Demystifying the Distinction Between Detection and Hunting

In cloud security—as in all of cyber—detection focuses on identifying malicious activities and events in real-time and generating alerts. The aim is blocking threats and attacks before they cause damage. Detection is like a security guard standing watch over a bridge to catch suspicious persons as they pass by.

In contrast, hunting involves an analyst proactively investigating historical data to uncover evidence of compromise. Think of a detective scouring the forest behind the bridge to find traces of intruders who already slipped by unseen.

Metaphors aside, critical technical and operational differences exist:

  • Detection relies on streaming live event data and analyzing known threat patterns and behaviors. Hunting leverages comprehensive historical data sets across cloud environments.
  • Detection aims to identify known malicious events and generate alerts for SOC analysts. Hunting uncovers previously undetected threats by searching for anomalous behaviors and activity clusters.
  • Detection systems operate automatically using rules and analytics. Hunting may also use automated tools, alongside tool-assisted investigation by human analysts.

Cloud Threat Hunting is about Investigation

Not all threats can be blocked or detected in real time, for many reasons. In the modern era, attackers often use multi-stage attacks that are designed specifically to evade detection.

For example, something bad may have happened, but it is unclear on the surface what the impact might be. The bad thing could be that a threat adversary somehow gained an initial level of access to a system. At that point the investigation is not about what malicious actions the attacker executed, but about how the attacker abused legitimate processes. After all, once an attacker is inside a system with some form of credentials, they are, at least from the system's perspective, using legitimate privileges that those credentials have been granted.

With that in mind, the goal of a cloud hunting investigation is to answer some important questions: What did the attackers do? What was the scope of the attack? How did they gain access in the first place?

As the attacker is already inside the system, threat prevention tools are not going to be enough, because the security team is looking at legitimate actions. That means there is a need for a different level of detail in the data than a SIEM would typically collect. It also means a very large amount of user behavior data needs to be accessible, correlated, and searchable to enable a forensic investigation.

Effective cloud hunting is about having the right data and being able to sift through it to identify Indicators of Attack (IoAs): some form of malicious activity that was missed by detection.

Why Cloud Threat Hunting Matters for Modern Enterprises

Cloud threat hunting plays several indispensable roles for today’s cloud- and SaaS-driven enterprises:

Increases visibility. Cloud hunting identifies threats missed by real-time detection controls due to evasion tactics, false negatives, or evolving attacker tradecraft.

Uncovers attacks. Proactively discovers adversaries already present in cloud environments by looking for indicators of compromise across data sources.

Improves detection. Derive and refine detection rules based on new insights uncovered during hunts.

Builds team knowledge. Teams learn by studying how attacks impact the organization and how they were remediated.

For these reasons, along with strengthening cloud security posture and overall organizational resilience, cloud threat hunting has become a mandatory capability, not a discretionary line item. Doing it effectively at cloud speed and scale takes specialized capabilities.

Requirements for Effective Cloud Hunting

Attempting threat hunting across modern multi-cloud and SaaS environments quickly exposes daunting complexity. Useful data exists across dozens of APIs, audit logs, third-party services, and custom applications. Making sense of this requires specialized capabilities, including:

  • Broad forensic data collection from all cloud data sources.
  • Scalable cloud-based data lake architecture to retain and aggregate large historical data sets in one place.
  • Data normalization and enrichment to ensure consistency across sources and add context.
  • Sophisticated query tools and analytics to uncover suspicious patterns and event correlations across terabytes of data.
  • Workflow automation and orchestration to execute complex cross-cloud hunts efficiently.

Absent these elements, hunting efforts will lack sufficient data or produce excessive noise and false positives.
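To make the detection-versus-hunting contrast above concrete, and to show the normalization and cross-source query steps from the requirements list, here is an added example (not Mitiga's code). It assumes a constructed CloudTrail-style feed and a constructed SaaS audit feed with different field names; the real-time detector matches a fixed list of known-bad actions, while the hunt baselines each principal's usual source IPs over history and flags later clusters of individually legitimate actions from a never-seen IP.

```python
from collections import defaultdict
from datetime import datetime, timezone

def ct(t, user, name, ip):  # constructed CloudTrail-style record (ISO time, ARN principal)
    return {"eventTime": t, "userIdentity": {"arn": f"arn:aws:iam::111:user/{user}"},
            "eventName": name, "sourceIPAddress": ip}

CLOUD_EVENTS = [  # constructed sample data, not real logs
    ct("2024-06-01T09:00:00Z", "dana", "ListBuckets", "10.0.0.5"),
    ct("2024-06-03T09:05:00Z", "ci-bot", "PutObject", "10.0.0.8"),
    ct("2024-06-10T02:00:00Z", "dana", "GetObject", "203.0.113.9"),
    ct("2024-06-10T02:01:00Z", "dana", "ListUsers", "203.0.113.9"),
    ct("2024-06-11T14:00:00Z", "ci-bot", "StopLogging", "10.0.0.8"),
]
SAAS_EVENTS = [  # constructed SaaS audit-style records (epoch seconds, bare usernames)
    {"ts": 1717232400, "actor": "dana", "op": "file.download", "ip": "10.0.0.5"},  # 2024-06-01T09:00Z
    {"ts": 1717984980, "actor": "dana", "op": "file.share", "ip": "203.0.113.9"},  # 2024-06-10T02:03Z
]
KNOWN_BAD = {"StopLogging", "DeleteTrail"}  # constructed rule list for the real-time detector
BASELINE_END = datetime(2024, 6, 7, tzinfo=timezone.utc)  # history before this is "normal"

def normalize(cloud, saas):
    """Map both schemas onto one record shape so one hunt query can span sources."""
    out = [{"time": datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00")),
            "principal": e["userIdentity"]["arn"].rsplit("/", 1)[-1],
            "action": e["eventName"], "ip": e["sourceIPAddress"], "source": "cloud"} for e in cloud]
    out += [{"time": datetime.fromtimestamp(e["ts"], tz=timezone.utc), "principal": e["actor"],
             "action": e["op"], "ip": e["ip"], "source": "saas"} for e in saas]
    return sorted(out, key=lambda r: r["time"])

def detect(events):
    """Detection: alert only on actions matching a known-bad pattern, event by event."""
    return [(e["principal"], e["action"]) for e in events if e["action"] in KNOWN_BAD]

def hunt(events, baseline_end=BASELINE_END, burst=3):
    """Hunt: learn each principal's usual source IPs from history, then flag later activity
    from never-seen IPs and clusters of distinct (legitimate) actions per principal/IP."""
    usual_ips = defaultdict(set)
    for e in events:
        if e["time"] < baseline_end:
            usual_ips[e["principal"]].add(e["ip"])
    findings, cluster = set(), defaultdict(set)
    for e in events:
        if e["time"] < baseline_end:
            continue
        if e["ip"] not in usual_ips[e["principal"]]:
            findings.add((e["principal"], "new_ip", e["ip"]))
        cluster[(e["principal"], e["ip"])].add(e["action"])
    for (principal, ip), actions in cluster.items():
        if len(actions) >= burst:
            findings.add((principal, "activity_cluster", ip))
    return sorted(findings)
```

Running `detect` over the normalized events fires only on the `StopLogging` call, while `hunt` surfaces dana's GetObject, ListUsers and file.share burst from a new IP, which no single-event rule would have alerted on.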

There is only so much that can be effectively blocked by prevention technologies. With comprehensive data-driven visibility, organizations can monitor effectively, hunt aggressively, and respond decisively across today’s complex cloud environments.

LAST UPDATED: June 24, 2024
