The Threat Hunters

Organizations are moving beyond detecting threats to actively seeking out network intruders.


They're on the hunt, in companies around the world. Combining technology tools with detective skills, they are hunting for hidden adversaries on their networks. And their numbers are growing.

More than four in ten organizations responding to the SANS 2018 Threat Hunting Survey say they conduct continuous threat hunts, up from 35% in information security training firm SANS Institute's 2017 study. More than one-third commence such hunts to look for underlying problems in response to a security event.

Their aim is to root out intruders, who can dwell on a network for an average of more than 90 days before they are detected. "Most of the organizations that are hunting tend to be larger enterprises or those that have been heavily targeted in the past," according to co-authors Robert M. Lee, a SANS instructor, and Rob Lee, curriculum lead at the institute. SANS surveyed 600 organizations for the report.

Threat hunting goes well beyond the intrusion detection most organizations rely on to discover security breaches. The SANS report defines it as an iterative approach to searching for and identifying adversaries on an organization's network. It's about combining threat intelligence and hypothesis generation to home in on the locations that intruders are most likely to target.

Threat hunting can be effective, the report notes. For example, 21% found four to 10 threats during threat hunts. Nearly 17% found as many as 50 such threats.

Intelligence Is Key

One reason for threat hunting's effectiveness is that hunters are harnessing better threat intelligence, the report finds. Most respondents (58%) say they rely on intelligence generated internally based on previous incidents. Moreover, 70% tap into intelligence from third-party sources such as anti-virus signatures.

"Nothing is more valuable than correctly self-generated intelligence to feed hunting operations," the authors say. However, organizations without such capabilities may need to turn to third parties. In fact, they recommend blending the two forms of intelligence as a way to reduce adversary dwell times.

People and Technology

Still, respondents depend most on alerts from network monitoring tools for their threat intelligence, which the authors point out isn't really threat hunting — a common misconception. This reliance on sensors may indicate that organizations still see threat hunting as a technology solution. The survey results bear this out, with more than 40% prioritizing technology investments for threat hunts versus 30% for qualified personnel.

The emphasis on technology is misplaced, the authors say. Yes, threat hunters depend on automation to do things faster, more accurately, and at greater scale. "However, by its definition, hunting is best suited for finding the threats that surpass what automation alone can uncover," they stress. Instead, technology and people must be intertwined.

The authors recommend that organizations prioritize recruiting and training skilled staff for threat hunts. In particular, they say such professionals are more likely to detect threats and create tools they will need to be effective.

Respondents say the baseline skills for threat hunters are network, endpoint, threat intelligence, and analytics. More advanced capabilities include digital forensics and incident response.

Hunting Tools

Hunters need weapons, and this is where technology tools come into play. Nine out of 10 respondents say their threat hunters use the organization's existing IT infrastructure tools, while 62% have developed customized tools.

However, the authors question whether these tools are providing the view of the network needed for successful hunts, noting that they often are detection-based. Such tools may not find all the intruders who have breached the network, they say.

Whatever their tools, the report notes that threat hunting can be resource-intensive and requires an emphasis on analysis and developing hypotheses about adversaries. Although growing percentages of respondents are basing hunts on continuous monitoring or incident response, it may be more effective to conduct scheduled hunts. "Even a few hunts per year, when done correctly, can be highly effective for the organization," the authors say.

Tim McCollum

About the Author

Tim McCollum is Internal Auditor magazine's associate managing editor.

