A survey conducted by global cyber security training company SANS Institute, has revealed that most organisations are still simply reacting to alerts and incidents, instead of proactively seeking out intruders.
The 2018 Threat Hunting Survey report found that while organisations are broadening the scope of their threat hunting – a focused and iterative approach to searching out, identifying and understanding adversaries who have entered a network or system – the practice is still relatively poorly defined amongst IT professionals.
SANS’ third annual Threat Hunting survey questioned 600 IT professionals globally on the maturity of threat hunting programs within their organisations. This year’s findings reflect a change in mindset to the 2017 survey, in which many respondents indicated that their threat hunting methods centred completely on reactive indicators, instead of proactively seeking out threats, and identifying and counteracting adversaries who may already be in their environment.
The 2018 survey found that 43% of respondents now perform continuous and more accurate threat hunting operations, compared to just 35% in 2017. According to SANS authors Rob M Lee and Rob T. Lee, this is a strong indicator that threat hunting is growing in scope and need. However, the survey also reveals that most organisations that are hunting tend to be larger enterprises or those that have been heavily targeted in the past. What is more, 37% of respondents are still only performing threat hunting if triggered by an event or an alarm.
“Threat hunting is part of nonstandard security operations. It’s a good combination of threat intelligence and hypothesis generation based on likely and probable locations of intrusions into a network. Once an organisation begins consuming threat intelligence, natural hunting begins to take place,” commented Robert M. Lee, SANS certified instructor and co-author of the report.
Rob T. Lee, co-author and curriculum lead for digital forensic and incident response training, SANS Institute added, “One of the most notable highlights of the 2018 survey is that it demonstrates a more accurate use of threat hunting in many organisations. This change in threat hunting practices has increased since the last survey in 2017, which showed many organisations typically were hunting incorrectly through traditional intrusion detection.
“In this year’s survey, many more organisations were using proper threat intelligence to help identify the best locations inside an organisation’s network to look for anomalistic behaviours that are direct indicators of threats.”
The authors express hope that, as more organisations perform threat hunting, dwell time will shorten even more in the coming years. They indicate that dwell time currently averages above 90 days but, “as recently as 2013, the average dwell time was over six months. The decline since then shows that the adoption of threat hunting and stronger analytical techniques have had a significant impact on reducing the overall dwell time of adversaries across most networks.”
Other findings include:
Tech versus people
Organisations are prioritising buying tools over developing a well-versed staff with the analytical skills to run effective threat hunting programs. 41% of respondents said technology was the most important area for threat hunting spend; just 30% said staff. Automated threat hunting doesn’t exist, so while technology can help identify mistakes and achieve speed, it’s the skills of the human that will be able to minimise disruption and damage to the network.
Weapon of choice
The top three skills valued in threat hunting team members included log analysis (83%), threat analysis and the use of threat intelligence (73%), and a knowledge of baseline network activity (72%). Threat intelligence and hunting must go hand in hand to work effectively. Intelligence is key to effective threat hunting and focusing on people and training is paramount for that effectiveness.
Looking to the future
When asked what improvements would be required to improve threat hunting tools and capabilities, the most frequent responses were better investigative functions (59%), and more staff with investigative skills (also 59%). Both of the top options relate to the effectiveness and efficiency of staff, as well as an increasing need for skilled personnel.
To view the full results of the survey please visit: https://bit.ly/2NevvD7