Threat hunters are some of the most specialized and experienced workers in the SOC. They are incredibly valuable to the organization, but as the 2023 SANS Threat Hunting Survey finds, they’re continually being asked to multi-task and take on other duties. And that’s taking away from their primary job of hunting for threats.
How can we change this status quo and help threat hunters (and the organizations they work for) be successful? That’s the million-dollar question.
The latest SANS survey marks eight years of digging into these challenges and understanding how companies’ threat hunting efforts have gone in the previous year. This helps the cybersecurity industry understand what will be most effective in the year ahead.
The SANS Institute asked its standard battery of questions this year, but also included some new questions to get a more in-depth understanding of how organizations perform threat hunting. The organization also dug deeper into the role that leadership plays in an organization’s threat hunting process, while also providing insight into how businesses can create threat hunting methodologies.
Let’s take a look at what this year’s report has to offer. In terms of how today’s threat hunters spend their days:
While it may generally be a good idea for threat hunters to have a more comprehensive understanding of their organization’s security, multitasking may interfere with the quick and efficient execution of threat hunts.
That said, it’s important to note that threat hunters aren’t operating in a silo. In many situations, threat hunters may be conducting full analysis across one product in depth, which means they need to look at all of the various inputs and outputs to really understand what the landscape looks like. They might be looking at one product, but it may involve multiple threats at one time and this kind of focused analysis is important to their overall work.
How Threat Hunters Work
Many survey participants (43%) said that it usually takes one or two days to complete a hunting mission, while 15% of participants reported that it takes more than a month. This range is wide because there are so many different scenarios and resulting actions that can occur during a hunt.
A hunting hypothesis is typically produced before the stage at which you use solutions like SIEMs or endpoint detection and response (EDRs). More than 68% of respondents use such tools to deliver and manage intelligence, which marked a 2% increase over the previous year.
The only tool category to decrease was “artificial intelligence and machine learning to assist hunting.” Half of the respondents used that class of tools in the previous year, but this year it only received 45% of responses. This is not all that surprising because most companies react in a knee jerk way by blocking or limiting AL/ML use without fulling understanding the use cases associated with it.
As with previous years, the general preference for a winning set of tools would be a combination of those in the SIEM/EDR category and “third-party platforms that deliver threat intelligence.” Sixty-two percent of respondents were happy with third-party platforms, whereas the SIEM/EDR category yielded satisfaction or high satisfaction for 82% of respondents. Similar to prior years, 62% of respondents are also satisfied with homegrown tools, matching their satisfaction with third-party tools.
The Pros and Cons of Homegrown Tools
It’s also intriguing to learn how frequently threat hunters use homegrown and bespoke technologies. The theory is that the more areas manufacturers offer in their business tools, the fewer customized solutions a hunting organization will require. Use of “configurable, customizable, internally developed search tools” rose to 67% this year (a 5% gain from last year). The growth is strikingly similar to the rise in SIEM and EDR solution use.
Though they can be very effective and valuable, homespun tools are not free. These tools are frequently attended to by a single developer or a small group of staff. This lowers the cost of development but raises the amount of resources required for application management. For instance, you will need to create plans for maintaining the tool long after the lead developers leave the company.
What Role Does Leadership Play?
Experience tells us that the level of leadership involvement has a significant impact on how effective threat hunting is for a company. The additional questions SANS included this year revealed that leadership teams, including the C-suite, are getting more involved with methodology and aware of hunt missions.
SANS was trying to get a better understanding of which areas threat hunters want more support from leadership. Of course, they reasoned that this would directly correspond to the difficulties faced by threat hunters. Yet, they found that the area in which organizations require the most support from their leaders is planning and process development (73%). Staff development and training (72%) was a close second, and hiring (64%) came in third.
Threat hunters still identify a need for greater leadership assistance in staff development and more training, but SANS also observes that threat hunters are appealing to their leadership to offer strategies and processes to increase their success.
A More Mature Threat Hunting Program
This year’s SANS survey revealed that threat hunting as a whole is maturing, and that’s great news. The use of hypothesis-based hunting has spread throughout many organizations, for instance, and methodologies have gotten better. Improving threat hunting operations stands to deliver better detections with fewer false positives to the SOC.
However, it’s worrisome that so many threat hunters aren’t able to focus on their task single-mindedly but must take on other duties as well. Enabling them to work without distraction would serve them and the company’s cybersecurity posture as a whole. And it’s clear these employees, highly trained as they are, stand to benefit from leadership’s involvement.
To learn more about the latest SANS findings, read the full survey.
