INTELLIGENT BRANDS // Enterprise Security
Threat hunting – art or science?
Over the next few years we should expect to see threat hunting as part of most organisations’ analytics-driven security operations, says McAfee’s Head of Strategic Intelligence, Raj Samani. To help threat hunting organisations enhance their capabilities, McAfee conducted a survey to identify the approaches and tools used by the least and the most sophisticated hunters.
Security professionals are in a fight every day to track down criminals who would disrupt their organisation. Attackers nearly always have the element of surprise in their favour, but threat hunting can throw the attackers off their footing.

So, what are the characteristics of good threat hunters? We recently surveyed more than 700 IT and security professionals to identify insights and lessons for organisations looking to understand and enhance their threat hunting capabilities. One of the key questions was the level of maturity of the organisation’s threat hunting activity. Responses ranged from Level 0, where organisations rely primarily on automated alerting (i.e. little or no routine data collection) and typical tools include IDS, SIEM and anti-virus, to Level 4, where organisations automate the majority of successful data analysis procedures and use high or very high levels of routine data collection. These self-reported assessments provide useful insight into the current nature of the threat hunt and reveal some surprises about how organisations are investing for future improvement. Some of the key findings include:
• The most mature threat hunting organisations are twice as likely to automate parts of the investigation process and spend 50% more of their time actually hunting. As a result, 70% of them are closing investigations in a week or less, compared to only 50% of the less mature organisations.
• Mature organisations are three times more likely to consider every level of the identification and investigation processes as viable for automation, especially sandboxing, endpoint detection and response, and user behaviour analysis.
• Tool emphasis changes with experience. Sandboxing was the number one tool for tier 1 and 2 analysts of all sizes and maturity levels, but tier 3 and 4 analysts use sandboxing as part of a broader mix of tools.
• Immature companies are trying to use the same tools as the most mature companies, but without the same results. Adopting new tools without changing the processes for hunting and incident response is rarely successful, as success requires an upfront investment in architecture and optimised processes.
• Threat hunters in mature SOCs spend 70% more time on customisation of tools and techniques. Custom scripts and security information and event management (SIEM) are heavily used to automate manual and ad hoc processes.
Observe, orient, decide, and act
Human decision-making can be the critical advantage in many security scenarios, tilting the playing field in your favour. US Air Force Colonel John Boyd first documented the four fundamental parts of this process, which are observe, orient, decide, and act (OODA). Effective security operations teams are leveraging this process to exploit their adversaries’ weaknesses, supported by automated processes, machine-driven analytics, and curated threat intelligence.

Threat hunters often begin with the assumption of a breach or compromise, following clues and personal intuition, and later turning successful hunts into automated rules. Hunting is a human-centric activity, using a wide range of tools and information to seek out hidden threats to the organisation.

Based on the survey results, threat hunting begins as an ad hoc process in the least-mature organisations, then swings strongly towards process
www.intelligentcio.com