Top Challenges and Benefits to Building a Threat Hunting Program


Threat hunting is gaining momentum in the industry as IT and security teams attempt to keep up with the constant barrage of new cyber threats and malware attacks. Organizations are quickly recognizing that being reactive is no longer enough; they must be proactive to stay ahead of hackers and those who look to steal data or wreak havoc on systems. While companies increasingly acknowledge that they need to adopt threat hunting practices, a recent survey published by the SANS Institute shows that many are struggling to adapt.

  1. Lack of public threat hunting methodologies
    The SANS survey revealed that organizations are struggling to define threat hunting programs, in large part due to the lack of information on hunting. Until now, threat hunting has largely been the domain of the most highly skilled security practitioners, and there are very few published guidelines and methodologies for proper threat hunting tactics and strategies. According to the survey, “even though 27% of the teams have defined methodologies for hunting, only 5% are using external guidance from published sources to create their methodologies, and 7% outsource that effort to a third party.”

    Forensic State Analysis (FSA) is a new methodology for threat hunting that is concerned primarily with assessing the health of an endpoint by validating what is running in memory at a given point in time. FSA does not rely on the host operating system to report real-time events. Instead, it traverses the executable memory space in minutes to reconstruct what is happening, and collects anything of interest, such as injected memory, forensic artifacts, executable programs, modules and hooks. Because FSA operates independently of the host OS, the data used for analysis does not depend on a system that may itself be compromised.
     
  2. No dedicated hunting staff
    The other challenge organizations are facing is where to find hunters. Of those surveyed, only 31% of respondents have staff dedicated to hunting; some pull their hunt personnel from other staff (16%), others hunt in an ad-hoc manner (13%), and a small percentage use outsourced services (6%). This raises concerns about how staff stretched across multiple responsibilities can effectively focus on hunting.

    With threat hunting becoming a critical security function, larger organizations are creating dedicated hunt teams. Organizations that don’t have the resources to build a dedicated hunt team need to look at how to leverage their existing teams for hunting. By using tools like Infocyte HUNT that automate part of the hunting process, internal teams can rely on automated scanning and reporting to identify threats, allowing them to focus on the incident response process.
     
  3. Existing infrastructures used
    Across the board, most respondents (91%) used their existing infrastructure for threat hunting. Existing infrastructure, such as log files, SIEM analytics and intrusion detection systems, is certainly useful to threat hunters, but most of these capabilities are rule-based and provide only reactive detection. Increasing numbers of vendors are also now claiming to offer solutions that hunt malware, but few are actually delivering. Whether or not the products work effectively, the growing high profile of solutions positioned to hunt malware attests to the increasing acceptance that enterprises require more than pure defense-in-depth.

    To hunt effectively you need a solution truly built for hunting, not one that is trying to ride the market demand. Infocyte HUNT is built for hunting and only hunting. It combines forensic automation and volatile memory analysis techniques to detect malware, suspicious code and persistent threats that have breached existing defenses. The platform does not rely on the host OS for data, since the host OS may itself be compromised. It doesn’t replace the need for centralized logging or real-time behavior monitoring. On the contrary, the two are highly complementary, with hunting filling the gap in post-compromise detection.
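
The FSA and volatile memory analysis passages above describe collecting "injected memory" from a running endpoint. The following is an added example, not Infocyte code, showing what such a candidate looks like in the simplest possible form: executable memory regions with no file backing, parsed from constructed Linux /proc/<pid>/maps lines. Note the contrast with FSA: this example trusts the host kernel's own view of memory, which is exactly the data source a compromised system could falsify, so it illustrates the artifact, not the OS-independent collection method.

```python
import re

# Columns of a /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path.
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+(\d+)\s*(.*)$"
)


def parse_maps(text):
    """Parse /proc/<pid>/maps text into a list of region dicts."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        start, end, perms, inode, path = m.groups()
        regions.append({
            "start": int(start, 16),
            "end": int(end, 16),
            "perms": perms,
            "inode": int(inode),
            "path": path.strip(),
        })
    return regions


def suspicious_regions(regions):
    """Executable regions not backed by a file on disk (inode 0).

    JIT engines also produce such regions, and the kernel-provided [vdso]
    and [vsyscall] pages are excluded, so this is a triage list, not a verdict.
    """
    benign_kernel_pages = {"[vdso]", "[vsyscall]"}
    return [
        r for r in regions
        if "x" in r["perms"] and r["inode"] == 0
        and r["path"] not in benign_kernel_pages
    ]


# Constructed sample (not captured from a real host), modelled on the
# /proc/<pid>/maps layout: one anonymous rwx region stands out.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a1c000 r-xp 00000000 08:01 131091   /usr/bin/sshd
7f2a1c000000-7f2a1c021000 rw-p 00000000 00:00 0
7f2a1c800000-7f2a1c9c5000 r-xp 00000000 08:01 262402   /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1d000000-7f2a1d010000 rwxp 00000000 00:00 0
7ffd3a5e3000-7ffd3a5e5000 r-xp 00000000 00:00 0        [vdso]
"""
```

Running `suspicious_regions(parse_maps(SAMPLE_MAPS))` on the sample returns only the anonymous rwx region at 0x7f2a1d000000, the kind of finding a hunter would then dump and inspect.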

Despite Challenges, the Benefits of Threat Hunting are Significant

Finally, while many companies are grappling with the challenges of setting up a threat hunting program, those who are engaged in hunting are realizing tangible and significant benefits. In the survey, 60% felt their use of threat hunting provided measurable improvement in the security of their organizations. Among those who reported improvement, at least 74% of participants saw gains in each of the following areas:

  • Speed and accuracy of response
  • Attack surface exposure / hardened network and endpoints
  • Reducing dwell time (infection to detection)
  • Time to containment (detect/prevent spread or lateral movement)
  • Amount of actual breaches based on the number of incidents detected
  • Exposure to external threats
  • Resources (e.g., staff hours, expenses) spent on response
  • Reducing the frequency/number of malware infections

The most significant areas of improvement were the speed and accuracy of response and an improvement in attack surface exposure, with 91% citing measurable improvement in both of these areas.

Ready to start hunting?

If you’re ready to start building a threat hunting program or have a mature program that can benefit from automation, then consider adding budget for a threat hunting platform to help improve the speed and efficacy of a program. 

Infocyte HUNT provides an easy-to-use, yet powerful solution to limit risk and eliminate attacker dwell time by enabling your organization’s own IT and security professionals to proactively discover malware and persistent threats, active or dormant, that have successfully evaded existing defenses and established a beachhead within your endpoints, including user devices and servers. It is designed to rapidly assess network endpoints for evidence of compromise – without the burden of complicated equipment or endpoint software installations, and up to 30 times faster than other methods. Reports identify and score the severity of identified issues for swift resolution and risk mitigation.

Request a demo to see how easy it is to turn your IT or security team into hunters. 

Only have 3 minutes? Watch the video to see how Infocyte HUNT allows you to proactively discover threats - without a forensics specialist.