ThreatQuotient has announced the results of the SANS Threat Hunting 2019 study. The most important result is the worldwide confusion about the role and tasks of a threat hunter.
The study, sponsored by ThreatQuotient and conducted by SANS is, based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.
Unlike the Security Operations Center (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them. This involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data.
“However, the reality within corporate IT is often different,” said Markus Auer, regional sales manager CE, ThreatQuotient. “In many teams, the distinction between SOC, IR and threat hunting is too blurred, and threat hunters are used for reactive processes contrary to their actual role.”
The SANS study data confirms that most threat hunters react to alerts (40 percent) or data such as indicators of compromise from the SIEM (57 percent). Only 35 percent of participants say that they work with hypotheses during threat hunting – a process that should be part of the arsenal of every threat hunter. “Responding to threats is important for security, but it is not the main task of the threat hunter. They should be looking for threats that bypass defenses and never trigger an alert,” said Auer.
The fact that threat hunting is still in its infancy is evident based on suboptimal prioritisation of resources.
“Many companies are still in the implementation phase and are more willing to spend money on tools than on qualified experts or training existing employees to be threat hunters,” says Mathias Fuchs, Certified Instructor at SANS and co-author of the study. “When threat hunting is carried out, it is more of an ad hoc approach than a planned program with budget and resources.”
In fact, 71 percent of participating companies consider technology to be first or second in terms of resource allocation for threat hunting. Only 47 percent of respondents focus on hiring new personnel and 41 percent on training employees.
Due to the proactive nature of threat hunting, companies often find it difficult to accurately measure the economic benefits of these security measures. Ideally, the experts prevent threats from becoming a critical problem in the first place. However, 61 percent of respondents said their overall IT security status has improved by at least 11 percent due to threat hunting. These figures show that targeted threat discovery is important and that investing in dedicated threat hunting teams delivers measurable improvement in IT security for organisations.
Threat hunting teams benefit from a single security architecture that integrates seamlessly with existing processes and technologies. The ThreatQ platform enables such an architecture. The solution accelerates and simplifies investigations and collaboration within and across teams and tools. It supports Incident Response and threat hunting and serves as a threat intelligence platform. Through automation, prioritisation and visualisation, disruptions can be minimised and high-priority threats can be identified to enable more targeted action and provide decision support for limited resources.