Understanding Threat Hunting vs. Pen Testing
What each covers and where they sit in a mature security posture.
Aaron Mog runs the Novacoast Threat Hunting practice. One of the newer strategies in protecting against breaches and vulnerability, Threat Hunting involves tracking down the malicious agents who are already in a network. And if it sounds alarmist to assume someone’s already broken in, you should know that Mog and his team have never failed to find something in any network they’ve tested. Not once.
But this practice is misunderstood. And it’s regularly confused with Penetration Testing. David Parker runs Penetration Testing at Novacoast. We thought it would be helpful to ask both these guys to clear up the confusion and explain where each practice fits into a mature security posture.
So Threat Hunting & Pen Testing—what’s the difference?
Aaron Mog: I think the mix-up can boil down to this: Modern security methods mostly fall into the categories of either prevention or detection.
Prevention—Keeping people out: firewalls, architecture, software solutions. Penetration Testing, all about pinpointing vulnerability, is a means of prevention.
Detection—Catching anyone who gets in: data monitoring, automatic alerts, putting eyes on your network. Threat Hunting, all about tracking down and isolating threats in progress, is a means of detection.
David Parker: Exactly. Penetration Testing reveals vulnerability, but it’s pretty rare we reveal attacks in progress. It’s happened, but it’s a Pen Tester’s job to tell you how it can happen, not whether anything is happening already.
So is Threat Hunting only for when you’re suspicious of a current breach?
AM: We’ve reached the point where everyone has “something going on” at all times—your network is compromised. It’s just a matter of whether it’s minor stuff, stuff in progress, or something catastrophic.
Now, this isn’t incident response. But the biggest gap in most companies’ IR plan is that they don’t know when to call for help. And you don’t want the FBI or somebody to call you to tell you that something is happening or has happened. You want to be in control of the information yourself. A Threat Hunting assessment preempts Incident Response and is much, much cheaper.
DP: I think of it this way: If a Pen Test helps catch mistaken assumptions—about your posture, about the software you may be expecting too much of—that put you at risk, Threat Hunting catches the people exploiting your assumptions, blind spots and gaps. And it’s usually a fair bet that if you have these blind spots, someone has taken advantage of them by now.
What are the biggest misconceptions about what you guys do?
DP: One I get a lot is a confusion between Pen Tests and full audits—a Pen Test is not an audit. Audits take up a lot more time and money, and are undertaken with full cooperation of the client.
The two things try to answer a lot of the same questions but come at it from very different angles. The Pen Test tends to uncover a lot more about the gaps in your thinking and planning, but won’t have the comprehensive mapping of your entire posture.
AM: What I see often is a balance problem. As I said before, most sophisticated shops are looking at the security world in two buckets—prevention and detection—into which you can, and have to, put your time and money.
Before, all our time and effort went into prevention: Firewalls, Pen Tests, etc. Now the popular mantra has become “no matter what you do, you’re going to get hacked.” Basically, prevention is going to fail. But the point is, if you skimp on prevention, you’re guaranteed to fail disastrously. If you skimp on detection, you’ll be completely defenseless when prevention fails.
For us, that’s the beauty of being able to work side by side in the same security team. We’re there to keep customers from failing, and if something happens, we’re there to pick it up, respond and quickly recover. We are there to make sure your posture is balanced, and that you’re doing enough on both ends that you’re set up for reaction and protection.