As all businesses are moving toward digitization in almost every business process, it’s essential to have a cybersecurity infrastructure in place. Rising digitization gives rise to cybersecurity crimes. It is estimated that cybercrime damages will cost $6 trillion annually for this year. It is essential to understand the different cybersecurity tactics available to ensure your company data and security systems are protected to avoid cybercrime damages for your company.
In past blogs, we have described what a penetration test is and why it’s essential to include this in your risk-based management strategy. Once a penetration test has been conducted and technical findings from the report are addressed, many of our clients seek additional services to stay on top of their security intelligence.
A common question clients ask us is: when it comes down to it – compromise assessment vs threat hunting – what is the better tactic? The answer lies in understanding the difference.
What is the difference between a compromise assessment and a threat hunt?
A compromise assessment is an objective survey of a network and its devices to discover unknown security breaches, malware, and signs of unauthorized access. More specifically, the assessment seeks to find attackers currently in the environment or who have been active in the recent past.
A compromise assessment aims to find evidence of potential threats by identifying indicators of compromise (IoC) and backing them up with hard data. For example, network applications might be using more bandwidth than normal to send and receive traffic and maybe sending it to an obfuscated, insecure server. Mobile and web applications may be running key loggers or credential-stealing malware intended to compromise networks from within.
A company comes to Packetlabs asking for a compromise assessment when they think their cyberinfrastructure has been compromised. Our ethical hackers check for bread crumbs that attackers leave behind after a potential breach. If you believe that someone has been in your network who shouldn’t be, it’s time to look into getting a compromise assessment done for your company.
Threat hunting is usually a phase 2 activity to be executed after a penetration test. While penetration tests could be conducted for compliance, threat hunting is a supplement activity that provides that added safeguarding component to give your company peace of mind. By applying threat hunting to your risk-based management strategy, you are finding possible threats that could lead to a breach. A threat hunt can include anything from checking the dark web to discovering whether specific bad actors are targeting your industry to identifying odd network behaviour that security controls do not alert on. This cybersecurity business intelligence helps proactively understand threats and implement procedures and protocols to ensure those threats are mitigated.
Threat hunting and compromise assessments are terms that are not quite in the news but are popular methods. They are sometimes used interchangeably, but they differ in scope and depth.
Let’s look at more differences.
Compromise assessment vs threat hunting factors
- A compromise assessment is a technical review of the organization’s security controls conducted when a company feels that there may be a possible breach or malicious activity conducted in their network. Threat hunting is a proactive hypothesis-driven process that organizations can employ that relies on the manual interaction with the data and looks for the unknown to discover threat actors. It is also an ongoing process and has a defensive approach.
- Threat hunting often comes before a compromise assessment. Threat hunting allows cybersecurity teams to detect threats before these become incidents. During compromise assessments, various tools are installed across a network, looking across the board for anything that might have been gotten through the defences put in place by the organization. In contrast, threat hunting begins with a very particular idea or scenario and focuses on that scope. After a compromise assessment, reports show known indicators of compromise and recommendations are made on what should be the proper action, highlighting the risk associated with a compromise. It prompts the start of incident response and forensic plan.
Disruption of services or unavailability of applications, or loss of application data can debilitate an organization’s financial consequences. When determining compromise assessment vs threat hunting, it comes down to what your objective is. If it’s to eliminate unknown breaches, then you’ll want a compromise assessment or if it’s to detect anomalies, then consider threat hunting.
If you have more questions about compromise assessments or threat hunting, contact us today!