85 percent of enterprises have already adopted some form of threat hunting to track down and eliminate cyber adversaries as early as possible. This proactive model combines existing tooling with human analysts who actively search for intrusions, rather than waiting for alerts, to strengthen the security posture of the organization.
According to new SANS/DomainTools research, adopters of this model reported positive results, with 74 percent citing reduced attack surfaces, 59 percent experiencing faster speed and accuracy of responses, and 52 percent finding previously undetected threats in their networks.
“As the findings note, successful threat hunting isn’t necessarily about overhauling an existing cybersecurity program; it’s about using the third-party data and technologies that most organizations already possess in order to maximize the chances of proactively finding, attributing and eliminating an adversary before the damage is done,” noted Tim Chen, CEO of DomainTools.
As the number of cyber threats continues to climb, understanding and managing cybersecurity risk has become top of mind for all organizations. Businesses are responding by implementing holistic initiatives such as threat hunting to reduce overall organizational risk, instead of relying solely on traditional, siloed point controls such as firewalls or intrusion detection systems (IDS).
The research corroborates the shift towards a threat hunting approach, with 62 percent of organizations planning to increase spending on threat hunting in the coming year and over 42 percent increasing it by 25 percent or more.
Additional key findings from the SANS report include:
- The top seven data sets that support threat hunting are: IP addresses, network artifacts and patterns, DNS activity, host artifacts and patterns, file monitoring, user behavior and analytics, and software baseline monitoring.
- 86 percent of respondents said the most common trigger for launching a hunt is an anomaly or anything that deviates from normal network behavior.
- Only 23 percent of businesses have hunting processes that are invisible to attackers. The majority of organizations therefore risk exposing their internal hunting TTPs (tactics, techniques and procedures), for example the queries, indicators and data sources hunters rely on, to an adversary who can observe the hunt and adjust behavior to avoid it.
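The findings above name the data sets hunters lean on (DNS activity, host and network artifacts, baselines) and say that the usual trigger for a hunt is a deviation from normal behavior. The following script, added here as an illustration and not part of the SANS/DomainTools report or any vendor tool, shows what an anomaly-triggered hunt over DNS activity looks like in practice: it builds a per-host baseline from earlier days of query logs and flags hosts whose hunt-day activity deviates from that baseline. The log format, host addresses, domain names and thresholds are all constructed assumptions.

```python
"""Anomaly-triggered hunt over DNS activity: flag hosts whose query pattern
deviates from their own baseline. Added example, not from the SANS/DomainTools
report; the log format, sample data and thresholds are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed sample log: "<YYYY-MM-DD> <HH:MM:SS> <client_ip> <qname> <qtype>".
# Two baseline days of routine activity, then a hunt day on which 10.0.0.9
# suddenly resolves many never-before-seen names under one domain at 02:14.
SAMPLE_LOG = """\
2023-05-01 09:00:01 10.0.0.5 www.example.com A
2023-05-01 09:05:12 10.0.0.5 mail.example.com A
2023-05-01 10:17:45 10.0.0.5 cdn.example.net AAAA
2023-05-01 09:01:03 10.0.0.9 www.example.com A
2023-05-01 13:30:00 10.0.0.9 updates.vendor.example A
2023-05-02 09:00:07 10.0.0.5 www.example.com A
2023-05-02 09:04:59 10.0.0.5 mail.example.com A
2023-05-02 11:02:10 10.0.0.5 cdn.example.net AAAA
2023-05-02 09:00:44 10.0.0.9 www.example.com A
2023-05-02 13:30:05 10.0.0.9 updates.vendor.example A
2023-05-03 09:00:02 10.0.0.5 www.example.com A
2023-05-03 09:05:30 10.0.0.5 mail.example.com A
2023-05-03 12:41:18 10.0.0.5 news.example.org A
2023-05-03 09:00:40 10.0.0.9 www.example.com A
2023-05-03 02:14:01 10.0.0.9 a9f3k.cdn-sync.example A
2023-05-03 02:14:02 10.0.0.9 q7zx1.cdn-sync.example A
2023-05-03 02:14:03 10.0.0.9 m2vb8.cdn-sync.example A
2023-05-03 02:14:04 10.0.0.9 t5ru0.cdn-sync.example A
2023-05-03 02:14:05 10.0.0.9 k1pl4.cdn-sync.example TXT
2023-05-03 02:14:06 10.0.0.9 w8nc2.cdn-sync.example TXT
2023-05-03 02:14:07 10.0.0.9 j3hd6.cdn-sync.example TXT
2023-05-03 02:14:08 10.0.0.9 e6ya9.cdn-sync.example TXT
"""

HUNT_DAY = date(2023, 5, 3)  # assumed: everything before this day is baseline


def parse_dns_log(text):
    """Parse the constructed log lines into (day, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, _time, client, qname, qtype = line.split()
        records.append((date.fromisoformat(day), client, qname.lower().rstrip("."), qtype))
    return records


def build_baseline(records, hunt_day):
    """Per client: the set of query names seen before hunt_day and its mean queries per day."""
    names = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for day, client, qname, _qtype in records:
        if day < hunt_day:
            names[client].add(qname)
            per_day[client][day] += 1
    baseline = {}
    for client in names:
        counts = per_day[client].values()
        baseline[client] = {"names": names[client], "daily_avg": sum(counts) / len(counts)}
    return baseline


def hunt(records, hunt_day, new_name_threshold=3, volume_factor=3.0):
    """Return one finding per client whose hunt-day DNS activity deviates from its baseline.

    A client is flagged when it resolves at least new_name_threshold names it never
    queried during the baseline, when its query volume is volume_factor times its
    baseline daily average, or when it has no baseline at all (a host never seen before).
    """
    baseline = build_baseline(records, hunt_day)
    today = defaultdict(list)
    for day, client, qname, _qtype in records:
        if day == hunt_day:
            today[client].append(qname)
    findings = []
    for client, qnames in sorted(today.items()):
        base = baseline.get(client)
        reasons = []
        if base is None:
            new_names = sorted(set(qnames))
            reasons.append("no baseline: host not seen before hunt day")
        else:
            new_names = sorted(set(qnames) - base["names"])
            ratio = len(qnames) / base["daily_avg"]
            if len(new_names) >= new_name_threshold:
                reasons.append(f"{len(new_names)} never-before-seen query names")
            if ratio >= volume_factor:
                reasons.append(f"query volume {ratio:.1f}x baseline")
        if reasons:
            findings.append({"client": client, "new_names": new_names,
                             "today_count": len(qnames), "reasons": reasons})
    return findings


def run_sample():
    """Run the hunt over the constructed log; only 10.0.0.9 should be flagged."""
    return hunt(parse_dns_log(SAMPLE_LOG), HUNT_DAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["client"], "->", "; ".join(finding["reasons"]))
        for name in finding["new_names"]:
            print("   ", name)
```

On the sample data, 10.0.0.5 queries one new name on the hunt day and stays at its usual volume, so it is not flagged; 10.0.0.9 resolves eight never-before-seen names and more than quadruples its volume, which is exactly the kind of deviation the survey respondents describe as a hunt trigger. In a real deployment the baseline window would be weeks rather than two days, query names would be collapsed to their registrable domain using a public-suffix list so that ordinary CDN hostnames do not inflate the new-name count, and the output would open a hunt case rather than print to a terminal.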