ThreatQuotient-sponsored study SANS Threat Hunting 2019 shows the role of threat hunter often unclear
The study is based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.
Unlike the Security Operations Center (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them. This involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data.
“However, the reality within corporate IT is often different,” said Markus Auer, regional sales manager for Central Europe at ThreatQuotient. “In many teams, the distinction between SOC, IR and threat hunting is too blurred, and threat hunters are used for reactive processes contrary to their actual role.”
The SANS study data confirms that most threat hunters react to alerts (40 per cent) or data such as indicators of compromise from the SIEM (57 per cent). Only 35 per cent of participants say that they work with hypotheses during threat hunting – a process that should be part of the arsenal of every threat hunter. “Responding to threats is important for security, but it is not the main task of the threat hunter. They should be looking for threats that bypass defenses and never trigger an alert,” Auer emphasised.
“Many companies are still in the implementation phase and are more willing to spend money on tools than on qualified experts or training existing employees to be threat hunters,” commented Mathias Fuchs, certified instructor at SANS and co-author of the study. “When threat hunting is carried out, it is more of an ad hoc approach than a planned program with budget and resources.”
Due to the proactive nature of threat hunting, companies often find it difficult to accurately measure the economic benefits of these security measures. Ideally, the experts prevent threats from becoming a critical problem in the first place. However, 61 per cent of respondents said their overall IT security status has improved by at least 11 per cent due to threat hunting. These figures show that targeted threat discovery is important and that investing in dedicated threat hunting teams delivers measurable improvement in IT security for organisations.
