Cyber Solutions Fest: Level Threat Hunting & Intelligence

Every year at major security conferences, you can tell the trends in security because seemingly every product and service is being positioned as look at how we make things easier/cheaper/better. A few years ago, that was cyber threat intelligence (CTI). Then, it inexplicably changed to threat hunting. But practitioners know that you cant really separate threat hunting and threat intelligence any more than you can separate logs from a SIEM. Just as a SIEM is useless without log sources, threat hunting without threat intelligence suffers the same fate maximum value is not achieved for the org and practitioners are left high and dry.

Of course, threat intelligence is useful for so much more than threat hunting, from enabling organizations to understand trends in threat groups, to creating real-time detections, to helping an organizations analysts contextualize incidents and attempted attacks for stakeholders. But far too often, purchasing threat intelligence platforms and feeds doesnt provide the organization with the desired value. In part thats because the value of intelligence is hard to quantify how do you quantify the return on investment of knowing the tradecraft or indicators used by an attacker before they target your organization? This problem is further complicated by the fact that many orgs struggle to operationalize the intelligence that they buy sure the list of IOCs sounded great and you heard some use cases, but how will YOU use it?

Similar problems exist in the threat hunting space, even when fed with high quality intelligence. When threat hunting operations uncover intrusions, the value-add is obvious. But when they dont, orgs struggle to differentiate between we looked and didnt find anything and there was nothing to find. As technicians struggle to differentiate these situations in their reports, the task is much more difficult for leadership who bankroll the threat hunting budgets.