The Undeniable Connection between Detection Engineering and Threat Hunting

Written by Jasmine Tatter

Detection engineering and threat hunting rely on each other.

There are two ways to look for cyberthreats—detection engineering and threat hunting. One of the best ways to protect your organization against cyberattacks is to be aware of the threats before they have a chance to strike and do damage.

It’s becoming more common for companies to take a proactive approach to cybersecurity by looking for potential cyberthreats so they can protect against attacks before they happen. Let’s take a look at what these concepts are, how they differ from each other, and how they can help your organization.

Detection Engineering and Threat Hunting—What They Are and How They Differ

Detection engineering and threat hunting are both ways of looking for potential threats before a cyberattack happens. The difference between the two is evident in their definitions, which are as follows:

  • Detection engineering – Designing and developing new threat detection tools and techniques, and augmenting existing ones, to identify known threats before they become an issue.
  • Threat hunting – Using existing security tools and infrastructure to seek out unknown threats that are new or have otherwise escaped detection.

Let’s dig into each of these in more detail.

Detection Engineering

Detection engineering has been around in some form since the 1980s, when the first intrusion detection systems (IDS) appeared. Since then, the technology has advanced to include automation and to incorporate indicators based on the tools and behavior of cybercriminals.

The detection engineer focuses on known threats. They tune existing threat detection systems and processes, such as Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and Network Detection and Response (NDR), wherever possible so that those threats are reliably detected. To accomplish this, detection engineers:

  • Collect and analyze data
  • Update threat detection rules and models and create new ones to aid automated threat detection
  • Apply behavior analytics and heuristics that allow them to recognize patterns over time
  • Validate and continuously improve the rules and models for threat detection
  • Create a cohesive threat detection infrastructure through the integration of a variety of tools and technologies

The result is a set of cybersecurity tools that are honed to identify patterns and behaviors that are known to represent a cyberthreat. Detection engineering also provides the following benefits:

  • Ensures a proactive defense approach to cybersecurity
  • Minimizes the occurrence of false positives
  • Reduces incident response time
  • Increases the ability to keep up with the evolving threat landscape
  • Improves the ability to maintain regulatory and legal compliance
  • Preserves trust and company reputation

The primary goal of detection engineering is to safeguard the network endpoints, which are the entryways into the network that can be exploited by a threat actor. These include points such as applications, email, and browsers.

Threat Hunting

Threat hunting is the act of looking for previously unidentified threats by:

  • Demonstrating a high level of curiosity and the desire to become a detective
  • Developing in-depth knowledge of the threat landscape
  • Learning the tactics, techniques, and procedures (TTPs) that attackers use

The goal here is to learn as much as possible about the threat landscape and identify cybercriminals as early as possible, before they can launch an attack and gain access to systems and sensitive data.

Threat hunting also locates and identifies an attacker that has already managed to slip past an organization’s defenses and is present in the network or system. This attacker poses an advanced persistent threat that can go undetected for weeks or months.

Threat hunters use a variety of methods to detect threat actors, including:

  • Hypothesis-driven investigation – When a new threat has been identified, crowd-sourced information about it is used to form a hypothesis about the attacker’s behavior. The hunter then tests that hypothesis by searching the organization’s network and systems for the behaviors identified.
  • Known Indicators of Compromise (IOC) – Also referred to as Indicators of Attack (IOA), this is the use of tactical threat intelligence to match known IOCs associated with new threats. Threat hunters leverage this intelligence to detect hidden or ongoing attacks on their own network.
  • Machine learning and advanced analytics – This uses robust data analysis and machine learning (ML) to detect anomalies that could point to malicious activity, which can then be investigated.

The Connection between Detection Engineering and Threat Hunting


Detection engineering and threat hunting don’t exist in isolation. Instead, they are interconnected practices that support each other, helping an organization proactively defend itself against cyberthreats and greatly reduce its risk of falling victim to a cyberattack.

The two practices rely on each other. Findings from threat hunting inform the development of new detection engineering tools and techniques. Likewise, threat hunters need a deep understanding of how the detection tools and techniques are built so they can find the threats that have managed to slip past them.
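The loop described above, as an added example in Python (not code from the article or from Platinum Technologies): a hypothesis-driven hunt of the kind listed under Threat Hunting produces leads, a detection engineer codifies one lead as a rule, and the rule is validated against labelled telemetry as the detection engineering tasks above require. The process-creation events, their field names and the analyst verdict labels are all constructed for this illustration.

```python
from collections import Counter
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation events (hypothetical field names) of the kind an
# EDR forwards to a SIEM. "verdict" is the analyst's triage label; the rule never reads it.
EVENTS: List[Event] = [
    {"host": "ws01", "parent": "explorer.exe", "child": "outlook.exe", "verdict": "ok"},
    {"host": "ws01", "parent": "outlook.exe", "child": "winword.exe", "verdict": "ok"},
    {"host": "ws01", "parent": "winword.exe", "child": "powershell.exe", "verdict": "bad"},
    {"host": "ws02", "parent": "explorer.exe", "child": "chrome.exe", "verdict": "ok"},
    {"host": "ws02", "parent": "explorer.exe", "child": "powershell.exe", "verdict": "ok"},
    {"host": "ws03", "parent": "excel.exe", "child": "cmd.exe", "verdict": "bad"},
    {"host": "ws04", "parent": "explorer.exe", "child": "outlook.exe", "verdict": "ok"},
    {"host": "ws05", "parent": "winword.exe", "child": "wscript.exe", "verdict": "bad"},
]

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def hunt_rare_office_children(events: List[Event], max_count: int = 1) -> List[Tuple[str, str]]:
    """Hypothesis-driven hunt ('Office apps rarely spawn other programs'):
    return the rare Office-parented parent->child pairs seen fleet-wide.
    These are leads for an analyst to triage, not alerts."""
    pairs = Counter((e["parent"], e["child"]) for e in events)
    return sorted(p for p, n in pairs.items() if p[0] in OFFICE and n <= max_count)


def office_spawns_shell(event: Event) -> bool:
    """Detection rule codified from the triaged hunt leads: an Office application
    starting a command shell. This is what the detection engineer ships as an alert."""
    return event["parent"] in OFFICE and event["child"] in SHELLS


def validate_rule(rule: Callable[[Event], bool], events: List[Event]) -> Dict[str, int]:
    """Replay labelled events through the rule and count true positives, false
    positives and false negatives before it goes live. A non-zero 'fn' (here
    winword.exe -> wscript.exe) becomes the next hunt hypothesis to feed back."""
    tally = {"tp": 0, "fp": 0, "fn": 0}
    for e in events:
        hit, bad = rule(e), e["verdict"] == "bad"
        if hit and bad:
            tally["tp"] += 1
        elif hit:
            tally["fp"] += 1
        elif bad:
            tally["fn"] += 1
    return tally
```

The hunt deliberately returns benign leads too (outlook.exe starting winword.exe); triage, not the hunt, decides which lead is worth a rule, and the false negative left by the rule is exactly the kind of finding that goes back to the hunters.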

At Platinum Technologies, we offer a full security assessment and security consulting services. We will help you develop your detection engineering methodology and enhance your threat hunting capabilities to better protect your organization from cyberthreats.
