In a typical week, a security operations center (SOC) might miss 28% of threats that come across their systems. That’s according to a survey of security professionals used to develop the “2019 Threat Hunting Report” by Cybersecurity Insiders.
While that number might seem alarming, the report suggests it’s just part of the natural arms race in cybersecurity. Every time the defender invents a way to ward off a threat, malicious actors look for ways around it. For example, the survey found “42% of advanced threats are missed by traditional [detection] tools.”
For many SOCs, that’s the rationale for building a threat hunting program. As the report notes, “threat hunting can reduce the risk and impact of threats while improving defenses against new attacks.” Still, while threat hunting has enjoyed growing recognition, it remains a relatively new discipline within cybersecurity.
To that end, the report provides some benchmarks for evaluating a threat hunting program. Some of the benchmarks that stood out for us follow below.
1) What are the goals security organizations establish for threat hunting?
A majority of security professionals surveyed identified the following as the top goals for threat hunting:
- 58% said reducing exposure to external threats;
- 53% said improving the speed and accuracy of threat response; and
- 52% said reducing breaches and infections.
Additional goals listed in the report did not garner a majority of the votes, but they are noteworthy because they demonstrate the breadth of goals threat hunting supports:
- 47% said it can reduce time to containment (prevent spread);
- 45% said it can reduce the attack surface area;
- 41% said it can reduce exposure to internal threats; and
- 41% said it can optimize resources spent on threat response.
On a separate, but related note, leading experts have pointed out threat hunting can help improve overall security:
“Since you are hunting for adversarial activity, the process of threat hunting will give you the chance to examine your IT environment from the perspective of a threat actor. You may not always find a threat over the course of your hunts, but you will almost assuredly find misconfigurations, network anomalies and potential weaknesses by virtue of the exercise. The knowledge gleaned through threat hunting holds value because you can use it to strengthen your overall cybersecurity defenses.”
2) Who is responsible for doing the threat hunting?
About half (48%) of respondents say threat hunting is conducted by small in-house security teams. On the other end of the spectrum, 14% of respondents indicated their security team completely outsources threat hunting to a third-party.
Then there’s the middle ground – with 26% splitting the difference. Those respondents reported using a “hybrid” model where threat hunting is performed by a combination of managed security service providers (MSSPs) and an internal team.
According to the survey, on average just 15% of SOC staff are involved in threat hunting. “A majority of organizations have less than 5 security professionals dedicated to threat hunting,” the report says.
While that’s just a handful of people, there may be an opening for security teams to obtain even greater value by combining threat hunts with professional development programs. Threat hunting exercises are an opportunity to pair level 1 or level 2 analysts with level 3 analysts in productive mentoring sessions.
3) What do threat hunters look for?
What exactly are threat hunters looking for? According to the report, 69% said they look for behavioral anomalies.
In a presentation for the 2019 RSA conference, the lead for the hunt team at Walmart illustrated this concept. He demonstrated how his team filters out routine traffic in order to focus on the things that are out of place. In an environment that large, it’s a practical way to search for the proverbial needle in the haystack.
Anomalies aren’t the only characteristic threat hunters seek out. Some of the others, which are perhaps more closely associated with indicators of compromise (IoCs), are as follows:
- 66% said IP addresses;
- 50% said denied or flagged connections;
- 48% said domain names; and
- 33% said file names.
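The filtering approach described above (suppress routine traffic, then look at what is left) combined with the IoC types in the list can be shown in a few lines of code. The following is an added example written for this post, not code from the report or from the Walmart hunt team it mentions. The pipe-separated log format, the two log samples, and the IoC values (all from documentation-reserved address ranges and invented names) are constructed for the example; real hunts would read from a proxy or firewall export and an actual threat-intel feed.

```python
from collections import Counter

# Constructed sample records (not from the report), one per line:
# timestamp|src_ip|dst_ip|dst_host|dst_port|action|filename
# A quiet window used to learn what "routine" looks like.
BASELINE_LOG = """\
2019-09-30T08:00:01|10.0.0.5|93.184.216.34|www.example.com|443|allow|-
2019-09-30T08:00:02|10.0.0.6|93.184.216.34|www.example.com|443|allow|-
2019-09-30T08:01:00|10.0.0.5|198.51.100.10|mail.corp.example|993|allow|-
2019-09-30T08:01:30|10.0.0.7|198.51.100.10|mail.corp.example|993|allow|-
2019-09-30T08:02:00|10.0.0.5|198.51.100.20|files.corp.example|445|allow|report.docx
2019-09-30T08:02:10|10.0.0.6|198.51.100.20|files.corp.example|445|allow|budget.xlsx
2019-09-30T08:03:00|10.0.0.8|192.0.2.9|-|8080|allow|-
"""

# The window being hunted over.
REVIEW_LOG = """\
2019-10-01T09:00:01|10.0.0.5|93.184.216.34|www.example.com|443|allow|-
2019-10-01T09:00:05|10.0.0.9|203.0.113.45|-|4444|allow|-
2019-10-01T09:00:09|10.0.0.6|198.51.100.20|files.corp.example|445|allow|invoice_q3.pdf.exe
2019-10-01T09:00:12|10.0.0.7|198.51.100.77|update-check.example.net|80|deny|-
2019-10-01T09:00:20|10.0.0.5|198.51.100.10|mail.corp.example|993|allow|-
"""

# Constructed IoC lists (placeholder values, not real indicators) covering the
# three IoC types named in the survey: IP addresses, domain names, file names.
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"update-check.example.net"}
IOC_FILENAMES = {"invoice_q3.pdf.exe"}

FIELDS = ("ts", "src_ip", "dst_ip", "dst_host", "dst_port", "action", "filename")


def parse_log(text):
    """Turn raw log text into a list of record dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["dst_port"] = int(rec["dst_port"])
        records.append(rec)
    return records


def destination(rec):
    """Baseline key: the hostname when one was resolved, otherwise the raw IP."""
    host = rec["dst_host"] if rec["dst_host"] != "-" else rec["dst_ip"]
    return (host, rec["dst_port"])


def build_baseline(records, min_count=2):
    """Destinations allowed at least min_count times in the quiet window count as routine."""
    counts = Counter(destination(r) for r in records if r["action"] == "allow")
    return {dest for dest, n in counts.items() if n >= min_count}


def hunt(records, baseline, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS,
         ioc_filenames=IOC_FILENAMES):
    """Drop routine records and return the rest, each tagged with why it stood out."""
    findings = []
    for rec in records:
        reasons = []
        if destination(rec) not in baseline:
            reasons.append("destination not in baseline")      # behavioral anomaly
        if rec["action"] != "allow":
            reasons.append(f"connection {rec['action']}")      # denied / flagged connection
        if rec["dst_ip"] in ioc_ips:
            reasons.append("IoC IP match")
        if rec["dst_host"] in ioc_domains:
            reasons.append("IoC domain match")
        if rec["filename"] in ioc_filenames:
            reasons.append("IoC filename match")
        if reasons:
            findings.append({"ts": rec["ts"], "src_ip": rec["src_ip"],
                             "dst": destination(rec), "reasons": reasons})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for finding in hunt(parse_log(REVIEW_LOG), baseline):
        print(finding["ts"], finding["src_ip"], "->", finding["dst"], "|", "; ".join(finding["reasons"]))
```

The two routine lines in the review window (the web and mail connections that were common in the baseline) produce nothing, while the remaining three each surface with one or more reasons. Note the third finding: its destination is fully baselined, so an anomaly-only hunt would have dropped it; the IoC filename match is what keeps it in view, which is why the survey's respondents combine behavioral anomalies with the more traditional indicators.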
4) Where are these threat hunts taking place?
Most large enterprises have a combination of cloud and on-premises environments – which adds complexity. As such, 52% of respondents say they are conducting threat hunts over multiple IT environments. The remainder of the answers trail off fairly quickly:
- 26% said on-premises (co-located);
- 13% said managed service (hosted);
- 7% said the public cloud; and
- 2% said other.
5) How much time is dedicated to threat hunting?
The survey found threat hunters spend about 38% of their time dedicated to proactive detection. A clear majority (70%) do not believe it’s enough time.
Yet, the time dedicated clearly influences how often threat hunts are conducted. Most respondents (40%) indicated threat hunting was an ad-hoc process conducted when the need arose. About one-third (32%) said this was a continuous process – and 18% said they schedule threat hunts at intervals, be that daily, weekly or monthly.
6) How much budget is allocated to threat hunting?
While the survey didn’t identify specific dollar figures, it did produce some useful gauges for understanding threat hunting budgets. For example, the report says 21% of the overall security budget will be dedicated to threat hunting over the next 12 months. In addition, about half (51%) expect that to rise over the same period of time.
7) What are the benefits and ROI of threat hunting?
The top benefit of threat hunting, according to the survey, was improving the detection of advanced threats (62%). Several other interrelated benefits surfaced; those that stood out included:
- 51% said finding new ways of finding threats;
- 47% said reducing time wasted on chasing false leads; and
- 47% said discovering threats that could not be discovered otherwise.
In terms of ROI, the answers were more widely distributed. Some said they experienced ROI immediately (10%), others within days (19%) and still others within weeks (11%). A considerable percentage of respondents were far more conservative – indicating they saw tangible gains within months (23%) or a year (16%). About one-fifth (21%) said it could take two or more years.
From our perspective, the choice of tools can have an impact. While many tools promise to provide threat hunting, many only provide one piece of an overall solution. We call this the distinction between threat hunting and true threat hunting.
* * *
The full report runs a little more than 20 pages full of statistics on threat hunting. It is freely available from Cybersecurity Insiders with registration: 2019 Threat Hunting Report.
>>> Are you headed to the 2019 Threat Hunting & Incident Response Summit by the SANS Institute in New Orleans? If so, please do stop by the expo floor on September 30th and October 1st and let us show you how we’ve simplified network threat hunting.