49% have experienced a major security breach in the past 12 months, according to respondents to our new “Voice of a Threat Hunter 2024” report. However, of those that did experience a breach, 72% say their threat hunting program played a key role in preventing or mitigating the breach. So how can security teams take steps to improve their threat hunting program today?
What Creates an Effective Threat Hunting Program
For this year's “Voice of a Threat Hunter 2024” report, we surveyed 293 security practitioners about the current state of their threat hunting program. 53% of respondents say that their current threat hunting program is very effective. This is an increase from only 41% believing the same thing last year, meaning that security teams are putting initiatives in place that are increasing their confidence and lowering their risk.
What makes their threat hunting program so effective? The factor making the most impact is having the right tools in place such as endpoint detection and response (EDR) and security information and event management (SIEM). This can increase visibility into their systems, networks, and assets to help them more proactively protect against threat or breach.
A second factor making their threat hunting program effective is having trained and experienced threat hunting analysts. Threat hunting is an acquired skill, and having members of the security team who know how to root out threats can boost effectiveness.
Another contributor to effectiveness is having baseline data available to threat hunters to identify what host and network “normal” looks like. This way, security analysts can more easily see where compromises have happened, or where vulnerabilities are leaving their systems exposed.
Challenges to Overcome
Having an effective threat hunting program also means overcoming the challenges that threaten to derail it. According to our survey, the biggest challenge impacting security teams today is a lack of historical data to threat hunt against. This is why security teams say they need baseline data to know how to identify something that's not normal.
Tied for the top challenge is a lack of appropriate funding to support threat hunting initiatives, like purchasing new tools or hiring new staff.
Finally, another challenge is a lack of trained threat hunters. Having trained analysts is a major contributor to their effectiveness, so a lack of them would be detrimental to effective threat hunting.
Actionable Next Steps
While 53% said their threat hunting program is effective, 25% believe it’s somewhat effective, and 23% believe it’s not very effective at all. Based on what makes it effective, here are three steps security teams can take today to improve their threat hunting program.
Tools
The top factor that makes a threat hunting program effective is having the right tools in place. For better threat hunting, look for tools that facilitate increased visibility into your networks and environments, and that can map your attack surface to help identify vulnerabilities. These are tools like the aforementioned EDRs that can help alert and SIEMs that can track events. Additionally, invest in tools that deliver actionable threat intelligence that’s relevant to your organization. This can not only help your threat hunting become more proactive, but can increase your ability to perform threat reconnaissance, or find threats outside your organization that are targeting you.
Training
Having security team members who are capable of threat hunting makes security more effective. But making that a reality includes training security team members on threat hunting — which can be a challenge when there’s a talent shortage and teams are stretched thin as it is. Having the right tools and technology to help with threat hunting can shortcut the learning curve. By adopting more automation to take care of manual, repetitive tasks, you can free up your security team for more high-impact activities like threat hunting.
Baseline data
Respondents attribute their successes to having baseline data available to threat hunters to identify what host and network “normal” looks like. By having the right tools in place, security teams can gather more data and the right data needed to understand what their baseline looks like. Create a comprehensive inventory of the assets, systems, and environments that need to be protected, and map your attack surface so you know your perimeter. Create a strategy for log retention so that you can use it for future threat hunting, and document your past processes and procedures as well.
Conclusion
Increasing your threat hunting capabilities should focus on three key areas: having the right tools, getting the people trained, and having the right data to set a baseline to compare against. By starting here, you’ll soon see your threat hunting turn from reactive to proactive, and will help you mitigate or even prevent the next breach.
Read the “Voice of a Threat Hunter 2024” report today.