According to a recent survey, cyber threats are rising dramatically, and threat hunting can help speed the time to detect, investigate, and remediate threats.
What is Threat Hunting?
To put it broadly, cyber threat hunting is the process of security professionals looking for cyber threats in their organization’s IT environment.
In recent years cyber attackers have become more sophisticated, finding ways to bypass even the most secure networks in the world.
The truth is most companies are hacked and don’t even know it – until it’s too late. With time to discovery taking 5 months on average, their attackers have ample time to inflict damage on systems and make off with their most critical data. Crowd Research Partners today released the results of its 2017 Threat Hunting Report, revealing critical insights into the new practice of cyber threat hunting as an emerging line of defense to combat advanced cybersecurity threats.
Threat Hunting Survey
Based on a comprehensive survey of cybersecurity professionals in the 350,000 member Information Security Community on LinkedIn, the Infocyte co-sponsored research report reveals that threats are rising dramatically and that deployment of sophisticated threat hunting platforms can significantly accelerate the time spent to detect, investigate and remediate these threats.
“Following the unprecedented wave of cybersecurity attacks, threat hunting is emerging as a new line of defense and the latest innovation for security operations centers (SOCs) to combat advanced security threats,” said Holger Schulze, founder of the 350,000-member Information Security Community on LinkedIn. “By pairing human intelligence with next-generation threat hunting platforms, SOC teams are empowered to proactively identify and mitigate threats faster and more reliably.”
Key threat hunting trends revealed in the study include:
- Threats are increasing 2x – Over 80% of survey respondents said threats have increased at the rate of 2x or greater in the past year. Based on current market conditions, the number of advanced and emerging threats will continue to outpace the capabilities and staffing equipped to handle those threats.
- Resource limits prevent better threat management – Detection of advanced threats and the inability of organizations to find expert security staff to assist with threat mitigation are the top two challenges security operations centers are facing.
- SOCs not well equipped – Confidence in the industry’s ability to uncover advanced threats is low. For example, data breaches still have an average dwell time of 5 months. Only about 6% of respondents stated their SOC is cutting-edge in relation to handling emerging threats.
- Threat hunting delivers strong benefits – The main benefits of threat hunting platforms include improving detection of advanced threats, creating new ways of finding threats and reducing investigation time. The average time spent to detect a threat improved by 61%, and the average time to investigate a threat improved by 42% with a threat hunting platform.
With technologies like Infocyte, it’s possible to automate the hunt for cyber threats. According to Infocyte’s article, “4 Steps to Automating the Hunt for Cyber Threats,” security pros have begun to recognize that detection tools and monitoring alone are not sufficient to do battle against today’s cyber threats.
Here are 4 key steps you need to put in place to get a threat hunting program jump started.
- Find Your Hunters – they may be closer than you think. There’s been a lot of talk about who fits the profile of a threat hunter. Some argue that it’s limited to highly skilled security one percenters and consultants. While that may have been true in the past, it is possible to empower your existing internal security and IT teams to hunt. You just need to provide them with the right tools for the job. Which leads us to the next step.
- Automate the Hunt – According to the Threat Hunting Survey, it takes teams 38 days to detect and another 26 days to investigate threats without any automation. Enterprises that have some type of threat hunting platform employed saw a 2.5X and 2X improvement respectively.
While threat hunting includes some activities that defenders have historically used such as log analysis and incident response techniques, there are new threat hunting platforms built for the job. Tools like Infocyte Hunt can assist you with the hunting process to improve the speed and efficacy of your threat hunting program. These tools automate the search for threats and empower your internal security teams to hunt without esoteric knowledge. And the faster you can identify a threat, the less harm it can do.
For the mature enterprise SOC already hunting, Infocyte HUNT enables you to do away with the custom scripts and other one-host-at-a-time DFIR processes you use to validate any suspicious behaviors that your team detects. Now you can iteratively and effectively sweep all endpoints to find entrenched threats and beachheads hiding on any of your endpoints. Some SOCs are probably already doing a lighter, less scalable version of this now using a custom toolset or scripting out an endpoint querying tool.
- Respond to Found Threats – Now that you’ve put automation in place, what do you do when you find a threat? A good threat hunting platform should give you detailed information on what has been discovered and the severity of the threat so it can be investigated further. Think of it as incident response triage. Infocyte HUNT gives malware and threat analysis drill-down that can easily be pivoted on, as well as isolation actions with a click of the mouse.
- Repeat – Threat hunting is not an annual or quarterly activity – cyberthreats are constant. Hackers don’t take days off and your threat hunting program can’t afford to either. Automation is the key to ensuring you can regularly hunt for any compromises that have bypassed other defenses, without exhausting your resources.
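The sweep, triage and repeat loop described in steps 2 through 4, as an added example that is not part of the original article and not Infocyte's code: it stacks persistence artifacts (autorun entries) collected from every endpoint, flags the ones that are rare across the fleet, ranks them for triage, and diffs the result against the previous sweep so the hunt can be repeated. The fleet inventory, usernames and SHA-256 values are constructed placeholders, and the user-writable-path heuristic and 10% prevalence threshold are assumptions chosen for the example; a real sweep would pull the inventory from an endpoint query tool and use full digests and a curated allowlist.

```python
import re
from collections import defaultdict

# Constructed fleet inventory: host -> set of (autorun location, image path, sha256).
# The digests are shortened placeholders, not real hashes.
ONEDRIVE = ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
            "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "a1a1a1a1")
ODD = ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
       "C:\\Users\\Public\\svchost.exe", "c3c3c3c3")          # rare, user-writable path
ADMIN = ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BackupAgent",
         "C:\\Program Files\\Vendor\\agent.exe", "d4d4d4d4")  # rare but in Program Files

USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
FLEET = {}
for i, user in enumerate(USERS, start=1):
    arts = {ONEDRIVE}
    if i <= 9:  # a per-user autorun whose path differs only by username
        arts.add(("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Teams",
                  f"C:\\Users\\{user}\\AppData\\Local\\Microsoft\\Teams\\Update.exe", "b2b2b2b2"))
    FLEET[f"ws{i:02d}"] = arts
FLEET["ws07"].add(ODD)
FLEET["ws10"].add(ADMIN)

# Heuristic (assumption): locations an unprivileged user or dropper can write to.
USER_WRITABLE = re.compile(r"(?i)^c:\\(users|programdata|windows\\temp)\\")


def normalize_path(path):
    """Collapse per-user profile paths so one artifact on many users stacks as one key.
    C:\\Users\\Public is shared and left as-is."""
    return re.sub(r"(?i)^c:\\users\\(?!public\\)[^\\]+\\", r"C:\\Users\\*\\", path)


def stack(inventory):
    """Prevalence stacking: artifact key -> set of hosts it was seen on."""
    seen = defaultdict(set)
    for host, artifacts in inventory.items():
        for location, image, sha256 in artifacts:
            seen[(location, normalize_path(image), sha256)].add(host)
    return seen


def triage(key, hosts, fleet_size, known_bad, allowlist, max_prevalence=0.10):
    """Return a severity for an analyst, or None when the artifact is not worth their time."""
    _location, image, sha256 = key
    prevalence = len(hosts) / fleet_size
    if sha256 in known_bad:
        return "high"       # matches threat intel: isolate and investigate first
    if sha256 in allowlist:
        return None         # known-good from an earlier hunt
    if prevalence <= max_prevalence and USER_WRITABLE.match(image):
        return "medium"     # rare and running from a path an attacker can write to
    if prevalence <= max_prevalence:
        return "low"        # rare, but from a protected location
    return None             # common across the fleet: not an outlier


def sweep(inventory, known_bad=frozenset(), allowlist=frozenset(), max_prevalence=0.10):
    """One hunting pass over the whole fleet, findings sorted by severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for key, hosts in stack(inventory).items():
        sev = triage(key, hosts, len(inventory), known_bad, allowlist, max_prevalence)
        if sev:
            findings.append({"severity": sev, "location": key[0], "image": key[1],
                             "sha256": key[2], "hosts": sorted(hosts)})
    findings.sort(key=lambda f: (order[f["severity"]], f["image"]))
    return findings


def new_since(previous, current):
    """Repeat step: artifact keys present in this sweep that the last sweep did not see."""
    before = set(stack(previous))
    return [key for key in stack(current) if key not in before]


if __name__ == "__main__":
    for f in sweep(FLEET):
        print(f"{f['severity']:6} {f['image']} on {', '.join(f['hosts'])}")
```

Run repeatedly, the `new_since` output is what an analyst reviews between sweeps, and hashes cleared in one pass go into `allowlist` so the same artifact does not resurface as a finding the next time.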