Claire Allen-Addy | Head of Product Marketing
January 13, 2025

Threat Hunting vs Threat Modeling

Cybersecurity is full of terms, phrases and acronyms, some of which are similar or sound alike, which can make it confusing when deciding which techniques or tools deserve your time and budget. This blog looks at threat hunting as a technique, what it is used for, and when the situation calls for threat modeling rather than threat hunting.

What is threat hunting?

Our partners and companions over at IBM have a description of threat hunting that we think fits the bill perfectly: "Threat hunting, also known as cyberthreat hunting, is a proactive approach to identifying previously unknown, or ongoing non-remediated threats, within an organization's network. Although automated security tools and analysts should be able to deal with roughly 80% of threats, you still need to worry about the remaining 20%."

Threat hunting differs from reactive techniques in that it is a proactive method: analysts actively search for indicators of compromise (IoCs) as well as the tactics, techniques and procedures (TTPs) that hackers and cyber attackers could employ. Attackers can remain undetected for weeks or even months, all the while gradually stealing your private data and information. Threat hunting is effective at catching threats that are able to bypass other detection methods.

Tools to augment threat hunting 

Threat hunting uses threat intelligence, along with many other data points, to search for these potential threats within a system, network or application. Tools can be used to support threat hunting, or experts can do it manually to identify suspicious activity. Tools naturally expedite this work and also increase the breadth of threat hunting that can be carried out. Several tools or types of software fall under the threat hunting umbrella; here are three common ones:

  1. Endpoint Detection and Response (EDR)
     "EDR is an integrated, layered approach to endpoint protection that combines real-time continuous monitoring and endpoint data analytics with rule-based automated response." - Check Point
  2. Managed Detection and Response (MDR)
     "MDR is a cybersecurity service that combines technology with human expertise to rapidly identify and limit the impact of threats by performing threat hunting, monitoring, and response. The main benefit of MDR is that it quickly helps in limiting the impact of threats without the need for additional staffing, which can be costly." - CrowdStrike
  3. Security Information and Event Management (SIEM)
     "SIEM is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations." - Microsoft

What is threat modeling? 

We could provide our own definition of threat modeling, but we like this one from the National Cyber Security Centre: "Threat modelling is a term applied to the techniques that are used to model and analyse technology systems and services to better understand how that system or service might be attacked or otherwise fail, and the measures or controls needed to manage the risk posed by such attacks or failings. Threat modelling techniques are best applied to inform the design and development phases of a technology system or service life cycle."

Threat modeling helps by doubling down on security and identifying new or additional ways to secure your architecture, making it much less likely that an attacker can access your systems. This goes back to the principle of making your applications and products secure by design; threat modeling is one technique that enables this approach.

What are some key differences between the two?

Typically, threat modeling is done in the design phase (though it is worth noting it can provide benefits at multiple stages of the SDLC - find out more in this blog), whereas threat hunting is usually done later on as a post-deployment activity, or even in real time to surface current threats.

Threat modeling is a proactive approach that aims to increase the security of whatever you are working on, building or iterating, by identifying threats and providing ways to mitigate them. It is also considered strategic, whereas threat hunting is a tactical technique that responds to live activity or conducts 'after-the-fact' investigations to uncover threats or attacks.

Conclusion  

Both techniques complement each other well. Implementing both provides multiple benefits, rather than choosing one over the other. Most organizations already have some form of threat hunting tooling in place, such as MDR, which can be used alongside other data points to uncover threats or, for example, for post-incident evaluations. Think of threat modeling as the compass for your strategic journey, while threat hunting checks the ground you have already covered.

Sources 

  1. https://www.ibm.com/topics/threat-hunting#:~:text=Threat%20hunting%2C%20also%20known%20as,threats%2C%20within%20an%20organization's%20network 
  2. https://www.splunk.com/en_us/resources/sans-2024-threat-hunting-survey.html 
  3. https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-endpoint-detection-and-response/#:~:text=Endpoint%20Detection%20and%20Response%20(EDR)%20is%20an%20integrated%2C%20layered,Free%20Trial%20Schedule%20a%20Demo 
  4. https://www.crowdstrike.com/en-us/cybersecurity-101/managed-security/managed-detection-and-response-mdr/ 
  5. https://www.microsoft.com/en-gb/security/business/security-101/what-is-siem#:~:text=Security%20information%20and%20event%20management%2C%20SIEM%20for%20short%2C%20is%20a,before%20they%20harm%20business%20operations
  6. https://www.ncsc.gov.uk/collection/risk-management/threat-modelling