SANS recently published their 2019 Threat Hunting Survey in which they explore the differing needs of new and experienced threat hunters. In this three-part blog series, I provide an overview of some of the key findings from the data gathered from the 575 respondents who represent organizations of all sizes and either work in the field of threat hunting or alongside threat hunters. We’ll explore the how and who of threat hunting, the methodologies and effectiveness, and conclude with spending, tools and a recommended path forward.

Before we get started, let’s set the stage by defining threat hunting since there are many misconceptions about what constitutes threat hunting. Threat hunting is a proactive approach to identifying signs of an attack, as opposed to the more reactive approach security operations center (SOC) analysts follow. Threat hunting provides organizations with a better chance of catching an attack early. This may sound straightforward, but the SANS survey found that a large segment of respondents had a hard time distinguishing between threat hunting, incident response and SOC activities. 

How threat hunting is different
While threat hunting, incident response and SOC activities are intertwined, there are big differences. The SOC team monitors, validates and prioritizes alerts and triages them. The incident response team comes in after the SOC team finds something malicious and handles the aftermath of an attack or breach with the goal of limiting damage and reducing recovery time. The threat hunting team covers the areas the SOC isn’t watching and the sensor grid hasn’t detected. They are the only team that takes proactive steps to uncover a threat before an alert is sounded, or in the absence of an alert occurring.

The SANS report likens threat hunters to “human, extremely intelligent SIEM solutions that search for evil.” To drive their threat hunting efforts, 35% create hypotheses to guide their hunts and 56% use threat intelligence to hypothesize where attackers may be found. Rather than leveraging only data that’s already available in the form of alerts, hypothesis-based threat hunting uncovers blind spots in an organization’s security and investigative capabilities.

Processes that don’t include proactive steps to search for potential threats, and instead rely on alerts from tools or third parties to detect attacks or breaches, are valuable to mitigate risk but really don’t qualify as threat hunting.

Who comprises a threat hunting team
While 61% of the respondents report at least an 11% measurable improvement in their overall security posture, few organizations have dedicated threat hunting teams. Most threat hunters have additional responsibilities in the SOC, performing incident response or designing security infrastructure. Less than a third of the organizations surveyed conduct threat hunting as a formal program with specifically assigned staff, and 43% perform threat hunting on an ad hoc basis, many using their SOC analysts for the job. The challenge here is that given the nature of threats, threat hunting must be iterative and continuous and requires skill sets that are different from SOC analysts. For example, threat hunters must be adept at quickly identifying indicators that might reveal adversaries that are staying below the radar and they also must know how to connect historical attacks with other resources to understand an attacker’s tactics, techniques and procedures (TTPs) and how they might move laterally when inside the environment. 

When it comes to team sizes, it’s important to remember quality versus quantity is what matters. Most threat hunting teams consist of one to four dedicated hunters and the vast majority of organizations have no plans to increase staff significantly. When asked about the skills they believe to be most important for threat hunters, knowledge in baseline network communication and activity topped the list, followed closely by incident response, threat intelligence and analysis, and knowledge of baseline endpoint applications, users and access. 

Given that threat hunting is still in its early stages for most companies and teams are relatively small, organizations need to think creatively about how to structure security operations teams and processes to help threat hunters work efficiently. One important way is to encourage your threat hunters to collaborate with SOC teams and incident responders. Sharing information benefits all three groups and strengthens your overall security posture. For example, threat hunting may trigger an incident response investigation and the results of an investigation may provide valuable intelligence for SOC analysts as well as insights into methodologies that may inform future hunts. 

For additional details, download the SANS 2019 Threat Hunting Survey and stay tuned for Part 2 of this blog series where I’ll talk about threat hunting methodologies and how to measure effectiveness.