Enhancing Threat Hunting: Strategies for Security Teams

Short Summary:

The “Voice of a Threat Hunter 2024” report highlights the need for security teams to evolve their threat hunting strategies to combat the increasing frequency and severity of cyber attacks. While many organizations have implemented threat hunting programs, challenges such as funding, historical data, and talent shortages hinder their effectiveness. The report emphasizes the importance of actionable threat intelligence, advanced technologies, and trained personnel to enhance proactive threat reconnaissance.

Key Points:

  • 49% of security practitioners experienced a major security breach in the past year.
  • 72% of those with a breach credited their threat hunting program with mitigating the impact.
  • 53% of respondents believe their threat hunting program is very effective, primarily due to tools like EDR and SIEM.
  • Major challenges include lack of funding, historical data, and trained threat hunters.
  • Priorities for the next year include expanding third-party monitoring and increasing visibility.
  • Respondents seek actionable threat intelligence and additional staff with specific threat hunting experience.
  • Proactive detection of unknown threats is the top objective for threat hunting programs.
  • With the right resources, security teams can evolve from reactive to proactive threat reconnaissance.

MITRE ATT&CK TTPs – created by AI

  • Initial Access – T1078 (Valid Accounts)
    • Use of legitimate, stolen or default accounts to gain access to systems.
  • Execution – T1203 (Exploitation for Client Execution)
    • Exploitation of software vulnerabilities in client applications to execute malicious code.
  • Persistence – T1547 (Boot or Logon Autostart Execution)
    • Configuring programs to run automatically at boot or logon to maintain access after the initial compromise.
  • Privilege Escalation – T1068 (Exploitation for Privilege Escalation)
    • Exploitation of vulnerabilities to gain higher privileges.
  • Defense Evasion – T1027 (Obfuscated Files or Information)
    • Obfuscating or encoding files and data to avoid detection by security tools.
  • Credential Access – T1003 (OS Credential Dumping)
    • Dumping credential material from the operating system to steal account credentials.
  • Discovery – T1083 (File and Directory Discovery)
    • Enumerating files and directories to gather information about the system and network.
  • Exfiltration – T1041 (Exfiltration Over C2 Channel)
    • Transferring data out of the network over an existing command-and-control channel.
  • Impact – T1485 (Data Destruction)
    • Destroying data to disrupt or render systems and data unusable.

According to "Voice of a Threat Hunter 2024"

Security teams need to keep evolving their strategies to protect their organizations against cyber attacks that are only growing in frequency and severity. According to our research, 49% of security practitioners surveyed said their organization experienced a major security breach in the past 12 months. That is a shocking number, but 72% of those who did experience a breach say their threat hunting program played a key role in mitigating it.

Having a threat hunting program in place is a great start, but to truly protect their organization, security teams need a more proactive approach in the form of threat reconnaissance. But security teams can’t achieve any of these successes without having the right tools, strategies, people, and budgets in place.

For this year's “Voice of a Threat Hunter 2024” report, we surveyed 293 security practitioners about the current state of their threat hunting program and what’s needed to evolve it into a more proactive program. Here are some of the insights they provided.


Improving Threat Hunting and Reconnaissance Processes

When it comes to feeling confident in how well they’re protecting their organization, about half (53%) believe their current threat hunting program is very effective. They attribute their effectiveness primarily to the tools they have in place, like endpoint detection and response (EDR) and security information and event management (SIEM). They also attribute their effectiveness to trained and experienced threat hunting analysts and having baseline data available to identify what host and network “normal” looks like.

But it's not an easy path to proactive threat reconnaissance. Security practitioners say the biggest challenges to creating an effective threat hunting program are a lack of appropriate funding and a lack of historical data to threat hunt against (the two tied for first). They’re also challenged by a lack of trained threat hunters who know what to look for and how to use the right technology. In other words, proactive threat hunting is hindered by a lack of budget, technology, and talent.

How will they address these challenges? Security practitioners' priority for their threat hunting program over the next year is expanding third-party monitoring for signals of compromise, especially given the recent rise in third-party and supply chain compromises. Their other priorities align with addressing the challenges they're facing today: increasing their host or network visibility, adding more threat hunters or contractors for external support, and increasing storage and retention of logs for use by threat hunters.


Addressing the Needs of Security Teams

Security teams can't proactively protect their organization unless they have the right tools, resources, and training to do so. As noted above, one of the biggest challenges to creating an effective threat hunting program is a lack of trained threat hunters, and respondents' biggest worry about their threat hunting activities is failing to retain qualified personnel. How can security leaders better ensure their teams are prepared?

The biggest enhancement respondents would like to add to their existing threat hunting program is actionable threat intelligence, which will give their teams the knowledge they need to conduct more proactive threat reconnaissance. They would also add additional staff with specific threat hunting experience as well as network forensic detection, netflow telemetry, and/or full packet captures — more ways to give their teams the knowledge and resources needed for more proactive protection.


Having the Right Technology for Threat Hunting and Reconnaissance

Security teams also need the right technology to move from reactive threat hunting to proactive threat reconnaissance. Respondents said the top objective for their threat hunting program is the proactive detection of previously unknown threats, which requires the right intelligence and technologies to uncover. Other objectives include monitoring third parties for indicators of compromise or risk and reducing the attack surface by discovering and removing weaknesses — both of which also require advanced detection tools and technology.


Conclusion

Cyber attacks today happen with more frequency and severity. But with the right intelligence, technologies, and training, security teams can evolve their threat hunting program into a more proactive threat reconnaissance program, preventing breaches from happening or mitigating their severity if they do.

Read the “Voice of a Threat Hunter 2024” report today.
