Surveying the Threat Hunting Landscape, Part 1: The Current State of Threat Hunting
In April, the SANS Institute published the results of the first threat hunting survey to date. The results were gathered from 464 security practitioners in a variety of fields (including financial, cybersecurity, defense contracting, and government organizations) on threat hunting and the role it plays in their security infrastructure. The survey sought to determine if and how organizations are currently hunting, how they feel about their present hunting maturity, and what they have planned for increasing their hunting capabilities in the future. The survey results come at a critical time – today, companies are starting to realize what SANS calls the “three absolute facts” of security: 1) companies cannot prevent every attack; 2) an organization’s network will, at some point, be compromised; and 3) 100% security simply does not exist. It’s imperative, then, that companies try to ramp up their detection capabilities as much as possible to minimize the impact and severity of inevitable cyber attacks.
According to the results of the survey, rather positively, 86% of the companies surveyed claim to already be involved in threat hunting in some capacity. Within that majority, 52% say active hunting allowed them to find previously undetected threats, 74% of them said they’ve been able to reduce their attack surfaces as a result of threat hunting, and 59% of them said threat hunting allowed them to enhance their speed and accuracy in responding to threats. This is all promising news, and it indicates that companies are moving in the right direction with regard to leveraging proactive detection practices.
In practice, however, threat hunting today tends to be somewhat disorganized. 53% of the companies SANS surveyed stated that they don’t follow any set protocols for threat hunting. In other words, they hunt with approaches based on what they need at any given moment, in an ad hoc style. Additionally, 40% of companies lack any formal threat hunting program with assigned staff, meaning that the processes of detecting hidden adversaries are likely reactive and must be bootstrapped with each new threat, resulting in slower, less effective detection and mitigation.
28% of the companies surveyed claim to use some sort of organized methodology for removing threats, which is an indicator of a more mature hunting approach. Having a framework for organizing a hunt team and carrying out investigations, such as the Sqrrl threat hunting loop, saves time and increases efficiency, making an organization much more secure than it would be if the only security processes it used were reactive, ad hoc ones.
Ideally, a threat hunting program should be continuous in its iterative investigations. However, results from the SANS survey were mixed about organizations’ hunting frequency: 53% of companies hunt for threats constantly or at least on a regular schedule (once a week, for example), and the remaining 47% hunt infrequently or only on demand, once a threat has been discovered. Being reactive in your threat hunting tactics and only hunting when a threat has been found gives adversaries the time they need to act on their objectives until damage has already been done to your network, especially if such adversaries have the experience to know how to infiltrate a system without triggering any alerts. The ideal threat hunting process is continuous and proactive. Organizations should strive to detect adversaries before they can act on their objective.
Hunting practices must rely on effective technologies to automate investigations, but also require effective analysts to carry them out. When SANS presented a list of four main hunting components (technology, services, staffing, and training) to the companies it polled, respondents were split regarding which they placed as their highest spending priority between technology and staffing. This is hardly surprising considering that the two components are equally essential to the success of a hunting program. It should be noted, though, that a Threat Hunting Platform (THP) like Sqrrl Enterprise can help reduce the pressure to hire highly-skilled analysts, because it can provide effective and powerful automation to the hunting process on its own.
When it comes to the actual skills that organizations want in their threat hunters, most placed a strong focus on the detection of threats above other skills, such as endpoint management and penetration testing. The process of detection is where a THP like Sqrrl Enterprise really comes into play. SIEMs can still be incredibly effective in detecting possible incidents, but can also generate alerts at such high volume that analysts end up having too many to deal with. Sqrrl adds another layer of investigative power by taking in data provided by a SIEM and from around a network, and contextualizing the information associated with various entities (users, hosts, IPs, etc.) into more intuitive visualizations. It does this via a User and Entity Behavior Analytics (UEBA) process that utilizes machine learning to keep track of trends in your data, so that any anomalies reported are less likely to be false positives and more likely to be genuine threats. This increases the effectiveness and simplicity of detecting threats while conducting a hunt, so that you can spend less time finding problems and more time mitigating them.
|Survey Findings||How Sqrrl Helps|
|53% of companies lack a structured threat hunting process
28% of companies have an organized methodology
|Streamlined hunting workflows provide analysts with a framework for effectively and iteratively probing for threats on a network|
|47% hunt for threats infrequently or only on-demand||Risk scoring improves analyst situational awareness and can guide more effective, frequent hunting|
|88% want to improve their techniques
56% are unsatisfied with how long it takes them to hunt
|User and Entity Behavior Analytics can quickly isolate anomalies, adversary tactics, techniques, and procedures, complementing investigative techniques|
While most companies surveyed agree that the process of threat hunting is valuable to them in terms of reducing risk to their organization, a massive 88% say that they still need to improve their tools and capabilities. From their experiences, the three most useful approaches to lowering risk are reducing attack surfaces and hardening their systems, reducing exposure, and enhancing their response time to attacks. Gathering and utilizing friendly intelligence, i.e. information on one’s own network, is a critical part of hunting, and so can help organizations achieve these goals.
Companies know that their current implementations of hunting procedures aren’t perfect – 56% of companies surveyed, for example, said that they are unsatisfied with how long it takes them to carry out a hunt. A THP like Sqrrl can sharpen a company’s threat hunting capabilities by rapidly and automatically identifying where analysts should be focusing their investigative efforts, increasing hunting maturity with relative ease. With the right quantity and quality of data, you can rapidly identify vulnerabilities in your systems and threats hidden in your network. You can then start responding more efficiently to anything that comes your way.
In part 2 of this blog series, we will take a look at the second half of survey results, shedding light on how organizations are hunting today and what hunting practices will be growing into in the future.