
Latest SANS Threat Hunting Report shows threat hunters still disagree on what constitutes threat hunting, and that few dedicated teams exist

SANS Institute, the international leader in cyber security training and certifications, has released the SANS 2019 Threat Hunting Report, which indicates that threat hunting is still in its infancy, with few dedicated groups in existence and differing views on what constitutes threat hunting and how to hunt.

"Many firms use an alert-driven strategy to threat hunting or use indicators of compromise [IoCs] to guide their hunts," says Mathias Fuchs, a SANS instructor and co-author of the survey. "It seems that fewer organizations are using hypothesis-driven hunting, and that ought to leave them inclined to hazardous visibility gaps."

Most respondents report using a variety of reactive approaches to threat hunting, such as working from alerts (40%) or from IoCs fed through a SIEM or another alerting system to find adversary tools or artefacts (57%). Such methods are useful supplements, but they should not take the place of proactive hunting techniques. Surprisingly, only 35% of respondents create hypotheses to guide their hunting activities.
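To make the distinction concrete, the following added example (not code from SANS, the report, or this article) contrasts the two approaches the survey describes. It runs an IoC match and a hypothesis-driven check over a handful of constructed endpoint events: the event fields, the hash values, the hypothesis ("a scheduled task created outside business hours by a non-admin account is worth a look") and the business-hours window are all assumptions made for illustration.

```python
"""Contrast IoC-driven and hypothesis-driven hunting over sample events.

Added example; not part of the SANS 2019 Threat Hunting Report.
All events, hashes and the hypothesis below are constructed.
"""
from datetime import datetime

# Constructed endpoint process-creation events (not real telemetry).
EVENTS = [
    {"id": 1, "ts": "2019-03-04T10:12:00", "host": "ws-01", "user": "alice",
     "image": r"C:\Windows\System32\schtasks.exe", "sha256": "h1",
     "is_admin": False},
    {"id": 2, "ts": "2019-03-04T02:47:00", "host": "ws-07", "user": "svc-backup",
     "image": r"C:\Windows\System32\schtasks.exe", "sha256": "h1",
     "is_admin": False},
    {"id": 3, "ts": "2019-03-04T14:30:00", "host": "ws-03", "user": "bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "sha256": "h-bad",
     "is_admin": False},
    {"id": 4, "ts": "2019-03-04T23:05:00", "host": "srv-01", "user": "admin",
     "image": r"C:\Windows\System32\schtasks.exe", "sha256": "h1",
     "is_admin": True},
    {"id": 5, "ts": "2019-03-04T03:10:00", "host": "ws-02", "user": "carol",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": "h3", "is_admin": False},
]

# Constructed IoC feed: file hashes a threat-intel source has flagged.
KNOWN_BAD_HASHES = {"h-bad"}

# Assumed business-hours window (local time, 24h clock).
BUSINESS_START, BUSINESS_END = 8, 18


def ioc_hunt(events, bad_hashes):
    """Reactive hunt: return events whose file hash matches a known IoC.

    Only catches what an intel source has already seen; a new or
    renamed tool with an unseen hash produces no hit at all.
    """
    return [e for e in events if e["sha256"] in bad_hashes]


def offhours_nonadmin_schtasks(event):
    """Hypothesis predicate (constructed for this example).

    Scheduled-task creation by a non-admin account outside business
    hours is unusual enough in this environment to merit review. No
    indicator is involved; the check is about behaviour, not a hash.
    """
    hour = datetime.fromisoformat(event["ts"]).hour
    in_hours = BUSINESS_START <= hour < BUSINESS_END
    return (event["image"].lower().endswith("schtasks.exe")
            and not event["is_admin"]
            and not in_hours)


def hypothesis_hunt(events, hypothesis=offhours_nonadmin_schtasks):
    """Proactive hunt: return events satisfying a behavioural hypothesis."""
    return [e for e in events if hypothesis(e)]


def visibility_gap(events, bad_hashes):
    """Events the hypothesis surfaces that an IoC-only hunt would miss.

    This set is the 'visibility gap' an alert- or IoC-driven program
    never sees, because nothing in it matches a known indicator.
    """
    ioc_ids = {e["id"] for e in ioc_hunt(events, bad_hashes)}
    return [e for e in hypothesis_hunt(events) if e["id"] not in ioc_ids]


if __name__ == "__main__":
    print("IoC hits:       ", [e["id"] for e in ioc_hunt(EVENTS, KNOWN_BAD_HASHES)])
    print("Hypothesis hits:", [e["id"] for e in hypothesis_hunt(EVENTS)])
    print("Visibility gap: ", [e["id"] for e in visibility_gap(EVENTS, KNOWN_BAD_HASHES)])
```

Running the script shows the IoC pass flagging only event 3 (the known hash), while the hypothesis pass flags event 2, an off-hours task creation by a service account whose binary hash is perfectly clean. Event 2 is exactly the kind of finding that an IoC- or alert-driven program never surfaces, which is why the two methods complement rather than replace each other.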

Organizations continue to require threat hunters to work in multiple roles. Hunters report having primary duties for managing SOC alerts (34%) or for incident response and forensics of breaches (26%). Very few organizations have moved to a dedicated hunt team over the previous three surveys, indicating that threat hunting, and threat hunting teams, are still in their infancy.

"One reason we aren't seeing more growth in devoted threat hunting groups can also be that organizations have problems measuring the advantages or organizational impact of threat hunting," posits Josh Lemon, survey co-author and SANS instructor. "Being able to measure and show the performance abilities of a threat hunting team is fundamental to the life of a group and its engagement by the rest of the business; it is a metric that can make or smash a team, its funding or its objectives."

While 24% of respondents were unable to determine whether they had measurable improvements as a result of threat hunting, 61% reported at least an 11% improvement in their overall security posture. Organizations have seen a marked gain in more robust detections and better coverage across the environment, with 36% reporting significant improvement and another 53% reporting some improvement. Other key gains are in attack surface exposure (hardened networks and endpoints), with 35% seeing significant improvement and 58% seeing some improvement, and in more accurate detections with fewer false positives, at 32% significant improvement and 51% some improvement.
