A Compromise Assessment (CA) is an active and generally scheduled engagement that is looking for malicious activity, undiscovered breaches, and threats. It generally is performed with a DIFFERENT set of security tools/services than what is being used by the team day to day. Often they encompass active scanning and/or vulnerability assessments in addition to network and system analysis. The goal is to identify bad actors and initiate incident response and forensic plans. A common mistake happens when teams try to use this process to be the main component of the identification, containment, and forensics processes. In my experience, they should be considered separate to be effective.
Threat Hunting (TH) is an ongoing process that leverages current datasets and tools to look at the data in a different way. TH comes in many forms, from manual searches looking for suspicious data to leveraging outlier and anomaly detection or other machine learning/advanced analytics. Really good threat hunting teams are able to take new Tactics, Techniques, and Procedures (TTPs) or Indicators of Compromise (IOCs) and specifically look for events, files, and/or behavior that would depict potential malicious activity specific to those TTPs or IOCs.
Generally, TH is a jump-off point to dig deeper into a dataset or system based on a good hypothesis with supporting data. If EPP was installed then it missed it. Both of these activities are looking for failures in a security process or tool. If EPP wasn't installed then the question is why and how do we get something deployed in the future (probably as part of the remediation phase of the incident response process) that would have identified or stopped the compromise/malicious activity.
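As an added illustration (not part of the answer above), here is a small hypothesis-driven hunt over constructed endpoint process events. It combines the two forms of hunting the answer describes: matching freshly published IOCs (hashes, domains) and flagging TTP-style behaviour via outlier detection on parent/child process pairs, which an IOC list alone would miss. All event data, IOC values and thresholds are constructed for the example.

```python
from collections import Counter

# Constructed sample telemetry: (host, parent process, child process, sha256, dest domain)
EVENTS = [
    ("ws01", "explorer.exe", "chrome.exe", "aaa1", "example.com"),
    ("ws01", "explorer.exe", "chrome.exe", "aaa1", "example.com"),
    ("ws02", "explorer.exe", "outlook.exe", "bbb2", "mail.example.com"),
    ("ws02", "outlook.exe", "winword.exe", "ccc3", ""),
    ("ws03", "explorer.exe", "chrome.exe", "aaa1", "example.com"),
    ("ws03", "winword.exe", "powershell.exe", "ddd4", "bad.example.net"),  # constructed suspicious event
    ("ws04", "explorer.exe", "outlook.exe", "bbb2", "mail.example.com"),
]

# Constructed IOC list: the hunt is re-run whenever new IOCs are published
IOC_HASHES = {"ddd4"}
IOC_DOMAINS = {"bad.example.net"}

# Hypothesis: a parent/child pair seen at most RARE_THRESHOLD times across the
# fleet is an outlier worth a closer look (e.g. an Office app spawning a shell).
RARE_THRESHOLD = 1


def hunt_iocs(events):
    """Return events whose file hash or destination domain matches a known IOC."""
    return [e for e in events if e[3] in IOC_HASHES or e[4] in IOC_DOMAINS]


def hunt_outlier_pairs(events, threshold=RARE_THRESHOLD):
    """Return (parent, child, count) pairs seen no more than `threshold` times."""
    counts = Counter((e[1], e[2]) for e in events)
    return sorted((p, c, n) for (p, c), n in counts.items() if n <= threshold)


def hunt(events):
    """Run both hunts and return the hosts to hand to incident response for triage.
    On a small fleet the outlier hunt also surfaces benign rarities (here
    outlook.exe -> winword.exe), which is why TH is a jump-off point, not a verdict."""
    hosts = {e[0] for e in hunt_iocs(events)}
    rare = {(p, c) for p, c, _ in hunt_outlier_pairs(events)}
    hosts |= {e[0] for e in events if (e[1], e[2]) in rare}
    return sorted(hosts)


if __name__ == "__main__":
    print("IOC hits:", hunt_iocs(EVENTS))
    print("Rare parent/child pairs:", hunt_outlier_pairs(EVENTS))
    print("Hosts for IR triage:", hunt(EVENTS))
```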
Threat hunting typically comes before a compromise assessment.
Threat Hunting is looking for IOCs or TTPs being used within an environment to identify a compromise or potential compromise. Once identified you can then move to assessing the compromise.
@Geoffrey Poer covers it well with his answer and the Cisco blog does too.
Compromise Assessments should be performed frequently, weekly or at least monthly. Rather than a pen test, or at least in addition to pen tests, we recommend regular analysis of your entire environment to give you visibility of everything which includes where vulnerabilities lie.
Endpoint protection (EPP or EDR) is one more layer to your antivirus security and is operational 24/7. EDR (endpoint detection and response) is typically finding and reporting on newer attacks that do not yet have a signature in the AV, as well as looking for unusual behaviour on the network and endpoint continuously.
Threat hunting is expensive and complex too and goes a step further than EDR. Unless you are a large organisation with a specialist team it can be difficult to interpret the results of CA, EDR and TH effectively.
Often outsourcing this whole capability is more effective and less expensive than doing it in-house and continues to work during weekends and public holidays and provides a properly structured (NIST or MITRE) approach to visibility, vulnerability scanning and remediation advice.
Compromise Assessment is reactive while Threat Hunting is proactive.
This is an excellent article dealing with it.
https://blogs.cisco.com/securi...