According to "Voice of a Threat Hunter 2024"
Security teams need to keep evolving their strategies to protect their organizations against cyber attacks that are only growing in frequency and severity. According to our research, 49% of security practitioners surveyed said their organization experienced a major security breach in the past 12 months. While a shocking number, 72% of those who did experience a breach say their threat hunting program played a key role in mitigating it.
Having a threat hunting program in place is a great start, but to truly protect their organization, security teams need a more proactive approach in the form of threat reconnaissance. But security teams can’t achieve any of these successes without having the right tools, strategies, people, and budgets in place.
For this year's “Voice of a Threat Hunter 2024” report, we surveyed 293 security practitioners about the current state of their threat hunting program and what’s needed to evolve it into a more proactive program. Here are some of the insights they provided.
Improving Threat Hunting and Reconnaissance Processes
When it comes to feeling confident in how well they’re protecting their organization, about half (53%) believe their current threat hunting program is very effective. They attribute their effectiveness primarily to the tools they have in place, like endpoint detection and response (EDR) and security information and event management (SIEM). They also attribute their effectiveness to trained and experienced threat hunting analysts and having baseline data available to identify what host and network “normal” looks like.
But it's not an easy path to proactive threat reconnaissance. Security practitioners say the biggest challenges to creating an effective threat hunting program are a lack of appropriate funding and a lack of historical data to threat hunt against (which both tied for first). They’re also challenged by a lack of trained threat hunters who know what to look for and how to use the right technology. In other words, proactive threat hunting is hindered by a lack of budget, technology, and talent.
How will they address these challenges? Security practitioners' priority for their threat hunting program over the next year is expanding third-party monitoring for signals of compromise, especially given the recent rise in third-party and supply chain compromises. Their other priorities align with addressing the challenges they're facing today: increasing their host or network visibility, adding more threat hunters or contractors for external support, and increasing storage and retention of logs for use by threat hunters.
Addressing the Needs of Security Teams
Security teams can't proactively protect their organization unless they have the right tools, resources, and training to do so. One of the biggest challenges to creating an effective threat hunting program is a lack of trained threat hunters, as respondents said above, and their biggest worry about their threat hunting activities is failing to retain qualified personnel. How can security leaders better ensure their teams are prepared?
The biggest enhancement respondents would like to add to their existing threat hunting program is actionable threat intelligence, which will give their teams the knowledge they need to conduct more proactive threat reconnaissance. They would also add additional staff with specific threat hunting experience as well as network forensic detection, netflow telemetry, and/or full packet captures — more ways to give their teams the knowledge and resources needed for more proactive protection.
Having the Right Technology for Threat Hunting and Reconnaissance
Security teams also need the right technology to move from reactive threat hunting to proactive threat reconnaissance. Respondents said the top objective for their threat hunting program is the proactive detection of previously unknown threats, which requires the right intelligence and technologies to uncover. Other objectives include monitoring third parties for indicators of compromise or risk and reducing the attack surface by discovering and removing weaknesses — both of which also require advanced detection tools and technology.
Conclusion
Cyber attacks today happen with more frequency and severity. But with the right intelligence, technologies, and training, security teams can evolve their threat hunting program into a more proactive threat reconnaissance program, preventing breaches from happening or mitigating their severity if they do.
Read the “Voice of a Threat Hunter 2024” report today.