We changed our name from IT Central Station: Here's why
2020-06-22T10:43:00Z

Compromise Assessment vs Threat Hunting


Hi peers,

What is the difference between a compromise assessment and threat hunting? 

How do each contribute to Endpoint Protection?

ITCS user
Guest
55 Answers

author avatar
User

A Compromise Assessment (CA) is an active and generally scheduled engagement that is looking for malicious activity, undiscovered breaches, and threats. It generally is performed with a DIFFERENT set of security tools/services than what is being used by the team day today. Often they encompass active scanning and/or vulnerability assessments in addition to network and system analysis. The goal is to identify bad actors and initiate incident response and forensic plans. A common mistake happens when teams try to use this process to be the main component of the identification, containment, and forensics processes. In my experience, they should be considered separate to be effective.


Threat Hunting (TH) is an ongoing process that leverages current datasets and tools to look at the data in a different way. TH comes in many forms, from manual searches looking for suspicious data to leveraging outlier and anomaly detection or other machine learning/advanced analytics. Really good threat hunting teams are able to take new Tactics, Techniques, and Procedures (TTPs) or Indicators of Compromise (IOCs) and specifically look for events, files, and/or behavior that would depict potential malicious activity specific to those TTPs or IOCs. 


Generally, TH is a jump-off point to dig deeper into a dataset or system based on a good hypothesis with supporting data. If EPP was installed then it missed it. Both of these activities are looking for failures in a security process or tool. If EPP wasn't installed then the question is why and how do we get something deployed in the future (probably as part of the remediation phase of the incident response process) that would have identified or stopped the compromise/malicious activity.

2020-06-23T04:36:46Z
author avatar
User

Threat hunting typically comes before a compromise assessment.


Threat Hunting is looking for IOC’s or TTP’s being used within an environment to identify a compromise or potential compromise. Once identified you can then move to assessing the compromise.

2020-06-23T09:44:44Z
author avatar
Top 20Reseller

Compromise Assessment is reactive while Threat Hunting is proactive.

2021-12-07T19:07:02Z
author avatar
Top 5LeaderboardReseller

@Geoffrey Poer ​covers it well with his answer and the Cisco blog does too. 


Compromise Assessments should be performed frequently, weekly or at least monthly. Rather than a pen test, or at least in addition to pen tests, we recommend regular analysis of your entire environment to give you visibility of everything which includes where vulnerabilities lie. 


Endpoint protection (EPP or EDR) is one more layer to your antivirus security and is operational 24/7. EDR - endpoint detection and response, is typically finding and reporting on newer attacks that do yet have a signature in the AV as well as looking for unusual behaviour on the network and endpoint continuously. 


Threat hunting is expensive and complex too and goes a step further than EDR. Unless you are a large organisation with a specialist team it can be difficult to interpret the results of CA, EDR and TH effectively.  


Often outsourcing this whole capability is more effective and less expensive than doing it in-house and continues to work during weekends and public holidays and provides a properly structured (NIST or MITRE) approach to visibility, vulnerability scanning and remediation advice.

2021-12-06T14:48:35Z
author avatar
User

This is an excelent article dealing with it.



https://blogs.cisco.com/securi...

2020-06-22T22:47:19Z
Find out what your peers are saying about CrowdStrike, SentinelOne, Microsoft and others in Endpoint Protection for Business (EPP). Updated: January 2022.
563,327 professionals have used our research since 2012.