SANS Institute has released the SANS 2019 Threat Hunting Report, which shows that threat hunting is still in its infancy with few dedicated teams in existence and differing views on what constitutes threat hunting and how to hunt.
Most respondents report using a variety of reactive approaches to threat hunting, including alerts, 40%, or IoCs via a SIEM or other alerting system to find adversary tools or artefacts, 57%. Such approaches are excellent supplements, but should not take the place of using proactive hunting techniques. Surprisingly, only 35% of respondents create hypotheses to guide their hunting activities.
Organisations continue to require threat hunters to work in multiple roles. Hunters report having major responsibilities for managing SOC alerts, 34%, or incident response and forensics of breaches, 26%. Very few organisations have moved to a dedicated hunt team over the past three surveys, indicating that threat hunting, and threat hunting teams, are still in their infancy.
While 24% of respondents were unable to determine whether they had measurable improvements as a result of threat hunting, 61% reported having at least an 11% improvement in their overall security posture. Organisations have seen a marked improvement in more robust detections and better coverage across the environment, with 36% claiming significant improvement and another 53% realising some improvement. Other key improvements are attack surface exposure/hardened networks and endpoints, with 35% seeing significant improvement and 58% seeing some improvement, and more accurate detections and fewer false positives, at 32% significant improvement and 51% some improvement.
“Many organisations use an alert-driven approach to threat hunting or use indicators of compromise to guide their hunts,” says Mathias Fuchs, SANS Instructor and co-author of the survey. “It seems that fewer organisations are using hypothesis-driven hunting, and that could leave them vulnerable to dangerous visibility gaps.”
“One reason we aren’t seeing more growth in dedicated threat hunting teams may be that organisations have difficulty measuring the benefits or organisational impact of threat hunting,” posits Josh Lemon, survey co-author and SANS Instructor. “Being able to measure and show the performance abilities of a threat hunting team is critical to the life of a team and its engagement by the rest of the business; it’s a metric that can make or break a team, its funding or its objectives.”