Threat Hunting is the New Black in Security: Report

Monday, May 09, 2016

Ionut Arghire


Allowing organizations to identify and mitigate network vulnerabilities as early as possible, threat hunting is a new trend in enterprise security, recently released SANS Institute research reveals.

Commissioned by DomainTools, the survey revealed that almost 86 percent of organizations are involved in threat hunting, and they find real value in this emerging area. Of the 494 participants to the survey, 74 percent said that threat hunting helped them reduce attack surfaces.

According to the research, 52 percent of the respondents using threat hunting said that it helped them find previously undetected threats on their enterprise. Furthermore, 59 percent said that the use of this security technique has increased the speed and accuracy of their response.

However, although a large number of organizations are already using threat hunting, more than 40 percent of them don’t have a formal program in place, and the research suggests that companies are still figuring out what such a program should look like. At the moment, respondents rely on known indicators of compromise (IOCs), manual analysis, and on using existing tools and augmenting them with customizable utilities to perform threat hunting.

The survey reveals that 86 percent of organizations believe that anomalies are the biggest trigger driving threat hunting, while 41 percent say hypothesis is a trigger. Moreover, 51 percent of respondents say that threat hunting is also triggered by third-party sources, including threat intelligence.

In the context of traditional security solutions no longer effective at keeping enterprise networks safe, more and more companies are taking the threat hunting approach. According to the survey, 62 percent of respondents revealed plans to increase spending on threat hunting in the coming year, and over 42 percent admitted plans to increase spending by over 25 percent.

Being an emerging area, threat hunting has its shortcomings, and 88 percent of the survey’s respondents admitted that their programs in the segment need improvements. Additionally, 53 percent of respondents say that their hunting is visible to the adversaries, while 56 percent said they not happy with how long it takes them to hunt for threats.

While only 2.2 percent of respondents follow a formal, published, external methodology for threat hunting, 53 percent of organizations admit they perform ad hoc hunting. This means that most organizations don’t have clear metrics to track their overall success and don’t employ a documented process for hunting.

When deploying a threat hunting program, organizations should track their success based on three key indicators, namely dwell time, lateral movement, and reinfection. They should also update their process as soon as new threats are discovered, should use automated methods of hunting as much as possible, and should augment these methods with manual intelligence, the research reveals.

SANS Institute’s survey reveals that IP addresses, network artifacts and patterns, DNS activity, host artifacts and patterns, file monitoring, user behavior and analytics, and software baseline monitoring are the top 7 data sets that support threat hunting. Moreover, the report provides details on hunting methods that organizations should use to ensure the effectiveness of a threat hunting program and also discusses the purpose and benefits of threat hunting.

The survey received responses from organizations from different industries and of different sizes: 22 percent had 1,001 to 5,000 employees, 20 percent had more than 50,000 employees, 18 percent had 100 to 1,000 employees, 17 percent had 10,001 to 50,000 employees, and 12 percent had 5,001 to 10,000 employees, and contractors.

“With cyberattacks increasing exponentially each year, it’s no surprise enterprises are attracted to Threat Hunting as a proactive multi-layered approach to discovering and mitigating cyber threats as early as possible. As the findings note, successful Threat Hunting isn’t necessarily about overhauling an existing cybersecurity program, it’s about using the third-party data and technologies that most organizations already possess in order to maximize the chances of proactively finding, attributing and eliminating an adversary before the damage is done,” Tim Chen, CEO of DomainTools, said.

Related: Microsoft Unveils Advanced Threat Protection Service

Related: Threat Intelligence: Putting the Horse Before the Cart

Threat Hunting
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.