Threat Intelligence and Threat Hunting: Why You Need Both

Threat intelligence and threat hunting are two distinct but complementary practices crucial for a robust cybersecurity strategy. While both aim to improve security posture and mitigate threats, they differ in their primary approach and purpose.

This article describes the key differences and synergies between threat intelligence and threat hunting.


What is threat intelligence?

Threat intelligence is the knowledge an organization uses to understand the threats that have targeted it, are currently attacking it, or will target it. It involves collecting, analyzing, and using data from a range of sources to prevent and mitigate potential or current cyber threats.

Its primary purpose is to give security teams insight into the threat landscape and understand the tactics, techniques, and procedures (TTPs) of threat actors to prepare and defend against specific threats. They can then share intelligence throughout the organization.

Threat intelligence focuses on mitigating risks based on gathered intelligence and responding to existing alerts and information. It provides evidence-based information about actual or developing threats or hazards to assets. These can include context, processes, indicators, consequences, and actionable recommendations.

Threat intelligence can be based on:

  • Open source intelligence (OSINT)

  • Social media intelligence (SOCMINT)

  • Human intelligence (HUMINT)

  • Analyzing technical data (malware samples, logs, attacked IPs)

  • Dark web marketplaces

  • Threat feeds

  • Recent CVEs

  • Security incidents

  • Internal system logs

Threat intelligence also involves data analysis (filtering noise and identifying insights); contextualization (mapping threats to organizational assets); and providing actionable insights (patching vulnerabilities, updating defenses, training).

Different types of threat intelligence are used for various decision-making purposes:

  • Strategic (long-term threats)

  • Tactical (specific threats/incidents, actor methods)

  • Operational (guiding containment processes)

  • Technical (malware analysis, exploitation techniques)

What is threat hunting?

Threat hunting is a proactive security practice where trained incident response teams actively search for and identify previously unknown threats or attacks in progress that have evaded existing security solutions.

It moves beyond traditional alert-driven investigations, using hypothesis-driven approaches to uncover stealthy attack methods and malicious activity. Threat hunters assume adversaries may already be inside the system and initiate investigations based on this premise.

The goal is to detect and contain threats before they cause significant damage. Threat hunting seeks to find malicious actors who have already infiltrated the network's defenses.

It relies heavily on human ingenuity, intuition, and in-depth knowledge of threat behavior to delve deep into network traffic and uncover latent threats that traditional systems might miss.

The process often involves:

  • A trigger (such as unusual behavior or a new threat idea)

  • An investigation (deep dive into potential compromise)

  • Resolution (communicating findings and mitigating threats)

Common methods include hypothesis-driven investigations and the use of known indicators of compromise (IOCs) and indicators of attack (IOAs). Behavioral analysis, machine learning, big data processing, and situational hunting that focuses on high-priority targets also play a role.

Key differences between threat intelligence and threat hunting

Table 1 summarizes how threat intelligence and threat hunting differ.

| Feature | Threat Intelligence | Threat Hunting |
|---|---|---|
| Approach | Collecting and analyzing data on known/emerging threats | Actively searching for unknown threats |
| Purpose/Goal | Understand the threat landscape and inform defenses | Find and contain threats that have evaded automated defenses |
| Trigger | Alerts, historical incidents, known attack patterns/behaviors | Hypothesis, observed anomalies, insight into emerging threats |
| Skills | Analytical skills, ability to process large data, context application | Deep system/network/user behavior knowledge, attacker mindset, analytical skills |
| Tools/Methods | Threat feeds, dark web monitoring, data aggregation/correlation, actor profiling | SIEM, EDR, packet analyzers, log/network analysis, ML/AI, hypothesis testing |

Table 1. Key differences between threat intelligence and threat hunting.

How threat hunting and threat intelligence work together

Threat intelligence and threat hunting are most effective when integrated, creating a stronger, more effective security strategy. Let’s examine how.

  • Threat Intelligence Informs Hunting: Threat intelligence provides the context around current and emerging threats, helping threat hunters understand behavioral patterns and details about threat actors. This allows hunters to develop more focused and effective hypotheses and investigations. Threat intelligence reports, insights about recently observed tactics, methods, or intent of advanced persistent threat (APT) groups, and information about sector-specific attacks are crucial sources for developing these hypotheses. Real-time threat intelligence can also update hunters on pressing threats to investigate.

  • Hunting Validates and Enhances Threat Intelligence: Threat hunting can validate existing threat intelligence by confirming the presence of specific TTPs or IOCs in the environment. More importantly, when threat hunters uncover new, previously unknown threats or attack techniques, their findings contribute to improving threat intelligence. This newly generated intelligence can then be fed back into automated systems or shared across teams to strengthen future detection capabilities.

  • Improved Detection and Response: Combining threat intelligence and threat hunting leads to faster and more effective threat detection and response. Threat intelligence helps tailor security controls and predict attacks, while hunting proactively finds threats that bypassed defenses. This reduces the time adversaries remain undetected (dwell time).

  • Enhanced Security Posture: By integrating both practices, organizations build a more complete and resilient defense against evolving threats. It allows them to proactively mitigate risks and reduce the chance of successful cyberattacks.

  • Collaboration: Effective integration requires close collaboration and communication between threat intelligence and threat hunting teams to share discoveries, verify data, and continuously update resources and detection logic.

Establishing a feedback culture where insights from threat hunting continuously inform threat intelligence is key to combating security threats more effectively.
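The feedback loop described above, as an added Python example that is not part of the original article or of any Trellix product: a constructed IOC set stands in for an intelligence feed and constructed proxy log lines stand in for internal telemetry; the hunt confirms which IOCs are actually present (validating the intelligence) and then pivots from the affected hosts to destinations corroborated across several of them, which become candidate indicators for the intelligence team to vet. All hostnames and the `min_hosts` threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample IOCs, as a threat-intelligence feed might supply them.
INTEL_IOCS = {"bad-updates.example", "cdn-mirror.example"}

# Constructed proxy log lines: timestamp, source host, destination, bytes.
PROXY_LOGS = """\
2024-05-01T09:00:01Z ws-017 bad-updates.example 5120
2024-05-01T09:00:05Z ws-017 static-assets.example 88000
2024-05-01T09:02:10Z ws-017 telemetry-relay.example 640
2024-05-01T09:03:00Z ws-042 static-assets.example 91000
2024-05-01T09:05:30Z ws-099 bad-updates.example 4800
2024-05-01T09:05:31Z ws-099 telemetry-relay.example 660
"""


@dataclass
class HuntResult:
    confirmed_iocs: set = field(default_factory=set)  # intel validated in-environment
    affected_hosts: set = field(default_factory=set)  # hosts that reached an IOC
    candidate_iocs: set = field(default_factory=set)  # new indicators to feed back


def parse_logs(text):
    """Yield (timestamp, host, destination, bytes) tuples from the log text."""
    for line in text.splitlines():
        ts, host, dest, nbytes = line.split()
        yield ts, host, dest, int(nbytes)


def hunt(iocs, logs, min_hosts=2):
    """Validate the IOC feed against telemetry, then pivot for new indicators."""
    result = HuntResult()
    events = list(parse_logs(logs))
    # Step 1: which intel indicators actually appear, and on which hosts?
    for _, host, dest, _ in events:
        if dest in iocs:
            result.confirmed_iocs.add(dest)
            result.affected_hosts.add(host)
    # Step 2: other destinations reached by affected hosts; require corroboration
    # across at least min_hosts affected hosts so ordinary traffic is not flagged.
    seen_by = {}
    for _, host, dest, _ in events:
        if host in result.affected_hosts and dest not in iocs:
            seen_by.setdefault(dest, set()).add(host)
    result.candidate_iocs = {d for d, hosts in seen_by.items() if len(hosts) >= min_hosts}
    return result


if __name__ == "__main__":
    print(hunt(INTEL_IOCS, PROXY_LOGS))
```

Indicators in the feed that never appear (here `cdn-mirror.example`) are as useful a finding as the confirmed ones: they tell the intelligence team which parts of a report did not apply to this environment.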

In summary, threat intelligence provides the “what, who, and how” of potential threats from external and historical sources, enabling organizations to prepare and inform their defenses. Threat hunting takes this information, combined with internal data and human expertise, to actively search for threats that may already be present but undetected, thereby validating intelligence and discovering new threats.

Together, they form a powerful defense mechanism against increasingly sophisticated cyber threats.


Trellix tools and services

Trellix integrates powerful threat intelligence throughout the Trellix Security Platform. It enables you to proactively anticipate and defend against potential cyberattacks and adversaries, delivering actionable insights into cyberthreats and the entities behind them based on data from hundreds of millions of connected sensors globally.

Coupled with comprehensive threat hunting capabilities for your endpoints, email, networks, and data, Trellix tools and services enable faster and more effective threat detection and response, resulting in a stronger cyber defense.

Threat intelligence and threat hunting FAQ

Threat intelligence focuses on collecting and analyzing data about known and emerging threats to understand the threat landscape and inform defenses. Threat hunting is a proactive practice of actively searching for unknown threats that have evaded existing security solutions.

Threat intelligence informs threat hunting by providing context about threats, helping hunters develop focused hypotheses. Threat hunting validates and enhances threat intelligence by uncovering new threats or attack techniques, which can then be used to improve defenses.

Integrating both practices creates a stronger, more effective security strategy. It leads to faster and more robust threat detection and response, an enhanced security posture, and reduced dwell time for adversaries.
