As far as security disciplines go, threat hunting is a comparatively young specialty. Given this, there are overlaps with other security-related practices. In fact, many folks currently involved in threat hunting have experience with these other roles within their careers. The following are some quick comparisons to other disciplines.
Incident response is perhaps the role most similar to threat hunting. Both disciplines deal directly with threats in your environment. The primary difference is that incident response is reactive—you know something is on the network, or at least has tried to access the network, due to security alerts, network or endpoint behavior, or other evidence. In threat hunting, by contrast, there isn’t necessarily any evidence of a threat yet. Rather than containing and remediating what you already know is there, you are actively looking for something that has not yet been detected.
Threat hunting and penetration testing also share some similarities. At their heart, both attempt to seek out weaknesses in a network. However, penetration tests generally look for configuration problems or known vulnerabilities in order to gain access to a network or sensitive information. The goal of threat hunting isn’t necessarily to gain access to anything, but rather to identify hidden threats present in an environment, eradicate them, and set up policies to prevent them in the future.
The idea with risk management is to determine weaknesses within the network or on systems, determine their severity, prioritize, and then take appropriate steps to correct them. This may involve identifying threat sources, and threat hunting may help to inform a risk assessment. However, such assessments generally cover far more ground than threat hunting, looking at all potential risks, both known and unknown.
Also similar to threat hunting, compromise assessment is about finding out whether your network has been breached by unknown bad actors. However, it is a much broader exercise than threat hunting. During a compromise assessment, various tools are installed across a network, looking across the board for anything out of the ordinary. In contrast, threat hunting begins with a very particular idea or scenario and maintains focus on that scope.