Detection Engineering and Threat Hunting: 🤝🏼
Recently, I wrote about Threat Hunting and what it entails for a practitioner.
Many times, Detection Engineering and Threat Hunting blend together and get talked about interchangeably.
Although there are a lot of similarities, in this post we’ll go over the key differences, the strengths of each, and how they fit together.
Detection Engineering
Unlike a lot of domains within the field, detection engineering has actually been around for a long time, for example in the form of Intrusion Detection Systems (IDS). What once meant analyzing network traffic to write signatures has evolved significantly, and detection engineering concepts have matured with time.
Besides automated detections for atomic indicators (IP addresses, domains), modern detection engineering incorporates indicators based on threat actors’ behaviors and tools, known as Tactics, Techniques, and Procedures (TTPs). A detection goes through multiple phases before it finally becomes a signal of malicious activity, i.e. a rule that fires an alert.
The detection engineering process also differs from threat hunting. Let’s discuss some of the activities that make up that process.
Managing False Positives: One of the most challenging and time-consuming aspects of the job.
Continuous analysis and tuning: Regularly reviewing and adjusting existing rules based on how they perform.
Testing and development: As in software development, detection rules are tested before they are deployed.
CI/CD pipelines: Many teams are moving to this approach so that rules are tested and deployed in a streamlined, repeatable way.
These aspects can be the biggest undertakings, but they are also the most enjoyable challenges.
Threat Hunting
While Detection Engineering focuses on identifying and responding to known threats or behaviors, Threat Hunting is a proactive process aimed at uncovering hidden, unknown threats that have not been caught by your existing security measures.
Threat Hunters actively look for anomalies that could signal a security threat, independently of the alerts already configured. This requires a deep understanding of the organization's network, systems, and normal user behavior, so that deviations that might indicate a breach stand out.
Aside from uncovering an incident, Threat Hunting can surface policy violations or bad practices, which is also worth the time investment.
Threat hunting takes a different approach when it comes to querying and analyzing the data:
Approach to data analysis: broader queries are often used that tolerate more noise in initial results.
Focus on anomalies: Emphasis is placed on identifying deviations from normal behavior.
Flexibility: Hunting allows for more creative and ad-hoc approaches to threat discovery.
Since threat hunting aims to identify threats that might have evaded detections, it requires an understanding of what the current detections cover, along with a baseline of what normal looks like in the environment.
Depending on the initial hypothesis, the focus can be on techniques that are not covered by current detections, or on techniques that are hard to detect due to high false-positive rates.
One example is searching for and analyzing the least commonly used applications in the environment during the past month (least-frequency analysis, often called stack counting).
That was just one example; here is a good article from CyborgSecurity that goes over many other examples in an approachable way.
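Here is what that hunt looks like as a query over process-creation telemetry. This is an added example, not code from the original post: the events are constructed sample data with assumed field names (`ts`, `host`, `user`, `image`), the 30-day window is anchored to a fixed date so the output is deterministic, and the user-writable path prefixes are an assumed triage heuristic. The `max_hosts` knob is the broad-then-narrow approach described above: start wide and tolerate noise, then tighten.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed process-start telemetry (sample data, not from a real environment).
# In practice these rows come from EDR or SIEM process-creation events.
def ev(ts, host, user, image):
    return {"ts": ts, "host": host, "user": user, "image": image}

SAMPLE_EVENTS = [
    ev("2024-09-02T08:01:00", "ws-01", "alice", r"C:\Windows\System32\svchost.exe"),
    ev("2024-09-02T08:01:05", "ws-02", "bob",   r"C:\Windows\System32\svchost.exe"),
    ev("2024-09-03T09:15:00", "ws-03", "carol", r"C:\Windows\System32\svchost.exe"),
    ev("2024-09-03T09:20:00", "ws-01", "alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ev("2024-09-04T10:00:00", "ws-02", "bob",   r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ev("2024-09-05T11:30:00", "ws-03", "carol", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ev("2024-09-10T14:22:00", "ws-02", "bob",   r"C:\Users\bob\AppData\Local\Temp\setup_helper.exe"),
    ev("2024-09-18T02:47:00", "ws-03", "carol", r"C:\Users\Public\Libraries\wupd.exe"),
    ev("2024-09-18T02:48:00", "ws-03", "carol", r"C:\Users\Public\Libraries\wupd.exe"),
    ev("2024-08-20T12:00:00", "ws-01", "alice", r"C:\Tools\old_tool.exe"),  # older than the hunt window
]

NOW = datetime(2024, 9, 30)              # fixed "now" so the example is deterministic
WINDOW_START = NOW - timedelta(days=30)  # "during the past month"


def stack_count(events, field="image", since=None):
    """Stack counting: for each value of `field`, the distinct hosts it ran on and how often."""
    hosts = defaultdict(set)
    counts = Counter()
    for e in events:
        if since is not None and datetime.fromisoformat(e["ts"]) < since:
            continue
        hosts[e[field]].add(e["host"])
        counts[e[field]] += 1
    return hosts, counts


def rare_values(events, field="image", max_hosts=1, since=None):
    """Least-frequency analysis: values seen on at most `max_hosts` distinct hosts, rarest first.
    Raise `max_hosts` for a broader, noisier first pass; lower it to narrow the result set."""
    hosts, counts = stack_count(events, field, since)
    rows = [(v, counts[v], sorted(hosts[v])) for v in hosts if len(hosts[v]) <= max_hosts]
    return sorted(rows, key=lambda r: (r[1], r[0]))


# Assumed triage heuristic: binaries living in user-writable directories deserve a closer look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


if __name__ == "__main__":
    for image, n, hosts in rare_values(SAMPLE_EVENTS, since=WINDOW_START):
        flag = "CHECK" if user_writable(image) else "     "
        print(f"{flag} {n:>3} run(s) on {','.join(hosts):<8} {image}")
```

Run as-is, the two binaries that only ever ran on a single host inside the window surface, both flagged because they sit under `C:\Users`; the widely used system and browser binaries drop out, and the August event is excluded by the time window. The output is a starting point for analyst triage, not an alert.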
Detection Engineering and Threat Hunting: 🤝🏼
While Detection Engineering and Threat Hunting are distinct disciplines, they share common ground.
Both fields require a deep understanding of the cyber threat landscape, strong analytical skills, and proficiency in various security technologies and tools.
There could be different areas of focus, for example NDR (Network Detection & Response), EDR (Endpoint Detection & Response), SIEM (Security information and event management) detection content, and so forth.
In the end, both require a deep understanding of a tool and how to leverage it to prove or disprove that something bad has happened.
(Bit of an oversimplification, but you get the point)
Detection Engineering is typically a more planned and repeatable process, while Threat Hunting is usually more ad hoc.
Working In Tandem
Detection engineering provides a baseline of security, allowing threat hunters to focus on more subtle or complex threats.
Threat hunting findings can inform and improve detection engineering efforts, leading to better rules and alerts.
Both practices contribute to a comprehensive understanding of an organization's security landscape.
Eventually, a successful Threat Hunt can result in a new Detection itself.
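To make the hand-off concrete, here is what happens when a hunt finding becomes a detection, and how the testing, false-positive tuning and CI/CD steps from the Detection Engineering section apply to it. This is an added example and not code from the original post or any product: the hunt finding (executables launched from user-writable directories) is assumed, the event fields are assumed, and the allowlisted `CorpUpdater` path is a hypothetical sanctioned updater standing in for whatever benign software generated false positives during tuning.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed process-creation events (sample data, not real telemetry); field names are assumptions.
def ev(image, parent, user="alice", host="ws-01"):
    return {"image": image, "parent": parent, "user": user, "host": host}

# The hunt finding turned into a detection: execution from a user-writable directory.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def exec_from_user_writable(event):
    return event["image"].lower().startswith(USER_WRITABLE)


@dataclass
class Rule:
    name: str
    severity: str
    match: Callable[[dict], bool]
    # Glob patterns for known-benign cases; this list is where false-positive tuning lives,
    # so every addition should come with a test case proving it suppresses only that case.
    allow: list = field(default_factory=list)

    def evaluate(self, event) -> Optional[dict]:
        """Return an alert dict if the event matches and is not allowlisted, else None."""
        if not self.match(event):
            return None
        image = event["image"].lower()
        if any(fnmatch.fnmatchcase(image, pattern.lower()) for pattern in self.allow):
            return None
        return {"rule": self.name, "severity": self.severity,
                "host": event["host"], "user": event["user"], "image": event["image"]}


RULE = Rule(
    name="Execution from user-writable directory",
    severity="medium",
    match=exec_from_user_writable,
    # Hypothetical sanctioned updater that fired during tuning and was allowlisted.
    allow=[r"C:\Users\*\AppData\Local\CorpUpdater\updater.exe"],
)


def run_rule(rule, events):
    """Evaluate a rule over a batch of events and return the alerts it produces."""
    return [alert for alert in (rule.evaluate(e) for e in events) if alert is not None]


# Test cases a CI job runs before the rule ships: (description, event, should_alert).
TEST_CASES = [
    ("drop in Public folder",   ev(r"C:\Users\Public\Libraries\wupd.exe", "explorer.exe", "carol", "ws-03"), True),
    ("executable in Temp",      ev(r"C:\Users\bob\AppData\Local\Temp\setup_helper.exe", "explorer.exe", "bob", "ws-02"), True),
    ("ProgramData drop",        ev(r"C:\ProgramData\svc\agent.exe", "services.exe"), True),
    ("system binary",           ev(r"C:\Windows\System32\svchost.exe", "services.exe"), False),
    ("allowlisted updater",     ev(r"C:\Users\alice\AppData\Local\CorpUpdater\updater.exe", "explorer.exe"), False),
    ("other user, same updater", ev(r"C:\Users\bob\AppData\Local\CorpUpdater\updater.exe", "explorer.exe", "bob"), False),
]


def run_rule_tests(rule=RULE, cases=TEST_CASES):
    """Return (passed, failed) case names; a pipeline fails the build if `failed` is non-empty."""
    passed, failed = [], []
    for desc, event, should_alert in cases:
        fired = rule.evaluate(event) is not None
        (passed if fired == should_alert else failed).append(desc)
    return passed, failed


if __name__ == "__main__":
    passed, failed = run_rule_tests()
    print(f"{len(passed)} passed, {len(failed)} failed: {failed}")
    for alert in run_rule(RULE, [case[1] for case in TEST_CASES]):
        print(alert)
```

The point of the test table is that tuning is not free-form: when the allowlist grows to suppress a false positive, a case is added so the suppression is pinned down to that exact path pattern (including the `*` over the user name), and the true-positive cases guarantee the tuning did not quietly blind the rule. That is what the CI/CD pipeline gates on before the rule reaches the SIEM or EDR.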
A post that also talks about this topic in detail is Threat Hunting and Detection Engineering.
That post also includes a flow chart showing how the two go hand in hand to build a robust security posture.
What I Read This Week
CISA’s Advisory on Iran-based actors enabling Ransomware on US companies
First they infiltrate, then they broker the access
YubiKeys can be cloned due to a newly discovered side channel.
(Remember, a well-funded attacker still needs physical access to the YubiKey.)
Wrapping Up
In the end, both Detection Engineering and Threat Hunting are very important aspects of a company's Cybersecurity program. Let’s remember that it’s not Detection Engineering vs Threat Hunting, but how you can implement the best of both practices.
By understanding the nuances of each, we can better appreciate how they work together to create a comprehensive defense against threats.
I hope this helps you understand these two important domains within Cybersecurity.