Pentesting vs. threat hunting: What’s the difference?
Traditional cybersecurity practices relied on the age-old maxim, an ounce of prevention is better than a pound of cure. But here’s the biggest truth about modern cybersecurity: There’s no such thing as foolproof security, and bug-free software is an oxymoron. From the ’90s script kiddies to present-day state-sponsored actors and cybercrime syndicates, attacks have grown in cost and sophistication.
Today, the practice of cybersecurity is not just about building defenses to prevent intrusion; it’s as much about detecting the ever-so-subtle presence of a silent intruder to dislodge the threat in its tracks.
With all the security strategies, architectures, automation tools and activities present, it can be mind-boggling to distinguish one from the other. Like many other security processes, penetration testing and threat hunting are often incorrectly equated. However, the difference between the two is the difference between prevention and detection.
Pentesting Reveals Existing Vulnerabilities
Penetration testing (or pentesting) is a detailed examination of the network, computer systems, and applications to find exposed weaknesses. It includes attempts to exploit those weaknesses and post-exploitation activities to determine their threat level. Based on the findings, pen testers also recommend a plan of action for remediation. The goal is to identify hidden vulnerabilities in an environment so they can be fixed before malicious actors exploit them.
Pentesting can reveal security misconfigurations and unpatched, publicly known vulnerabilities. The infamous Capital One breach is one of the many examples where legitimate pentesting could have averted the disaster by revealing the WAF (Web Application Firewall) vulnerability that led to the successful SSRF (Server-Side Request Forgery) attack.
Pentesting involves a mixture of automated tools and manual techniques to scan the environment and identify and verify vulnerabilities. Pentesters also incorporate commonly used exploits to test the impact of the security loopholes. The final report highlights the identified weak points along with a remediation roadmap.
Pentesting goes beyond automated vulnerability assessments to exploit and prioritize security risks and provide actionable advice for strengthening the security posture of the organization.
Pentesting should be performed regularly, at least once a year, and after every significant change or addition in the network infrastructure or applications. It ensures that newly found vulnerabilities are patched, and updates or changes haven’t introduced new flaws.
Threat Hunting (Or Red Team Exercise)
Those who believe their security perimeter is impermeable are in denial. In any case, organizations should prepare for the failure of preventative measures. Their preparedness will ultimately determine if they can bounce back from potential security incidents. To combat, contain and eliminate a threat, victims must first detect it through active threat hunting.
Threat hunting means looking for the enemy that has already made it past the preventative security controls and arresting it from progressing further. The goal is to catch an attack in progress before the end user or a third-party partner does.
Essentially, threat hunting is based on the assumption that a breach has already occurred; the earlier it’s detected, the earlier it can be mitigated. A great example of what happens in the absence of proactive threat hunting is the massive Marriott data breach that resulted in a whopping £18.4 million fine. The attackers were lurking in the systems for about four years before being discovered.
Red Teaming Is Acting Like A Bad Actor
Threat hunting involves proactively searching for threats instead of passively waiting for security alerts. Security analysts typically conduct threat hunting manually, but with the help of technologies such as endpoint detection and response, automation, artificial intelligence, and behavioral analytics. Analysts looking for threats in an environment must have a deep understanding of the expected user and entity behaviors, the environment itself, and the known behaviors of threat actors. Using monitoring data and the telemetry collected by intrusion detection tools, threat hunters spot behavior that deviates from that expected baseline, then investigate to determine whether it is benign or malicious. If malicious, security teams can devise a plan of action to mitigate the threat and prevent similar attacks from happening in the future.
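The baseline-then-deviate loop described above, as an added example that is not code from the original article: a hypothesis-driven hunt that learns each account's normal source hosts and logon hours from a known-good period, flags recent logons that fall outside that baseline, and then looks for the stronger signal of one new host being used by several accounts. The log format, field names, hosts and user names are all assumed and constructed for illustration.

```python
# Added example, not the article's code: hunt for a valid account used from a
# host or at an hour it never used in a known-good period. Log format assumed.
from collections import defaultdict
from datetime import datetime
# Constructed data: BASELINE_LOG from a period believed clean, HUNT_LOG recent.
BASELINE_LOG = """\
2024-03-01T08:12:03 user=alice src=ws-alice result=success
2024-03-02T08:40:11 user=alice src=ws-alice result=success
2024-03-01T07:58:20 user=bob src=ws-bob result=success
2024-03-02T18:20:05 user=bob src=vpn-gw result=success
"""
HUNT_LOG = """\
2024-04-02T08:30:00 user=alice src=ws-alice result=success
2024-04-02T02:47:13 user=alice src=build-srv-7 result=success
2024-04-03T03:15:09 user=bob src=build-srv-7 result=success
"""

def parse(log):
    """Yield (timestamp, user, src) for every successful logon line."""
    for line in log.splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields.get("result") == "success":
            yield datetime.fromisoformat(ts), fields["user"], fields["src"]

def build_baseline(log):
    """Per-user sets of source hosts and hours-of-day seen in normal activity."""
    seen = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, src in parse(log):
        seen[user]["hosts"].add(src)
        seen[user]["hours"].add(ts.hour)
    return dict(seen)

def hunt(baseline, log):
    """Logons outside the user's baseline; a user with no baseline is all new."""
    findings = []
    for ts, user, src in parse(log):
        normal = baseline.get(user, {"hosts": set(), "hours": set()})
        flags = {"new_host": src not in normal["hosts"], "odd_hour": ts.hour not in normal["hours"]}
        if any(flags.values()):
            findings.append({"ts": ts.isoformat(), "user": user, "src": src, **flags})
    return findings

def shared_new_hosts(findings):
    """'New' hosts touched by more than one account: one foothold, many creds."""
    users = defaultdict(set)
    for f in findings:
        if f["new_host"]:
            users[f["src"]].add(f["user"])
    return {h: sorted(u) for h, u in users.items() if len(u) > 1}
```

The findings are triage input for an analyst, not verdicts: a single odd-hour logon is often benign, which is why the hunt also surfaces hosts that are new to several accounts at once.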
So, One Or The Other?
The short answer is both. Trying to catch each and every potential entry point is arduous and nearly impossible. Pentesting cannot guarantee that organized cybercriminals, or even amateur attackers with good luck on their side, won’t ever find a loophole. Bad actors can outnumber security teams and outsmart end users. When prevention fails, threat hunting can reveal an attack before it becomes catastrophic.
Once an organization knows where an exploitable weakness lies, patching it shrinks the threat surface.
Comprehensive cybersecurity can be expensive, but modern organizations have little choice. They must mix and match cybersecurity tools and techniques to prepare a cocktail that best suits them.
Cybersecurity teams are doing all in their power to thwart an attack while proactively preparing for inevitable security incidents.
It can also be unrealistic for organizations to allocate a sizable portion of their budgets for cybersecurity when it isn’t their core competency. Such organizations should consider outsourcing their risk and vulnerability management to qualified cybersecurity experts instead of leaving out essential protocols, regulatory mandates and processes, and dealing with consequences when it’s too late.