2020-06-22T10:43:00Z

Compromise Assessment vs Threat Hunting

Rony_Sklar

5 Answers

GP
User
2020-06-23T04:36:46Z
Jun 23, 2020

A Compromise Assessment (CA) is an active and generally scheduled engagement that is looking for malicious activity, undiscovered breaches, and threats. It generally is performed with a DIFFERENT set of security tools/services than what is being used by the team day to day. Often they encompass active scanning and/or vulnerability assessments in addition to network and system analysis. The goal is to identify bad actors and initiate incident response and forensic plans. A common mistake happens when teams try to use this process to be the main component of the identification, containment, and forensics processes. In my experience, they should be considered separate to be effective.

Threat Hunting (TH) is an ongoing process that leverages current datasets and tools to look at the data in a different way. TH comes in many forms, from manual searches looking for suspicious data to leveraging outlier and anomaly detection or other machine learning/advanced analytics. Really good threat hunting teams are able to take new Tactics, Techniques, and Procedures (TTPs) or Indicators of Compromise (IOCs) and specifically look for events, files, and/or behavior that would depict potential malicious activity specific to those TTPs or IOCs.

Generally, TH is a jump-off point to dig deeper into a dataset or system based on a good hypothesis with supporting data. If EPP was installed, then it missed it. Both of these activities are looking for failures in a security process or tool. If EPP wasn't installed, then the question is why and how do we get something deployed in the future (probably as part of the remediation phase of the incident response process) that would have identified or stopped the compromise/malicious activity.
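Added example (not from this thread or any of its commenters): a small hypothesis-driven hunt of the kind the answer above describes, run over endpoint telemetry an EDR or SIEM would already hold. It combines an IOC match, a TTP-style behavioural rule and a rarity outlier check; the events, hashes, domains and command lines are constructed placeholders.

```python
from collections import Counter

# Constructed endpoint process events, standing in for data the team
# already collects. Hashes and domains are placeholders, not real indicators.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "outlook.exe", "cmd": "outlook.exe", "sha256": "h-outlook", "dst": "-"},
    {"host": "ws01", "parent": "explorer.exe", "image": "chrome.exe", "cmd": "chrome.exe", "sha256": "h-chrome", "dst": "www.example.com"},
    {"host": "ws02", "parent": "explorer.exe", "image": "chrome.exe", "cmd": "chrome.exe", "sha256": "h-chrome", "dst": "www.example.com"},
    {"host": "ws02", "parent": "outlook.exe", "image": "winword.exe", "cmd": "winword.exe /n", "sha256": "h-word", "dst": "-"},
    {"host": "ws02", "parent": "winword.exe", "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc PLACEHOLDER", "sha256": "h-ps", "dst": "-"},
    {"host": "ws03", "parent": "explorer.exe", "image": "outlook.exe", "cmd": "outlook.exe", "sha256": "h-outlook", "dst": "-"},
    {"host": "ws03", "parent": "svchost.exe", "image": "updater.exe", "cmd": "updater.exe", "sha256": "bad-hash-0001", "dst": "c2.example.test"},
]

# Known IOCs taken from a (constructed) threat report.
IOC_HASHES = {"bad-hash-0001"}
IOC_DOMAINS = {"c2.example.test"}


def hunt_iocs(events):
    """IOC hunt: events whose file hash or destination matches a known indicator."""
    return [e for e in events if e["sha256"] in IOC_HASHES or e["dst"] in IOC_DOMAINS]


def hunt_encoded_powershell(events):
    """TTP hunt: PowerShell started with an encoded command line (a behaviour, not a hash)."""
    return [e for e in events
            if e["image"] == "powershell.exe" and "-enc" in e["cmd"].lower()]


def hunt_rare_parent_child(events, max_count=1):
    """Outlier hunt: parent->child process pairs seen at most max_count times in the dataset."""
    pairs = Counter((e["parent"], e["image"]) for e in events)
    return [e for e in events if pairs[(e["parent"], e["image"])] <= max_count]


def run_hunt(events):
    """Run every hunt and return leads by name; leads are starting points for triage, not verdicts."""
    return {
        "ioc": hunt_iocs(events),
        "ttp_encoded_powershell": hunt_encoded_powershell(events),
        "rare_parent_child": hunt_rare_parent_child(events),
    }


if __name__ == "__main__":
    for name, leads in run_hunt(EVENTS).items():
        print(name, [(e["host"], e["parent"], e["image"]) for e in leads])
```

The rarity hunt also flags the benign outlook.exe to winword.exe pair, which is the point: each hunt yields leads to dig into, and the analyst's hypothesis decides which ones become an incident.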

Nikki Webb
Consultant
2020-06-23T09:44:44Z
Jun 23, 2020

Threat hunting typically comes before a compromise assessment.

Threat Hunting is looking for IOCs or TTPs being used within an environment to identify a compromise or potential compromise. Once identified, you can then move to assessing the compromise.

SG
Reseller
2021-12-07T19:07:02Z
Dec 7, 2021

Compromise Assessment is reactive while Threat Hunting is proactive.

SimonClark
Real User
2021-12-06T14:48:35Z
Dec 6, 2021

@Geoffrey Poer covers it well with his answer and the Cisco blog does too.

Compromise Assessments should be performed frequently, weekly or at least monthly. Rather than a pen test, or at least in addition to pen tests, we recommend regular analysis of your entire environment to give you visibility of everything, which includes where vulnerabilities lie.

Endpoint protection (EPP or EDR) is one more layer to your antivirus security and is operational 24/7. EDR, endpoint detection and response, is typically finding and reporting on newer attacks that do not yet have a signature in the AV, as well as looking for unusual behaviour on the network and endpoint continuously.

Threat hunting is expensive and complex too and goes a step further than EDR. Unless you are a large organisation with a specialist team, it can be difficult to interpret the results of CA, EDR and TH effectively.

Often outsourcing this whole capability is more effective and less expensive than doing it in-house; it continues to work during weekends and public holidays and provides a properly structured (NIST or MITRE) approach to visibility, vulnerability scanning and remediation advice.

JB
User
2020-06-22T22:47:19Z
Jun 22, 2020

This is an excellent article dealing with it.

https://blogs.cisco.com/securi...
