How can IT security threat hunters measure success? That is one of the core questions raised by the new SANS 2019 Threat Hunting Survey, which was co-sponsored by Authentic8.
The answer may lie in a strategy and tool selection that avoids mission and cost creep, and results in measurable effects - and savings - to prove it.
That’s our main takeaway from this year’s Threat Hunting Survey. Co-authors Mathias Fuchs and Joshua Lemon capture the different needs and challenges within organizations that are just starting their cyber threat hunting program, versus those who are honing their skills and programs.
Definitions of Threat Hunting
What is threat hunting? The SANS survey results document a wide variety of methodologies, spending priorities, tools deployed, training needs - and opinions about what constitutes effective threat hunting practices.
"Many organizations use an alert-driven approach to threat hunting or use indicators of compromise [IoCs] to guide their hunts," says Mathias Fuchs, a SANS instructor and threat hunting expert. "It seems that fewer organizations are using hypothesis-driven hunting—and that could leave them vulnerable to dangerous visibility gaps."
Most respondents report using a variety of reactive approaches to threat hunting, including alerts (40%) or IoCs via a SIEM or other alerting system to find adversary tools or artifacts (57%).
The SANS security professionals label such approaches as “excellent supplements [that] should not take the place of using proactive hunting techniques.” Only 35% of respondents create hypotheses to guide their hunting activities, they point out.
One reason may well be that threat hunters already have (too) much on their plate. Organizations continue to require threat hunters to work in multiple cybersecurity roles. Cybersecurity professionals conducting threat intelligence report having major responsibilities for managing SOC alerts (34%) or for IR and forensics of breaches (26%).
Threat Hunters Under Pressure
Another challenge threat hunters are facing, says report co-author Josh Lemon, is that organizations have difficulty measuring the benefits or organizational impact of threat hunting. Being able to measure and show the performance abilities of a threat hunting team, concludes Lemon, “can make or break a team, its funding or its objectives."
That’s why more threat hunting teams of all sizes are relying on Silo Research Toolbox, a cloud-based web isolation and research platform built for the rigors of threat research across the open, deep, and dark web.
Source (excerpt): Economics of Silo Research Toolbox
Silo saves money and resources over the “DIY approach” of assembling a threat hunting platform from off-the-shelf and open source solutions. Many threat hunters face questions in their organizations over the cost creep and the configuration, maintenance, and post-mission clean-up burden that the old approach entails.
Threat hunting teams that deploy Silo Research Toolbox save on average 89% annually over those who operate a custom-made solution, as an itemized comparison shows.