The Tide is Turning for External Threat Hunting

(a.k.a Threat Reconnaissance)

Forrester has called out Team Cymru within two distinct categories in their newly published Tech Tide™: Threat Intelligence, Q2 2021Report, so what has changed?  In this blog, we’ll briefly explain why we feature in each category, and what advantages each of these has to your organization. The categories are Threat Intelligence Feeds and Internet Infrastructure Analysis.


How is this relevant in the face of today’s threat actors?


What we know from our Fortune 1000 customer base is that addressing cyber threats proactively has become a priority. They have realized that in the face of agile, sophisticated threat actors, failure to mature their threat hunting programs is not an option.  Our customers are typically at the highly risk averse end of the spectrum and have matured their internal threat intelligence consumers to include incident response teams, internal threat hunting (detection) teams, and now more critical than ever, external threat hunting teams.



The Tech Tide™: Threat Intelligence report acknowledges this is a growing and maturing area, and our experience informs us senior cyber executives are looking towards these areas to solve some of their most persistent cyber-risk-related challenges.


Why do we feature in the Internet Infrastructure Analysis category?


Firstly, what is internet infrastructure analysis?  Forrester comments that it is “…used by threat intelligence analysts and hunters to analyse and hunt for potentially malicious internet infrastructure.”.  We further describe our Internet infrastructure analysis methodology as “threat reconnaissance”— the act of tracing, mapping and monitoring threat actor activity at internet scale.


Forrester have recognised the business value around Internet infrastructure analysis as high, and our customer feedback aligns to this as the various use cases touch on….


  • Mapping the attack surface to include cloud and supply chain
  • Detecting threats across the supplu chain
  • Blocking attacks before they’re launched, which greatly reduces IR workload


All have significant ROI once programs are up and running – but getting to that point is a process, not a product.


Whilst Forrester notes the Lifecycle Cost is ‘low’, there is a path that leads to teams being able to leverage Internet infrastructure analysis data that emerges from employing external threat hunting or “threat reconnaissance”.  Our own Threat Hunting Maturity Model (Figure 1) explains that cyber teams that do not have dedicated threat hunters, are less likely to realise the full value of threat reconnaissance output data for their teams’ workflows and processes.  Whilst there is attraction around a high business value and low lifecycle cost, there are considerations required to building a team of professionals dedicated to external threat hunting, and when utilizing threat reconnaissance for incident response.


Why do we also feature in Threat Intelligence Feeds?


Threat feeds are a fully matured threat Intelligence segment, so whilst it’s not a surprise Forrester advises a ‘Divest’ approach, there are still merits in having a vendor agnostic strategy.  Due to the use cases and methods our customers use to integrate threat feeds into their defensive strategy, it enables more value to be extracted over a much longer lifecycle.  A threat feed that includes global internet-scale data can supply various defense teams to great effect.  Use cases vary across strengthening gateway entry points, regardless of vendor, in addition to gaining correlation between threat actor owned C2 infrastructure and the payloads they are launching.


The Forrester report validates that the tide is in our customers’ favour, and threat reconnaissance use cases flourish, as more Fortune 1000 organizations mature their external threat hunting capabilities.

Subscribe Now