In Part 2 of this series we talked about common methodologies for threat hunting. Now, let’s look at how organizations are executing threat hunting – specifically the investments they’re making and the tools and data they find most useful.

The eternal question when making technology investment decisions is whether to invest in people, process or technology. Respondents tell SANS that they are slowly increasing their spending on staffing while still focusing their overall spending on technology – with 71% making technology their first or second highest spending priority area. Most organizations still rely on SIEM alerts for threat hunting – which actually has limited value for threat hunters since by definition they should be searching for threats that haven’t triggered an alert. Another area that has limited value to threat hunting, and here respondents were in strong agreement, is security orchestration, automation and response (SOAR). Threat hunters and security managers told SANS that SOAR alerts are not applicable to the threat hunting mission and are best handled by automation, the IR team or a SOC.

A snapshot of organizations’ threat hunting investments
Looking at other data needed to conduct a hunt, respondents rated endpoint data just behind SIEM data as being important. This aligns well with the Verizon 2019 Data Breach Investigation Report that finds the majority of breaches are due to phishing, endpoints are data-rich sources of information for threat hunters. Unfortunately, respondents say that gathering data from endpoints is still a time-consuming and manual process. They also struggle with full packet capture – another highly desirable data source for threat hunting but hard to attain. 

While not include in the SANS report, another very useful data source for hunting is the MITRE ATT&CK framework – a knowledge base for intelligence on techniques, tactics and adversaries. We expect this may surface in future survey results as our work with clients points to an increasing interest in using MITRE ATT&CK for hypothesis-based, proactive threat hunting. For example, if threat hunters are interested in malware currently being used to target their industry, they can leverage MITRE ATT&CK data to hunt for potential indicators of compromise or possible related system events within their environment.

When it comes to threat hunting, time is of the essence. SANS encourages organizations to incorporate automation to maximize the efficiency and effectiveness of threat hunting teams. Using automation to collect and normalize data and ensure its freshness helps teams to overcome the challenge of gathering and making effective use of internal threat and event data, for example endpoint and network metadata, as well as data from the numerous threat feeds and other external sources like MITRE. The ThreatQ platform accelerates this process, automatically performing intelligence consolidation, including prioritization, scoring and expiration management, based on parameters you set. 

While technology is important, you also need skilled hunters who are adept at using the tools and analyzing data, so investing in knowledge development for threat hunters must be a priority. Currently only 15% report they are making training their top priority, however 25% are making it their second-highest priority which is a positive sign. 

Finally, with respect to process – the third leg in the technology investment stool – organizations plan to increase the amount of resources allocated to this area. Over the next 12 months, organizations indicate their top priority to prepare for threat hunting is to baseline and assess their current IT and business operations in order to develop a formal threat hunting methodology. 

A path forward
Ultimately, the success of threat hunting relies on the quality of threat intelligence available and hunters’ capabilities to use that intelligence to execute proven threat hunting methodologies. Most organizations already have much of the data they need to conduct effective hunts. What they need is a way to identify and use the right data faster. A few highly skilled resources with knowledge of how to use internal and external threat and event data to develop hypothesis-based hunting operations are essential for threat hunting success. As organizations mature their threat hunting capabilities, those that will be able to show measurable improvement in their security posture will: 

• master the use of automation to accelerate and focus proactive threat hunting 
• work collaboratively with SOC and incident response teams
• continue to develop threat hunting talent

If you haven’t already, download the SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters, for a deeper dive into the research and analysis. If you’re ready to take your threat hunting capabilities to the next level, spend two minutes to watch this video and see how ThreatQ can help.