Seven hundred IT and security professionals were surveyed by McAfee to understand the current state and future development of threat hunting — the active search for existing network breaches.
For this purpose, a threat hunter is defined as an analyst who focuses on clues and hypotheses (rather than waiting for binary alerts from rule-based detections); is human-centric (rather than tool-centric); and works from the assumption of an existing breach. The hunting process is defined as the military OODA concept: observe, orient, decide, act.
To allow comparison of threat-hunting capabilities, the respondents rated the perception of their own maturity from level 1 to level 4. This ranges from hunters who primarily rely on automated alerting with some routine data collection (level 1) to hunters who automate the majority of successful data analysis (level 4).
One of the first insights from the survey and report (PDF) is that successful threat-hunting is a combination of art and science. Level 1 hunters operate largely on an ad hoc basis; for level 2 hunters it is an organized process; but for the most successful hunters at level 4, it is a mix of both.
Looking to improve their maturity, the top four strategies overall are better automation of threat hunting processes, increased use of data analytics, hiring of more experienced employees, and more precise diagnostic tools. Noticeably, and perhaps naturally, the lower level SOCs place hiring staff as the priority, followed by improved use of data analytics. Level 3, which is probably better staffed by definition, seeks first better automation and second increased analytics.
McAfee postulates that lower level SOCs seek to staff-up and chase “shiny new toys… trying to emulate leading
SOCs too soon”, while more advanced SOCs “shift their focus from building strong hunting and incident response teams to making them more effective.”
One clear differentiation between level 4 hunters and the lower levels is the degree of automation. “Respondents in levels 1 through 3 SOCs,” notes the report, “reported deploying automation extensively at an average of 23% compared with 75% of level 4 SOCs.”
This carries over into the next stage of cybersecurity — incident response. Extensive automation quite naturally supplies the greater context needed by incident responders to more accurately scope and triage incidents for rapid incident resolution. This is confirmed in the survey results: “71% of SOCs with a level 4 maturity closed investigations in an average of less than one week — the majority of which closed in less than 24 hours.” The average time for the lower levels is 25 days.
Similarly, says McAfee, “The more mature SOCs also determine the root cause of an attack 70% percent of the time, versus 43% percent of the time for the developing organizations.”
Another difference in the operational procedures between the different levels of maturity is the amount of time spent on researching and customizing threat hunting tools. Level 1 hunters spend, on average 10 hours per month. This rises consistently to 17 hours for level 4 hunters. “This,” suggests McAfee, “is a good example of both the power of human+machine teaming, and the importance of locally produced intelligence and personalization.”
Sandboxes are the most used hunting tool. Noticeably, the more advanced hunters have been using them for longer than the lower levels: four years, on average, for level 4; compared to 2 years for level 1. However, the use made of sandboxes also changes with the level of hunter maturity. Twice as many level 4 hunters use sandboxing for investigation and threat validation rather than just detection and alerting.
All data analysis relies on data. Sixty percent of all four maturity levels use public threat intelligence feeds; but as the maturity level increases, so the hunters begin to rely more on the TTPs they gather internally from their own research. Automated processes to feed threat intelligence into a correlation engine are used by 45% of level 1 hunters, but 77% of level 4 hunters. The nature of the feeds also changes with the levels: 80% of level 4s use ISACs and other private or paid-for feeds compared to 41% of level 1s.
“Threat hunting is here to stay, and is no longer an esoteric practice limited to a few of the edgier practitioners,” says McAfee. “Over the next few years, expect to see threat hunting as part of most organizations’ analytics driven security operations, backed by extensive automation and machine analytics.”
What is clear from this survey, however, is that threat hunting is not simply a case of buying systems to do it. Effective threat hunting leading to efficient incident response is a combination of man and machine, of art and science, with the man tailoring and automating the science to suit his own environment.
Related: Threat Hunters Analyze Trends in Destructive Cyber-Attacks
Related: Firms Unite to Hunt Threats From Network to Endpoint