Some 40% of cybersecurity organizations say they conduct threat hunting today, according to the 2018 Threat Hunting Report by Cybersecurity Insiders. While that’s just a 5% bump over the same survey conducted last year, the survey also found six out of every 10 respondents say their organizations have plans to build out threat hunting programs over the next three years.
While the concept of threat hunting is still relatively new, the survey this year suggests threat hunting has gained considerable traction. Indeed, 84 percent of those surveyed agreed “that threat hunting should be a top security initiative.”
We are keenly interested in the trends that are shaping threat hunting, so we’ve culled through data to surface the following three points we think our community will find interesting.
1) The purpose of a threat hunting program
Threat hunting is the process of seeking out adversaries on a network that are sophisticated enough to evade conventional detection techniques. This survey found that’s the top challenge facing the security operations center (SOC):
- 39% said emerging or advanced threats are missed by traditional security tools; and
- 55% said detecting advanced threats – known and unknown – is the top challenge.
That’s a straightforward case for establishing a threat hunting program and the study suggests clearly defined goals fall right into place. The top goals respondents identified for their threat hunting programs are as follows:
- 56% said “reducing exposure to external threats;”
- 52% said “improving speed and accuracy of threat response;” and
- 49% said “reducing the number of breaches.”
While it wasn’t part of this survey, credible threat hunting experts have noted that threat hunting programs serve additional purposes. For example, the knowledge of the technology environment that is gained in the process of threat hunting can be used to improve static detection and overall defenses.
In addition, threat hunting programs can also serve as a valuable professional development tool that doubles as a recruiting and retention benefit. While that’s an ancillary benefit to reducing threats, it’s worth highlighting given the cybersecurity talent shortage the industry is facing.
Watch this must-see webinar on-demand:
Introduction to Network Threat Hunting
How to look for indications of malicious activity missed
by automated detection methods
2) Process, team and task-organization for threat hunting
As threat hunting gains momentum, SOCs may look for ideas on how to best task-organize security teams for a threat hunting program. According to the study, most respondents (56%) said their organization keeps threat hunting in-house and it involves about 17% of the SOC staff.
About one-fifth (22%) of respondents indicated their threat hunting team is a combination that includes in-house staff augmented with help from a managed security service provider (MSSP). Just 11% outsource the entire function to an MSSP.
How much time is dedicated to threat hunting? On average, respondents said they spend about 40% of their time “proactively seeking threats.” When they are looking for threats, the indicators investigated most often are as follows:
- 67% said behavioral anomalies;
- 58% said IP addresses;
- 46% said domain names;
- 46% said denied or flagged connections; and
- 32% said file names.
A majority (76%) said that wasn’t enough time which may well be both a reason for – and a barrier to – adopting a threat hunting program. Respondents said some 60% of their time is spent on triaging a deluge of alerts and reacting to events.
The Bro open source software framework is a useful technology to mention here. First, it’s a network traffic analysis and classifications engine that can help security understand network traffic and interpret behavioral anomalies.
Second, the technology can do this because it captures metadata before, during and after identified anomalies that trigger alerts. This data can be used to enrich alerts and provide context for more effective triage – see What is Bro? for an easy-to-read primer.
3) The capabilities to look for in threat hunting platforms
The survey dedicated a significant number of questions to tools designed for threat hunting. Just 40% of respondents said they maintain a threat hunting platform for their security analysts. Interestingly, the report found those with the right tools were able to identify threats 2.5x faster.
Speed of detection was one of the benefits associated with threat hunting platforms. The survey surfaced both the benefits and capabilities respondents look in tools for the tradecraft.
When asked, “What are the benefits of a threat hunting platform?” nearly half of all respondents identified the following:
- 64% said “improving detection of advanced threats;”
- 63% said “reducing investigation time;”
- 59% said “saving time from manually correlating events;”
- 53% said “reducing time wasted on chasing false leads;”
- 50% said “discovering threats that could not be discovered otherwise;” and
- 49% said “creating new ways of finding threats.”
When asked, “What capabilities do you consider most important regarding the effectiveness of a threat hunting tool?” threat intelligence (69%) was top of the list and was followed by:
- 57% said “user and entity behavior analytics (UEBA);”
- 56% said “automatic detection;”
- 55% said “machine learning and automated analytics;”
- 55% said “full attack lifecycle coverage;”
- 47% said “vulnerability scanning;”
- 45% said “integration and normalization of multiple data sources;”
- 44% said “intuitive data visualization;”
- 43% said “automated workflows;” and
- 43% said “fast, intuitive search.”
Barriers to Threat Hunting
The most prominent barrier to threat hunting identified in the survey was budget (45%). It stood well above the next highest barrier – too many tools – which came in at 15%. If “a penny of offense can defeat a dollar’s worth of defense,” then the budget will be a constant challenge in security.
Constant is not the same as insurmountable. As four-time CEO Ben Levitan noted about managing security costs, “The way to lower cost in security is to become hyper-efficient at the basic stuff: firewalls, intrusion detection, access control, password management without being overly rigid.”
He added that an “option I have seen work well is to avoid proprietary and over-featured products in favor of open source software that addresses the 80% of the problem. I say spend the incremental dollars you save by not implementing proprietary solutions on the newer threats that you may not have had the budget for.”
* * *
The researchers polled 461 cybersecurity and IT professionals and the analysis is 33 pages long and examines nearly as many questions. The full report is freely available for download with registration here 2018 Threat Hunting Report.
If you enjoyed this post, you might also like:
13 Big Cybersecurity Ideas for the CISO by CISOs