How can IT security threat hunters measure success? That's one of the core questions raised in the SANS Threat Hunting Survey, co-sponsored by Authentic8.

The answer may lie in a strategy and tool selection that avoids mission and cost creep, and results in measurable effects - and savings - to prove it.

That’s our main takeaway from this year’s Threat Hunting Survey. Co-authors Mathias Fuchs and Joshua Lemon capture the different needs and challenges within organizations that are just starting their cyber threat hunting program, versus those who are honing their skills and programs.

Definitions of Threat Hunting

What is threat hunting? The SANS survey results document a wide variety of methodologies, spending priorities, tools deployed, training needs - and opinions about what constitutes effective threat hunting practices.

"Many organizations use an alert-driven approach to threat hunting or use indicators of compromise [IoCs] to guide their hunts," says Mathias Fuchs, a SANS instructor and threat hunting expert. "It seems that fewer organizations are using hypothesis-driven hunting—and that could leave them vulnerable to dangerous visibility gaps."

Most respondents report using a variety of reactive approaches to threat hunting, including alerts (40%) or IoCs via a SIEM or other alerting system to find adversary tools or artifacts (57%).

Authentic8's Silo for Research saves money and resources over the “DIY approach” of creating a threat hunting platform from off-the-shelf and open source solutions. Many threat hunters face questions in their organizations over the cost creep and the configuration, maintenance, and post-mission clean-up burden that result from the DIY approach.

Threat hunting teams that deploy Silo for Research save on average 89% annually over those who operate a custom-made solution, as an itemized comparison shows.


About the Author

A8 Team
Director U.S.A.

Authentic8 Team is a group of cybersecurity enthusiasts, investigation sleuths, top-notch engineers, news junkies, policy wonks and all-around fervent writers hell-bent on bringing you the best darn blog in the industry. 
