Short Summary:

The “Voice of a Threat Hunter 2024” report reveals that 53% of security practitioners believe their threat hunting programs are very effective, up from 41% in 2023. Key factors for this effectiveness include the right tools, trained analysts, and baseline data. The report also highlights the top objectives, challenges, enhancements, and priorities for threat hunting programs, emphasizing the need for proactive measures and adequate funding.

Key Points:

  • 53% of practitioners find their threat hunting programs very effective in 2024.
  • Key contributors to effectiveness: right tools (EDR, SIEM), trained analysts, and baseline data.
  • Top objective: proactive detection of unknown threats.
  • Major challenges: lack of funding and historical data, and insufficient trained personnel.
  • Desired enhancements: actionable threat intelligence and additional staff with threat hunting experience.
  • 44% expect their budgets to increase in 2024.
  • Top priorities include expanding third-party monitoring and increasing host/network visibility.
  • Biggest worry: retaining qualified personnel and measuring program success.

MITRE ATT&CK TTPs – created by AI

  • Initial Access (TA0001)
    • Phishing: Using deceptive emails to gain access to systems.
  • Execution (TA0002)
    • Command and Scripting Interpreter: Utilizing scripts to execute commands.
  • Persistence (TA0003)
    • Registry Run Keys / Startup Folder: Adding entries to ensure malware runs at startup.
  • Privilege Escalation (TA0004)
    • Exploitation for Client Execution: Exploiting vulnerabilities to gain higher privileges.
  • Defense Evasion (TA0005)
    • Obfuscated Files or Information: Hiding malicious files to avoid detection.
  • Credential Access (TA0006)
    • Brute Force: Attempting to gain access by trying multiple passwords.
  • Discovery (TA0007)
    • Network Service Scanning: Scanning for active services on a network.
  • Lateral Movement (TA0008)
    • Remote Services: Using legitimate remote services to move across the network.
  • Impact (TA0009)
    • Data Encrypted for Impact: Encrypting files to disrupt access.

The Evolution of Threat Hunting

According to Nearly 300 Security Practitioners

One of the best ways to proactively protect your organization is through threat hunting. Then, with the right tools, training, and intelligence, security practitioners can take their threat hunting program one step further to conduct threat reconnaissance, where they track relevant threats to their organization and take action before a breach or attack can happen.

But are security teams today equipped with the right tools, people, and processes to make their threat hunting program effective? To learn more, we surveyed 293 security practitioners for this year’s “Voice of a Threat Hunter 2024.” They shared about the current state of their threat hunting program and what they need to make it more proactive and effective.

Here’s how this year’s responses show changes, improvements, and setbacks from last year’s responses.

 

Threat Hunting Program Effectiveness

In 2024, 53% believe their current threat hunting program is very effective — an increase from 41% in 2023. They’re putting in place tools, people, and processes that are increasing their effectiveness and increasing their confidence as well.

What made their threat hunting so effective in 2024 was having the right tools in place such as endpoint detection and response (EDR) and security information and event management (SIEM), which ranked second in 2023. Another contributor is having trained and experienced threat hunting analysts, which ranked first in 2023. The third contributor to effectiveness is having baseline data available to threat hunters to identify what host and network “normal” looks like, which ranked sixth last year. What ranked third last year? Having formalized processes and procedures for conducting threat hunts.

Overall, threat hunting is made effective by having the right tools, people, processes, and data in place — a comprehensive approach to threat hunting.

 

Top Objectives

In 2024, proactive detection of previously unknown threats is the top objective for their threat hunting program. This was followed by monitoring third parties for indicators of compromise or risk — likely due to the significant increase in third-party breaches worldwide — and reducing the attack surface by discovering and removing weaknesses.

These objectives are more proactive and outward-facing than last year’s more internal-focused objectives, which included creating detection rules based on threat hunt outputs, having the ability to identify threats before an attacker causes damage, and reducing attack surface by discovering and removing weaknesses.

 

Top Challenges

The biggest challenge slowing the success of a security team’s threat hunting program in 2024 is tied for a lack of appropriate funding and a lack of historical data to threat hunt against (historical data being one of the ways a program can be effective). An additional challenge is a lack of trained threat hunters — trained hunters being another way a program can be effective.

However, these are entirely different challenges than reported in 2023. Last year, the top challenges were a lack of tools to perform threat hunting with, poorly understood and/or undocumented baseline activity, and no executive-level support of the threat hunt program.

Ultimately, challenges from last year and this year can be summed up as a lack of internal support, a lack of tools, a lack of trained hunters, and a lack of data — all things that, when working well, contribute to a program’s effectiveness.

 

Top Program Enhancements

What enhancement do security practitioners want to add to improve their existing threat hunting program? At the top of the list is actionable threat intelligence, which can help them become more aware of the relevant threats to their organization, and help mitigate some of the challenges listed above. This enhancement rose from seventh place in 2023 to first this year.

They also wish for additional staff with specific threat hunting experience, something that contributes to effectiveness — which was in second in 2023. Third, they’re looking for network forensic detection, netflow telemetry, and/or full packet captures to give them the information they need to protect their organization — which was in first in 2023.

 

Budgets

One of the biggest challenges listed above was a lack of appropriate funding for their threat hunting programs. In 2024, 44% expect their budget to increase over the next year. Last year, only 38% expected it to increase, which is likely why the top challenge this year is a lack of funding.

 

Top Priorities

The top priorities for next year continue building on the objectives for this year. For their threat hunting program, security teams want to continue to expand their third-party monitoring for signals of compromise, followed by increasing their host/network visibility. Tied for third are adding more threat hunters or contracts for external support, and increasing storage and retaining logs for use by threat hunters.

Last year’s top priorities were to add more threat hunters or contract for external support, tied with increasing their host/network visibility. Ultimately, these priorities are ongoing.

 

Biggest Worries

As they prepare for the future, the biggest worry on the minds of security practitioners in 2024 is failing to retain qualified personnel — which rose from #7 in 2023, underscoring the importance of having the right members of the security team. They’re also worried about being unable to truly measure the success of the threat hunting program, which was the top worry last year. They also worry about failing to keep up with current trends and threat intelligence, which was the third biggest worry in 2023.

 

Conclusion

Making a threat hunting program effective relies on a number of contributing factors that include having the right tools, people, processes, and data in place. It’s certainly an ongoing process, but security teams can take steps in the right direction to move from reactive to proactive.

Read the “Voice of a Threat Hunter 2024” report today.

Source: Original Post