of those signs. It allows you to uncover threats on your network without signatures or known indicators of compromise (IOCs).”
If we follow this definition, we can infer the following about Threat Hunting:
- It must involve proactively searching for threats/malicious activity
- You must not yet be aware of a threat or indicator of compromise (IoC)
- You must be able to use it to detect threats without using signatures or known IoCs
If you are matching against commonly known malware signatures or published IoCs, you are doing signature matching, which is a form of detection rather than hunting. Most organizations should already have such detection in place through their security tooling, such as endpoint antivirus and network intrusion detection.
Threat hunting, on the other hand, is a much more involved process aimed at identifying (hunting) threats based on the tactics, techniques, and procedures (TTPs) associated with malicious activity. MITRE, for instance, refers to this practice as TTP-based hunting.
As threats have become more numerous and adaptable, signature-based detection has become less effective, because threat actors have become proficient at hiding or regularly altering the artifacts that signatures key on, such as file hashes, file names, and domains. TTPs, by contrast, are much slower to change because they depend on the underlying technologies and operating systems we all use. Frameworks like MITRE ATT&CK can be used as a guide to help security professionals look for and act on the common TTPs of the day.
For example, here are some TTPs you might look out for in an enterprise environment:
- Reconnaissance: active scanning of your systems (ATT&CK T1595) and gathering information about your hosts and users (T1592, T1589).
- Initial Access: obtaining access to your network via drive-by compromise (T1189) or by exploiting a public-facing application (T1190).
- Persistence: achieving persistence via account manipulation (T1098), BITS jobs (T1197), or account creation (T1136).
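To make the difference between IoC matching and TTP-based hunting concrete, here is a small added example (not code from the original article or from LIFARS). It runs behaviour-based rules for the three persistence techniques listed above over a handful of constructed Windows events. None of the rules look for a hash, domain, or file name; they describe how the technique manifests (bitsadmin registering a notify command, Security event 4720 for a created account, event 4732 or `net localgroup` adding a member to Administrators) and then rank hosts by how many distinct techniques they exhibit. The event structure, host names, user names, and the "known patch-management account" baseline are all assumptions made for the example.

```python
"""TTP-based hunt over constructed Windows Security/Sysmon events (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    event_id: int          # Sysmon 1 = process creation; Security 4720/4732 = account events
    user: str              # account that performed the action
    image: str = ""        # process image path (process-creation events only)
    command_line: str = ""
    target: str = ""       # account or group acted on (4720 / 4732 only)


@dataclass(frozen=True)
class Finding:
    technique: str         # ATT&CK technique ID
    host: str
    user: str
    evidence: str


# Assumed baseline: the one service account that legitimately moves files with BITS.
# In a real hunt this comes from asking the patch-management team, not from guesswork.
BASELINE_BITS_USERS = {"CORP\\svc_patch"}

# Constructed sample events: one benign process, one baseline BITS download,
# and four events that together look like an attacker building persistence.
SAMPLE_EVENTS = [
    Event("ws01", 1, "CORP\\alice", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    Event("ws02", 1, "CORP\\svc_patch", r"C:\Windows\System32\bitsadmin.exe",
          "bitsadmin /transfer wu /download /priority normal "
          "http://wsus.corp.local/x.cab C:\\Temp\\x.cab"),
    Event("ws02", 1, "CORP\\bob", r"C:\Windows\System32\bitsadmin.exe",
          "bitsadmin /SetNotifyCmdLine upd C:\\Users\\Public\\u.exe NULL"),
    Event("ws03", 4720, "CORP\\helpdesk", target="support2"),
    Event("ws03", 1, "CORP\\bob", r"C:\Windows\System32\net.exe",
          "net localgroup administrators support2 /add"),
    Event("ws04", 4732, "CORP\\bob", target="Administrators"),
]


def is_bits_job(e: Event) -> bool:
    """T1197 BITS Jobs: bitsadmin staging a payload or registering a notify command.
    Downloads by the baseline patch account are tolerated; /SetNotifyCmdLine (run a
    program when the job completes) is a persistence trick and is never tolerated."""
    if not e.image.lower().endswith("bitsadmin.exe"):
        return False
    cmd = e.command_line.lower()
    if "/setnotifycmdline" in cmd:
        return True
    return ("/transfer" in cmd or "/addfile" in cmd) and e.user not in BASELINE_BITS_USERS


def is_account_creation(e: Event) -> bool:
    """T1136 Create Account: Security 4720 ("A user account was created") or `net user X ... /add`."""
    if e.event_id == 4720:
        return True
    return bool(re.search(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", e.command_line, re.I))


def is_admin_group_change(e: Event) -> bool:
    """T1098 Account Manipulation: Security 4732 adding a member to Administrators,
    or the equivalent `net localgroup administrators X /add` command line."""
    if e.event_id == 4732 and e.target.lower() == "administrators":
        return True
    return bool(re.search(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+.*\s/add\b",
                          e.command_line, re.I))


RULES = {"T1197": is_bits_job, "T1136": is_account_creation, "T1098": is_admin_group_change}


def hunt(events):
    """Apply every behavioural rule to every event; return one Finding per hit."""
    findings = []
    for e in events:
        for technique, rule in RULES.items():
            if rule(e):
                evidence = e.command_line or f"EventID {e.event_id} -> {e.target}"
                findings.append(Finding(technique, e.host, e.user, evidence))
    return findings


def rank_hosts(findings):
    """Rank hosts by the number of distinct techniques seen on them: a host that shows
    several stages of a chain is worth an analyst's time before a host with one hit."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(by_host.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.technique} {f.host} {f.user}: {f.evidence}")
    for host, techniques in rank_hosts(results):
        print(host, sorted(techniques))
```

Note what the baseline does: the patch account's BITS download is not reported, but the same command line from an ordinary user would be. That triage step, deciding what is normal in your environment before flagging the rest, is what separates a hunt from a signature match, and it is also why a hunt's rules have to be maintained by people who know the environment.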
LIFARS' Cyber Threat Hunting is an essential service to proactively investigate potential compromises, detect advanced threats, and improve cyber defenses. Our experts orchestrate an exhaustive and iterative process with purpose-built tools to conduct manual and semi-automated searches for Indicators of Compromise (IOC) and Initial Vectors of Compromise (IVOC).
What is Digital Forensics?
On the other hand, digital forensics usually takes place once an IoC has been detected or an alert has fired indicating that an attack is under way or has already taken place. Digital forensics therefore usually forms part of your incident response (IR) plan and process. Combined, the two are referred to as DFIR (digital forensics and incident response).
An IR plan is usually aimed at reducing the time it takes to respond to security incidents, contain the threat, minimize the damage, and recover as soon as possible. Digital forensics should form part of this process and help you establish a thorough understanding of exactly what happened.
A digital forensics analyst usually works from static data such as memory dumps, packet captures (PCAPs) of network traffic, disk images, and logs to reconstruct the event. Because these artifacts may later serve as evidence, they should be acquired in a forensically sound way and hashed at acquisition so that their integrity can be demonstrated afterwards. Through careful analysis of these artifacts, the aim is to establish:
- How the initial access/infection/breach took place
- How lateral spread or persistence was achieved
- Which systems were affected and what the attackers were after
- A complete perspective on the scope of the damage (e.g. data loss/theft in the case of a data breach)
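As an added illustration of the reconstruction step (this is example code written for this article, not a LIFARS tool or method), the block below merges three constructed artifacts into a single timeline: a Linux auth.log, an Apache access log, and a Windows Security event export. The three use different timestamp formats and two different time zones, so the code normalizes every entry to UTC before sorting; sorted by wall-clock time alone, the SSH login would appear to precede the web request that actually came first. It also records a SHA-256 manifest for the artifacts and re-checks them against it, so a copy that has been altered is caught before anyone draws conclusions from it. The host names, addresses, timestamps, the web01 clock offset (UTC-5), and the syslog year (2024) are all invented details of the constructed case.

```python
"""Build a UTC super-timeline from heterogeneous log artifacts and verify their integrity (added example)."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Assumed acquisition notes for the constructed case: web01 kept local time at UTC-5,
# and its syslog lines omit the year, which the acquisition record says was 2024.
WEB01_TZ = timezone(timedelta(hours=-5))
WEB01_YEAR = 2024

# Constructed evidence: three artifact files as raw bytes.
EVIDENCE = {
    "web01-auth.log": (
        b"Mar 14 02:13:07 web01 sshd[2241]: Accepted password for deploy from 203.0.113.45 port 51234 ssh2\n"
        b"Mar 14 02:14:40 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/crontab -e\n"
    ),
    "web01-access.log": (
        b'203.0.113.45 - - [14/Mar/2024:07:12:51 +0000] "GET /upload.php?cmd=id HTTP/1.1" 200 512\n'
    ),
    "dc01-security.csv": (
        b"2024-03-14T07:15:30Z,dc01,4624,CORP\\deploy,Logon type 10 from 10.0.0.25\n"
    ),
}

APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_auth_log(raw: bytes):
    """Syslog: 'Mar 14 02:13:07 host ...' in local time, no year. Add both from the notes."""
    for line in raw.decode().splitlines():
        stamp, rest = line[:15], line[16:]
        local = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=WEB01_YEAR, tzinfo=WEB01_TZ)
        yield local.astimezone(timezone.utc), "web01-auth.log", rest


def parse_access_log(raw: bytes):
    """Apache combined log: the bracketed timestamp carries its own UTC offset."""
    for line in raw.decode().splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts.astimezone(timezone.utc), "web01-access.log", f'{m["ip"]} {m["req"]} -> {m["status"]}'


def parse_security_csv(raw: bytes):
    """Constructed CSV export of Windows Security events with ISO-8601 UTC timestamps."""
    for line in raw.decode().splitlines():
        ts, host, event_id, user, detail = line.split(",", 4)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield when, "dc01-security.csv", f"{host} EventID {event_id} {user}: {detail}"


PARSERS = {
    "web01-auth.log": parse_auth_log,
    "web01-access.log": parse_access_log,
    "dc01-security.csv": parse_security_csv,
}


def build_timeline(evidence):
    """Parse every artifact with its own parser and return (utc_time, source, message) in true order."""
    entries = []
    for name, raw in evidence.items():
        entries.extend(PARSERS[name](raw))
    return sorted(entries, key=lambda e: e[0])


def make_manifest(evidence):
    """Record SHA-256 of each artifact at acquisition time."""
    return {name: hashlib.sha256(raw).hexdigest() for name, raw in evidence.items()}


def verify_manifest(evidence, manifest):
    """Re-hash the working copies and compare with the acquisition manifest."""
    return {name: hashlib.sha256(raw).hexdigest() == manifest.get(name) for name, raw in evidence.items()}


if __name__ == "__main__":
    manifest = make_manifest(EVIDENCE)
    for name, ok in verify_manifest(EVIDENCE, manifest).items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
    for when, source, message in build_timeline(EVIDENCE):
        print(when.isoformat(), source, message)
```

With the three artifacts normalized, the story reads in order: the web request to upload.php, then an SSH login from the same address, then a cron edit, then an interactive logon on the domain controller. The same events sorted by their raw timestamps would tell a different and wrong story, which is why time-zone and clock-skew handling is the first thing a forensic timeline has to get right.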
With this information, organizations can better manage the short, medium, and long-term effects of an incident and its broader ramifications. It can also help organizations better protect their network or systems against similar future attempts.
Digital forensics is also a crucial aspect of eDiscovery where an incident may lead to legal proceedings (both for suing or claiming damages and for defending yourself in terms of regulatory compliance).
LIFARS' digital forensics service helps you gather information and evidence to pursue legal action in the wake of an attack. Our Digital Forensics Services specialize in getting to the bottom of every case with deep science and industry experience.
Threat Hunting vs. Digital Forensics – Which One Should You Use?
As you can see, these are two distinct practices that lie at opposite ends of the timeline of a potential cyber incident. Threat hunting is a proactive technique for identifying hard-to-detect emerging or active threats; done correctly, it helps you find threats sooner so that you can start remedial action before an alert would ever have fired. Digital forensics, on the other hand, forms part of your response once an incident has occurred and is crucial for establishing what happened, limiting damage, launching remedial action, and strengthening your systems for the future. The question is therefore not which one to use: both are an integral part of any organization's security operations.