Introduction
In the quest for robust cybersecurity, the notion of "vulnerability hunting" has been recently touted as the "proactive" cousin of "threat hunting". Brian Cantos, in his article published on Forbes.com, goes so far as to challenge the proactive nature of threat hunting, arguing that the real proactive hero in our cyber defense should be vulnerability hunting. As a company that believes strongly in threat hunting, we respectfully disagree. Here's why.
The Complexity of Today's Digital Landscape
In today's complex and increasingly interconnected digital world, vulnerability hunting is no small task. It's equivalent to hunting for a needle in an ever-expanding haystack, especially considering the growing prevalence of vulnerabilities like Log4j. To illustrate, the Log4j vulnerability disclosed in late 2021 highlighted the complexity of the digital supply chain and the embedded vulnerabilities that are often "baked into" code. It's safe to say that hunting for such vulnerabilities can be extremely labor-intensive, demanding resources that many security teams simply do not have.
While we agree that vulnerability management is important and companies should play an active role in it, expecting organizations with limited resources and budgets to focus heavily on vulnerability hunting seems unrealistic and potentially counterproductive.
What Makes Threat Hunting Proactive?
Threat hunting may be defined as the act of "looking for and rooting out threat actors that have slipped past defenses," but this does not make it a reactive approach. Rather, it's an active, ongoing process where security teams continuously search for, identify, and neutralize threats before they can cause damage.
While threat hunting is part of the cyber incident response process, its primary goal is not to respond to damage that has already occurred but to prevent such damage from happening in the first place. Thus, threat hunting has always been a proactive form of cyber defense, contrary to what Cantos suggests.
The Misleading Shift to Vulnerability Hunting
The shift from threat hunting to vulnerability hunting might seem appealing. After all, who doesn't want to find issues before nefarious actors do? However, it's important to remember that the adversary, in most cases, has time and resources on their side. As Cantos himself quoted, "attackers spend time knowing the network and the devices better than the defenders". With that advantage, focusing on vulnerability hunting alone is like playing a never-ending game of catch-up.
The Claim of Reduced Resources and Time
Cantos' argument that vulnerability hunting requires fewer resources and less time compared to threat hunting is contentious. While it is true that preventing an attack before it happens saves resources and time, the complexity of today's interconnected systems makes vulnerability hunting a daunting task. The assertion that vulnerability hunting will prevent all attacks before they happen is also overly optimistic.
Rather than diminishing the importance of threat hunting in favor of vulnerability hunting, organizations should strive for a balanced approach that incorporates both strategies into their security protocols. This holistic approach ensures the best possible defense against the constantly evolving landscape of cyber threats.
Conclusion
In conclusion, while vulnerability hunting is an essential part of any robust cybersecurity strategy, it should not overshadow the equally important role of threat hunting. The assertion that threat hunting is reactive in nature is a myth that undermines the crucial role it plays in proactively detecting and neutralizing threats. Instead of viewing vulnerability hunting as the successor to threat hunting, we should consider it an integral part of a comprehensive, proactive cybersecurity strategy.
We stand by our belief in threat hunting and its proactive nature, as it continues to play a crucial role in detecting and mitigating threats in today's increasingly complex digital environment. Let's continue the hunt, shall we?