The SANS 2020 Threat Hunting Survey is now available and includes responses from IT and security professionals representing a mix of company sizes, industries and regions. Now in its fifth year, the survey has built a solid foundation of historical data which SANS certified instructors Mathias Fuchs and Joshua Lemon analyzed to present key trends and areas for improvement. 

Here are just a few of their findings:

1. Adoption of threat hunting has jumped from 75% of organizations in 2018 to 85% of organizations in 2020. And although the remaining 15% surveyed say they don’t have any type of threat hunting in place, of that group, 12% say they plan to implement it in the foreseeable future.
   
2. While some organizations take a clean slate approach – defining how their threat hunting operations need to work and building teams to meet those goals – there is still a sizeable contingent that is compliance-driven and takes a check-box approach. They stand up a threat hunting function using what they already have simply to meet certain standards and, as a result, have greater difficulty realizing tangible results and improving security posture.
3. Of organizations that perform threat hunting, only 19% have full-time threat hunters. The remainder are using staff that also fulfill other roles within the organization. Staffing a team this way can be beneficial depending on the size of the network and the other functions the staff performs. For example, if an individual is also part of the incident response (IR) team or security operations center (SOC) their deep institutional knowledge can enable them to identify suspicious activity more quickly. However, the switch between IR and threat hunting is likely easier and more fruitful, as explained in the next point.
4. For the past two years, the survey has found that IR analysts frequently double as threat hunters. This can be particularly synergistic because the tools and techniques used in both disciplines have significant overlap. For example, over 60% use threat intelligence, such as adversary tactics, techniques and procedures (TTPs) to gain knowledge about attack paths and to find new, unknown threats. 

This year, given the growth and increasing maturity of threat hunting within organizations, SANS determined the time was right to expand the survey to delve even deeper into operational aspects. Researchers added questions to learn more about how threat hunting teams perform their work, specifically:

• How do hunters conduct searches for signs of a threat or indicators of compromise (IoCs) not yet detected by other security systems?
• How are threat hunting teams using automation and enrichment? 
• How are threat hunting teams approaching hunting – what tools and sources are they using?
• How is threat hunting measured, has this matured and what methods are organizations using?

In our next blog, we’ll explore these topics and discuss how the ThreatQ platform plays a pivotal role. We’ll take a particularly close look at automation and enrichment, the synergies between threat intelligence and SOAR platforms, and how ThreatQuotient’s approach to SOAR platforms helps accelerate threat hunting and improve effectiveness.

It’s exciting to see that threat hunting is maturing and gaining greater traction in a cross-section of organizations. 

How does your organization stack up?

Download your complimentary copy of the SANS 2020 Threat Hunting Survey for additional key learnings and details that can help your organization reap greater value from threat hunting operations. 

And in case you missed the SANS survey results webcast, you can view it here on demand.