Table 1 Compromise assessment versus threat hunting across goal, scope, cadence, analytic basis, data reviewed, program placement, and outcomes. Abbreviations: CA, compromise assessment; TH, threat hunting; TTPs, tactics-techniques-procedures; SOC, security operations center.
From: Proactive identification of cybersecurity compromises via the PROID compromise assessment framework
| Attribute | Compromise Assessment | Threat Hunting |
|---|---|---|
| Goal | Determine if any threats are or have been present in the environment | Identify if a specific threat is active or has been active in the environment |
| Scope | Generally broad, covering a wide range of endpoints, data and TTPs | Narrower, focused on specific TTPs related to the threat being hunted |
| Recurrence | Periodic | Continuous or ad hoc |
| Basis | Evidence-based | Hypothesis-driven |
| Data Analysis | Extensive review of forensic artifacts from endpoints, domain-wide activities, user activities, network traffic information, and application logs to detect any signs of malicious activity or irregularities | Targeted analysis of data based on the hypothesis being tested |
| Position in Cybersecurity Program | Integral to risk management | (1) Part of proactive monitoring within the SOC; (2) part of the CA; (3) part of incident response |
| Outcome | A comprehensive report detailing any findings, implications, and recommendations for security improvements | Summarized report upon the identification of findings |