The 2019 SANS Threat Hunting Survey gathered current industry data from 575 respondents, predominantly from small/medium to medium/large organizations, who work in the field of threat hunting or work alongside threat hunters. This year’s report aims to help organizations understand what threat hunting is, why it is essential to protecting their organizations, and how novice and experienced hunters alike can improve their processes.
Results demonstrate that confusion still exists about what respondents believe constitutes threat hunting and how to properly approach threat hunting. In addition to uncovering these areas of confusion, the report offers practical takeaways and action items that readers can use to strengthen their cybersecurity defenses within their organizations.
In this year’s survey, we explore how threat hunting teams are tasked in an environment, where they hunt, and how they hunt. More than half of the respondents use atomic indicators of compromise (IoCs) or an alert-driven approach to hunting. This year’s survey results show that respondents have decreased their hypothesis-driven hunting over the past three years, which may leave organizations with dangerous visibility gaps.
The results confirm that many organizations are still dual-tasking threat hunters, and very few have progressed over the past three years to standing up a dedicated team. Threat hunting still appears to be very much in its infancy at most organizations. This report explores how teams are structured, the priorities given to hunters along with the other roles they fulfill in the organization, and how an organization resources a threat hunting team.
This report recognizes that organizations are still concentrating on technology as a key driver for increasing the capabilities of a threat hunting team. However, we question how useful a tool may be in the hands of an unskilled hunter, especially if training is not seen as a critical area to enable hunt teams.
Results indicate that organizations are still struggling to measure the benefits—or organizational impact—a threat hunting team can have. We suggest a process threat hunters can use to demonstrate to management why threat hunting is essential and how threat hunters can begin measuring the impact they are having in their organization.
This year’s report provides several key takeaways and action items that readers should consider integrating into their threat hunting programs. We encourage anyone running a threat hunting team to start implementing change as soon as possible to ensure that their teams can keep pace with the ever-changing attack vectors and advances by adversaries.