1.4 Compare and Contrast Threat-Intelligence and Threat-Hunting Concepts
📘CompTIA CySA+ (CS0-003)
1. What Is Threat Hunting?
Threat hunting is a proactive security activity in which security analysts search through systems and networks for hidden threats that have bypassed security controls.
Unlike automated alerts from tools like SIEM or antivirus, threat hunting:
- Does not wait for alerts
- Assumes attackers may already be inside
- Uses human investigation and analytical thinking
- Focuses on discovering unknown or stealthy threats
For the exam, remember:
🔑 Threat hunting = Proactive + Hypothesis-driven + Human-led investigation
2. Indicators of Compromise (IoC)
An Indicator of Compromise (IoC) is a piece of evidence that suggests a system may have been breached.
IoCs help threat hunters detect suspicious activity.
Common Types of IoCs
- Malicious IP addresses
- Suspicious domain names
- File hashes (MD5, SHA-256)
- Registry changes
- Unusual processes
- New admin accounts
- Abnormal login times
- Unexpected outbound connections
IoC Lifecycle for the Exam
CySA+ expects you to understand the three stages:
2.1 IoC Collection
This is gathering data from multiple security sources.
Common Sources:
- SIEM logs
- Firewall logs
- IDS/IPS alerts
- Endpoint Detection and Response (EDR)
- DNS logs
- Web proxy logs
- Email security logs
- Cloud audit logs
- Threat intelligence feeds
Example in IT Environment:
A security analyst collects:
- VPN login logs
- Windows Event Logs
- EDR telemetry
- DNS query logs
All collected data becomes searchable for threat hunting.
2.2 IoC Analysis
This is reviewing collected data to determine if it indicates malicious activity.
The analyst looks for:
- Patterns
- Anomalies
- Suspicious correlations
- Known malicious hashes or IP addresses
Types of Analysis
- Behavioral analysis
- Log correlation
- Timeline analysis
- Threat intelligence matching
Example
- A file hash matches a known ransomware signature.
- A user account logs in from two different countries within 10 minutes.
- A server begins communicating with a suspicious external IP.
These findings suggest compromise.
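The three findings above, as an added worked example that is not part of the CySA+ material: threat-intelligence matching of file hashes and destination IPs against a feed, plus log correlation that flags the "two countries within 10 minutes" login pattern. The feed, hosts, users and log records are all constructed for this example (the hash is a placeholder, the IPs are from documentation ranges).

```python
from datetime import datetime, timedelta

# Constructed threat-intelligence feed and log records for this example only;
# the hash and IPs are placeholders (documentation ranges), not real indicators.
THREAT_INTEL = {
    "hashes": {"aa" * 32},       # placeholder SHA-256 of a "known ransomware" sample
    "ips": {"203.0.113.45"},     # placeholder malicious IP (TEST-NET-3 range)
}
FILE_EVENTS = [   # (host, file name, SHA-256 of the file)
    ("ws01", "invoice.exe", "aa" * 32),
    ("ws02", "notes.txt", "bb" * 32),
]
NET_EVENTS = [    # (host, destination IP of an outbound connection)
    ("srv01", "203.0.113.45"),
    ("srv02", "198.51.100.7"),
]
LOGIN_EVENTS = [  # (ISO timestamp, user, country of the source IP)
    ("2024-05-01T08:00:00", "alice", "US"),
    ("2024-05-01T08:07:00", "alice", "DE"),  # 7 minutes later, different country
    ("2024-05-01T09:00:00", "bob", "US"),
    ("2024-05-01T17:00:00", "bob", "US"),
]

def match_threat_intel(file_events, net_events, intel):
    """Threat-intelligence matching: flag hashes and destinations that are on the feed."""
    findings = []
    for host, name, digest in file_events:
        if digest.lower() in intel["hashes"]:
            findings.append(("known_malicious_hash", host, name))
    for host, dst in net_events:
        if dst in intel["ips"]:
            findings.append(("known_malicious_ip", host, dst))
    return findings

def impossible_travel(login_events, window=timedelta(minutes=10)):
    """Log correlation: the same user seen in two countries inside the time window."""
    findings = []
    last_seen = {}  # user -> (timestamp, country) of the previous login
    for ts, user, country in sorted(login_events):  # ISO strings sort chronologically
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev and prev[1] != country and when - prev[0] <= window:
            findings.append(("impossible_travel", user, prev[1], country))
        last_seen[user] = (when, country)
    return findings

def analyse(intel=THREAT_INTEL):
    """Run both analyses over the constructed logs and return every finding."""
    return (match_threat_intel(FILE_EVENTS, NET_EVENTS, intel)
            + impossible_travel(LOGIN_EVENTS))
```

Each finding is a candidate IoC; in the application stage the confirmed ones would become block-list entries and SIEM rules.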
2.3 IoC Application
This means using confirmed IoCs to:
- Improve detection rules
- Block malicious IPs
- Update firewall rules
- Update SIEM alerts
- Improve EDR detection policies
- Strengthen incident response processes
After hunting reveals malicious behavior:
- Add the IP to firewall block lists
- Create new SIEM alert rules
- Share IoCs with the SOC team
For the exam:
Collection = Gather evidence
Analysis = Investigate evidence
Application = Use evidence to improve defense
3. Threat Hunting Focus Areas
Threat hunting is not random. Analysts focus on high-risk areas.
3.1 Configurations / Misconfigurations
Misconfigurations are one of the biggest security risks.
Threat hunters check for:
- Open ports that should be closed
- Default credentials
- Weak password policies
- Public cloud storage exposure
- Disabled logging
- Excessive user privileges
- Insecure firewall rules
Example
- An internal database server exposed to the internet.
- A cloud storage bucket configured as public.
- An administrator account without MFA enabled.
Misconfigurations often allow attackers easy access.
For the exam:
Misconfigurations are low-hanging fruit for attackers.
3.2 Isolated Networks
Some networks are separated for security reasons.
Examples:
- OT networks
- SCADA environments
- Research networks
- Backup networks
Threat hunters focus on:
- Unauthorized connections into isolated segments
- Unexpected lateral movement
- Suspicious internal scanning
- Unusual traffic between VLANs
Why?
If attackers reach isolated networks, impact can be severe.
3.3 Business-Critical Assets and Processes
These include:
- Domain controllers
- Authentication servers
- Payment systems
- Databases
- ERP systems
- Cloud management consoles
- Backup systems
Threat hunters prioritize these assets because:
- They store sensitive data
- They control authentication
- They affect business operations
Example
Hunting for:
- Privilege escalation on a domain controller
- Suspicious changes to financial systems
- Unauthorized database queries
Exam Tip:
Always protect high-value targets first.
4. Active Defense
Active defense means taking proactive actions to:
- Detect attackers early
- Disrupt attacker activities
- Gather intelligence about threats
It goes beyond passive monitoring.
Examples of Active Defense
- Deploying honeypots
- Blocking malicious IPs dynamically
- Using deception technologies
- Threat hunting campaigns
- Sinkholing malicious domains
Active defense is still defensive — not hacking back.
Important for the exam:
Active defense ≠ offensive hacking
It means proactive internal protection.
5. Honeypots
A honeypot is a decoy system designed to attract attackers.
It looks like a real system but is monitored closely.
Purpose of Honeypots
- Detect attackers early
- Study attacker techniques
- Collect IoCs
- Divert attackers from real systems
- Generate alerts when accessed
Since no legitimate user should access it, any interaction is suspicious.
Types of Honeypots
1. Low-Interaction Honeypot
- Simulates services
- Limited functionality
- Easy to deploy
- Lower risk
2. High-Interaction Honeypot
- Real operating system
- Full services
- Allows deeper attacker interaction
- Provides more intelligence
- Higher risk
Honeynet
A network of multiple honeypots designed to simulate a real enterprise environment.
Example in IT Environment
A fake database server:
- Has fake employee data
- Is monitored by SIEM
- Generates alerts if accessed
- Records attacker commands
If someone logs into this system, it indicates malicious activity.
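The decoy database server described above, as an added example that is not part of the CySA+ material: a minimal low-interaction honeypot that presents a fake banner, does no real work, and turns every connection into an alert record (source address, time, first command received). The banner text, the simulated probe and the loopback address are assumptions made for this example.

```python
import socket
import threading
from datetime import datetime, timezone

class LowInteractionHoneypot:
    """Decoy TCP service: sends a fake banner, does no real work, records every touch."""

    def __init__(self, banner=b"220 db-prod-01 ready\r\n", host="127.0.0.1"):
        self.banner = banner
        self.records = []  # one IoC record per interaction
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))  # port 0: the OS picks a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def serve_one(self):
        """Handle one connection. No legitimate user should connect, so every one is an alert."""
        conn, (src_ip, src_port) = self.sock.accept()
        with conn:
            conn.settimeout(2.0)
            conn.sendall(self.banner)       # look like a real service
            try:
                data = conn.recv(1024)      # capture the attacker's first command
            except socket.timeout:
                data = b""
        record = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": src_ip, "src_port": src_port,
            "first_bytes": data.decode("utf-8", "replace").strip(),
            "alert": "HONEYPOT TOUCHED: any access to this decoy is suspicious",
        }
        self.records.append(record)        # in a real deployment: forward to the SIEM
        return record

    def close(self):
        self.sock.close()

def simulate_probe(payload=b"SELECT * FROM employees;\r\n"):
    """Constructed demo: a client pokes the decoy and the honeypot records the touch."""
    hp = LowInteractionHoneypot()
    worker = threading.Thread(target=hp.serve_one)
    worker.start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2.0) as client:
        banner = client.recv(1024)
        client.sendall(payload)
    worker.join()
    hp.close()
    return banner, hp.records[0]
```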
6. Threat Hunting vs Threat Intelligence (Exam Comparison)
CySA+ requires you to compare these.
| Threat Intelligence | Threat Hunting |
|---|---|
| Information about threats | Searching for threats inside environment |
| External + internal data | Primarily internal investigation |
| Strategic and tactical | Operational and investigative |
| Provides IoCs | Uses IoCs |
| Reactive and proactive | Mostly proactive |
Simple Way to Remember:
- Threat Intelligence = Knowledge
- Threat Hunting = Action
7. How Threat Hunting Works (Process Overview)
1. Form a hypothesis
   Example: “Attackers may be using PowerShell for persistence.”
2. Collect relevant logs
   - PowerShell logs
   - Endpoint logs
3. Analyze suspicious patterns
   - Encoded commands
   - Unusual execution times
4. Identify IoCs
   - File hashes
   - Suspicious IP addresses
5. Contain and remediate
   - Disable the account
   - Remove the malware
   - Improve detection rules
This cycle repeats continuously.
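The PowerShell persistence hypothesis carried through steps 2 to 4, as an added example that is not part of the CySA+ material: it scans constructed process-creation records, decodes any `-EncodedCommand` argument (PowerShell expects UTF-16LE text, base64-encoded), and flags launches that combine an encoded command, a persistence-related keyword, or execution outside business hours. The hosts, users, business-hours window and keyword list are assumptions made for this example.

```python
import base64, re
from datetime import datetime

def encode_ps(script: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed process-creation records (hypothetical telemetry, not real data).
EVENTS = [
    {"time": "2024-05-01T02:13:00", "host": "ws01", "user": "svc_backup",
     "cmd": "powershell.exe -nop -w hidden -enc " + encode_ps(
         r"Set-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name upd -Value C:\temp\a.exe")},
    {"time": "2024-05-01T11:05:00", "host": "ws02", "user": "alice",
     "cmd": "powershell.exe -EncodedCommand " + encode_ps("Get-Process | Sort-Object CPU")},
    {"time": "2024-05-01T10:30:00", "host": "ws03", "user": "bob",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
PERSISTENCE_MARKERS = ("currentversion\\run", "register-scheduledtask", "schtasks")

def decode_encoded_command(cmd: str):
    # Return the decoded script if the command line carries an encoded command, else None.
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def outside_business_hours(ts: str, start=7, end=19) -> bool:
    hour = datetime.fromisoformat(ts).hour
    return hour < start or hour >= end

def hunt(events=EVENTS):
    """Test the hypothesis: score every PowerShell launch and return the hits."""
    findings = []
    for ev in events:
        if "powershell" not in ev["cmd"].lower():
            continue
        reasons, decoded = [], decode_encoded_command(ev["cmd"])
        if decoded is not None:
            reasons.append("encoded_command")
            if any(marker in decoded.lower() for marker in PERSISTENCE_MARKERS):
                reasons.append("persistence_marker")
        if outside_business_hours(ev["time"]):
            reasons.append("off_hours")
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"], "reasons": reasons, "decoded": decoded})
    return findings
```

A hit with several reasons (ws01 here) is the one worth escalating to containment; an encoded but harmless command during office hours (ws02) is the false positive the analyst triages away.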
8. Key Exam Points to Remember
✔ Threat hunting is proactive
✔ IoCs are evidence of compromise
✔ IoC lifecycle = Collection → Analysis → Application
✔ Focus on misconfigurations and critical assets
✔ Honeypots are decoy systems
✔ Active defense improves visibility
✔ Hunting assumes attacker is already inside
✔ Intelligence informs hunting
9. Common Exam Scenario Clues
If a question says:
- “Proactively searching logs”
- “Hypothesis-driven investigation”
- “Looking for unknown threats”
- “Searching endpoints for abnormal behavior”
- “No alert triggered yet”
The answer is likely:
Threat Hunting
If it says:
- “Information from external feeds”
- “Data about attacker tactics”
- “Shared industry reports”
- “Known malicious IP lists”
The answer is:
Threat Intelligence
Final Summary (Easy Version)
Threat hunting means:
- Actively searching your network
- Assuming attackers may be hidden
- Using IoCs as clues
- Checking high-risk systems first
- Finding problems before damage spreads
It helps organizations:
- Detect advanced attacks
- Improve security controls
- Reduce dwell time
- Strengthen defenses
