SlideShare ist ein Scribd-Unternehmen logo
1 von 29
Downloaden Sie, um offline zu lesen
2017 | REPORT
THREAT HUNTING
Group Partner
Information
Security
PRESENTEDBY
THREAT HUNTING
2 0 1 7 R E P O R T
TABLE OF CONTENTS
Overview
Key Survey Findings
Familiarity with Threat Hunting
Threat Hunting Priority
Top Challenges for SOCs
Confidence in SOCs
Data Captured for Forensic Review
Threat Detection by Automated Tools
Vulnerability Scanning & Analysis
SOC Threat Management Maturity
Resources for Threat Hunting
Time Spent on Threat Hunting
Attack Discovery
Financial Impact of Threats
Threat Hunters’ Job Satisfaction
Threat Hunting Adoption
Barriers to Adoption
Threat Hunting Performance
Benefits of Threat Hunting Platforms
Threat Hunting ROI
Key Features of Threat Hunting Platforms
Methodology and Demographics
Threat Hunting Overview
Sponsor Overview
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
29
In 2017, the Information Security Community on LinkedIn
conducted a comprehensive online research project to gain
more insight into the state of threat hunting in security
operation centers (SOCs). When the 330 respondents
were asked what keeps them up at night, many comments
revolved around a central theme of undetected threats
slipping through an organization’s defenses. Many
responses included “unknown” and “advanced” when
describing threats, indicating the respondents understand
the challenges and fear those emerging threats.
We would like to thank our sponsor Cybereason for
supporting this unique research.
We hope you will enjoy the report.
Thank you,
Holger Schulze
OVERVIEW
Many organizations are quickly
discovering that cyber threat
hunting is the next step in the
evolution of the modern Security
Operations Center (SOC) to
combat an increasing array
of sophisticated threats from
attackers.
Threat Hunting refers to manual
and machine-assisted methods
of proactively and iteratively
searching through networks
and datasets to find advanced
persistent threats (APTs) that
evade existing security defenses.
Holger Schulze
Founder
Information Security
Community on LinkedIn
hhschulze@gmail.com
Group Partner
Information
Security
3
Holger Schulze
Founder
Information Security
Community on LinkedIn
THREAT HUNTING REPORT
THREAT HUNTING REPORT 4
KEY SURVEY FINDINGS
Respondents state that the frequency of security threats their organizations are facing increased
significantly. Over 80% of respondents say threats have at least doubled in the past year. Based
on the current trend, the number of advanced and emerging threats will continue to outpace the
capabilities and staffing of organizations to handle those threats.
Threat hunting is becoming a top security initiative for many organizations. However, the inability
to detect advanced threats and find expert security staff to assist with threat mitigation are the
top two challenges SOCs are facing. As a result, about four in five respondents stated their SOC
does not spend enough time searching for emerging and advanced threats.
The main benefits of threat hunting platforms include improved detection of advanced threats,
creating new ways of finding threats, and reducing investigation time. Threat hunting platforms
can cut in half the time spent to detect a threat, and it improves the average time to investigate
and address a threat by 42%. Nearly half of respondents state that an investment in a threat
hunting platform pays for itself within a year given its ability to detect unknown, emerging and
advanced threats.
Confidence in organizations’ ability to uncover advanced threats is low. Two-thirds of SOCs report
that they are falling behind in terms of capabilities to address sophisticated threats. Confidence is
further undercut by the increasing number of successful cyber attacks and the time it takes many
organizations to detect and respond to a breach - many data breaches still have an average dwell
time of 5 months.
Cybersecurity professionals who work with a threat hunting platform feel more appreciated,
recognized, and valued by their organization. Virtually all respondents want to work for a SOC
with lean-forward proactive security capabilities such as threat hunting, confirming the value
respondents place on threat hunting capabilities to help them do their job more effectively.
1
2
3
4
5
THREAT HUNTING REPORT 5
FAMILIARITY WITH THREAT HUNTING
Q: How familiar are you with threat hunting?
Among the respondents to the threat hunting survey, six in 10 have some knowledge or are very knowledgeable
about the topic. An additional 25% were aware of threat hunting but had no knowledge about the topic.
60%
I am very knowledgeable
on threat hunting
Have a moderate or high
degree of knowledge
about threat hunting
I have some knowledge
on threat hunting
I am aware of threat
hunting, but have
no knowledge
I am unfamiliar
with threat hunting
18%
42%
25%
15%
THREAT HUNTING REPORT 6
THREAT HUNTING PRIORITY
Q: What is your level of agreement with the statement “Threat hunting should be or will be a top security initiative in 2017”?
Nearly four out of five respondents said that threat hunting should be or will be a top security initiative in 2017 with
42% saying that they strongly agreed with the statement. Over three-quarters of respondents believe threat hunting
is of major importance.
3/4 of respondents
believe threat hunting is of major importance
Strongly agree Somewhat agree
Neither agree
nor disagree
Somewhat
disagree
Strongly
disagree
42% 37% 11% 6% 4%
THREAT HUNTING REPORT 7
TOP CHALLENGES FOR SOCS
Q: Which of the following do you consider to be top challenges facing your SOC?
The top two challenges facing SOCs are the detection of advanced threats (hidden, unknown, and emerging) and
the lack of expert security staff to mitigate such threats. More than half of the SOCs face these two top challenges.
All the challenges mentioned in the survey were ranked by at least 30% of the participants, suggesting that SOCs are
dealing with a broad array of issues on a day-to-day basis.
Detection of
advanced threats
(hidden, unknown,
and emerging)
70% The lack of expert
security staff to assist
with threat mitigation
59%
Detection of
rogue insiders/
insider attacks
Slow response time
to find or detect
advanced threats
Too much time
wasted on false
positive alerts
Lack of confidence
in automation tools
catching all threats
49% 49% 47% 45%
Lack of proper
reporting tools
32%
Working with outdated SIEM tools and SOC infrastructure 30% | Too much data to collect, aggregate, report and analyze 30% | Other 7%
THREAT HUNTING REPORT 8
CONFIDENCE IN SOCS
Q: Using a scale of 1 to 5 where “5” is very confident and “1” not at all confident, how confident are you in your SOC’s ability
to uncover advanced threats?
The Challenges faced by SOCs, such as their inability to detect advanced threats, the lack of expert staff to assist,
and the slow response time all weigh heavy on their level of confidence. Only 6% of respondents were fully confident
in their SOC’s ability to uncover advanced threats; only 26% of respondents were confident to very confident.
Very confidentNot at all confident
Moderately confident
1
2
3
4
5
45%
6%
20%
23%
7%
THREAT HUNTING REPORT 9
DATA CAPTURED FOR FORENSIC REVIEW
Q: What kind(s) of data does your SOC log for forensic review later?
When asked about the type of data their SOC log for forensics review, three in four respondents said they log and
review firewall/IPS denied traffic. Other commonly collected logs are firewall/IPS allowed traffic, DNS traffic, and
Web and email traffic. The importance respondents see in keeping different types of logs for forensic review is
evident by the fact that each data option was logged by at least 30% of the respondents.
Firewall/IPS
denied traffic
70%
Firewall/IPS
allowed traffic
.com
.net
Server traffic Packet sniff/
tcpdump
Windows
domain logs
58% 41% 40% 33%
Unsure
16%
Web and email
filter traffic
65% DNS traffic
60%
THREAT HUNTING REPORT 10
THREAT DETECTION BY AUTOMATED TOOLS
Q: What percent of emerging and advanced threats are
missed by automation security tools?
Q: Which of the following best describes the frequency
of security threats facing your organization?
Nearly half of all threats go undetected by automated
security tools (44%). Respondents’ answers ranged
from single digits to more than 90%, implying that
there is a wide range of perceived effectiveness of
automated tools. Needless to say, this bodes very
poorly for the current state of industry readiness.
threats go undetected by
automated security tools
44% 4%
Increased at the rate
of 2x in the past year
Increased at the
rate of 5x or more
Not changed in
the past year
Decreased
Increased at the rate
of 3x in the past year
Increased at the rate
of 4x in the past year
38%
24%
9%
12%
13%
Respondents overwhelmingly believe that their
organization faced more security threats over the past
year, with 82% saying threats occurred more frequently.
In addition, nearly half (45%) stated the amount of
threats they face have at least tripled or more in the
past year.
THREAT HUNTING REPORT 11
VULNERABILITY SCANNING & ANALYSIS
Q: When threat hunting, do you run a network scan/
analysis of common vulnerabilities to determine if the
threat is attacking a known CVE?
Q: How useful do you find network vulnerability scanning/
patching CVEs in helping you limit the risk of threats?
Although identifying attacking threats seems to be of
extreme importance to organizations, nearly 1 in 4 do
not analyze vulnerabilities to determine if the threat
is attacking a known CVE (Common Vulnerability
and Exposure). 3 in 4 respondents stated they take
measures to determine if a threat is attacking a known
CVE for their organization.
Over 75% of respondents stated that vulnerability
scanning and CVE patching is helpful in limiting
potential threats. These results support the prior
question in determining the importance of analyzing
and acting on vulnerable areas for security purposes.
Only a small minority believe that scanning for and
patching CVEs is unhelpful.
76%
YES
24%
NO
4%
12%
7%
77%
Somewhat
helpful
Somewhat
unhelpful
Neither
helpful nor
unhelpful
think vulnerability scanning
and CVE patching is helpful
in limiting potential threats
Very
helpful
Very
unhelpful
53%
24%
THREAT HUNTING REPORT 12
SOC THREAT MANAGEMENT MATURITY
Q: Which of the following best explains the status of your SOC in relation to addressing emerging threats?
When it comes to the state of their organization’s threat hunting capabilities, only 6% actually believe they are
cutting edge, and 30% believe they are advanced. Nearly two thirds of respondents stated they’re minimally
compliant or even behind the curve when it comes to addressing emerging threats. Although emerging and
advanced threats seem to be a major challenge for SOCs, little action is being taken to address them.
6%
We are cutting-edge,
ahead of the curve
We are advanced,
but not cutting-edge
We are compliant,
but behind the curve
Our capabilities are
limited at this time
30%
37%
27%
THREAT HUNTING REPORT 13
RESOURCES FOR THREAT HUNTING
Q: Approximately how much do you spend on security
detection and defense technologies to identify and stop
advanced threats?
Q: Approximately, what percentage of employees at your
SOC are threat hunting today?
When asked for an approximate amount their
organization spent on security detection and defense
technologies to identify and stop advanced threats,
answers varied significantly. On average, respondents
stated approximately $550,000 with some amounts
ranging up to $6-8 million dollars.
Less than 2 in 10 employees within SOCs are threat
hunting today. When asked approximately what
percentage of employees were involved in threat
hunting, the average response was around 14%.
Average Spend on
Technologies for Security
Detection and Defense
$550,000
14%SOC employees involved
in threat hunting
THREAT HUNTING REPORT 14
TIME SPENT ON THREAT HUNTING
Q: In a typical week, what percent of your time is spent
with alert triage or reactive response to security threats
versus engaging in proactive and innovative detection
methods?
Q: Do you feel enough time is spent searching for emerging
and advanced threats at your SOC?
When compared to engaging in proactive and
innovative detection, respondents spend nearly
double the time with alert triage and reacting to
security threats. An average of 43% of respondents’
time is spent reacting to security threats, while an
average of 22% of respondents said that their time
is spent proactively seeking threats. The rest of the
time is spent on other activities. These results align
with previous questions that revealed that many
respondents’ organizations are behind the curve when
it comes to taking steps to enhance their security and
threat hunting capabilities.
A staggering 4 in 5 respondents believe their SOC
does not spend enough time searching for emerging
and advanced threats. While many organizations and
SOCs spend most of their time reacting to detected
threats or other procedures, respondents clearly
believe more time should be spent on proactively
looking for these threats. Only 20% of respondents
believe that their SOC spends enough time searching
for emerging and advanced threats.
20%
YES
80%
NO
2x
time
22%
Proactively
seeking threats
43%
Reacting to
security threats
THREAT HUNTING REPORT 15
ATTACK DISCOVERY
Q: On average, how long do attackers who breach your
security defenses dwell in your network before they are
discovered by your SOC?
Q: Missed and Detected Security Threats?
Attackers dwell on a network for an average of
40 days before they’re discovered, according to
the survey. Some respondents said attackers were
discovered much faster while others said the attack
could go undetected for as long as three months
or even longer. Nearly all respondents agree that
attackers dwell on a network for some period of time
before they’re discovered by the SOC.
An average of 40% of security threats to the
respondent’s SOC are missed, while an average of
60% were identified. With over 4 in 10 security threats
being missed by SOCs, there’s significant potential for
a breach.
40DAYS
Average time attackers
dwell on networks
until discovered
40%
MISSED
Security Threats
60%
DETECTED
Security Threats
THREAT HUNTING REPORT 16
FINANCIAL IMPACT OF THREATS
Q: What is the typical financial impact of a security threat which goes undetected and results in a breach at your
organization?
Nearly 2 in 5 respondents stated a security breach could have a financial impact of up to $1 million at their
organization. Almost half of respondents were unsure of the financial impact an undetected threat that results in
a breach would cause. This number represents a significant lack of awareness around the potential damage that
undetected threats can cause.
Under
$500,000
32%
7% 7%
4%
1% 2%
47%
$500,000
to $999,999
$1 million to
$2.9 million
$3 million to
$5.9 million
$6 million to
$9.9 million
More than
$10 million
Unsure
think a security breach could have a financial
impact of up to $1 million at their organization
2 of 5 of respondents
THREAT HUNTING REPORT 17
THREAT HUNTERS’ JOB SATISFACTION
Q: Do you feel the work you do is: Appreciated?,
Recognized?, Valued?
Q: Would you prefer to work in a SOC with lean-forward
proactive security capabilities, such as threat hunting?
Overall, 61% of respondents in SOc without a threat
hunting platform stated they feel appreciated, 53% say
they are recognized, and 59% believe they are valued at
their organization. However, respondents who work in a
SOC that uses a threat hunting platform feel significantly
more appreciated, recognized, and valued. Of those
respondents, 72% state they feel appreciated, 61% state
they are recognized, and 67% believe they are valued.
Respondents overwhelmingly stated that they would
prefer to work in a SOC with lean-forward proactive
security capabilities such as threat hunting, an opinion
shared by nearly 95% of respondents. Respondents
value the importance of threat detection capabilities for
not only their own work, but also for their organization.
WITH threat hunting platform WITHOUT threat hunting platform
61%
Appreciated
Recognized
Valued
53%
59%
72%
61%
67%
YES
NO
7%
93%
THREAT HUNTING REPORT 18
THREAT HUNTING ADOPTION
Q: Does your SOC currently use a threat hunting platform
for its security analysts?
Nearly two-thirds of respondents stated their SOC
does not currently use a threat hunting platform for
its security analysts, indicating a lower adoption rate.
Respondents agree that the need and importance to
identify emerging and advanced threats is paramount
but many organizations have yet to adopt technologies
to do so.
35%
2/3 SOCs do not currently use
a threat hunting platform
NO
YES
65%
76%
NO
YES
24%
Q: Would you like your organization to purchase a threat
hunting platform for its security analysts?
Among those who do not use threat hunting platforms,
more than 3 in 4 (76%) stated they would like to see
their organization upgrade security capabilities by
purchasing a threat hunting platform. This supports
the themes in which detecting advanced threats is a
major challenge to SOCs, magnified by a lack of expert
staff, and the fact respondents believe not enough time
or budget is allocated to threat hunting tools.
THREAT HUNTING REPORT 19
BARRIERS TO ADOPTION
Q: What is the main reason your SOC does not have a threat hunting platform for its security analysts?
Lack of budget remains the top reason why SOCs have not adopted a threat hunting platform, an answer given
by 35% of respondents. Lack of training on threat hunting was the second most common reason, said 20% of
respondents. This puts more responsibility on threat hunting platforms to prove their value, accelerate onboarding
times and improve comprehension with SOC staff.
35%Lack of budget
Not a priority
for our SOC
Lack of training
on threat hunting
Platform fatigue,
we have many platforms
Lack of collaboration
across departments
20% 19% 11% 7%
Other
9%
THREAT HUNTING REPORT 20
THREAT HUNTING PERFORMANCE
Q: On average, how long does it take to detect /
investigate threats without a threat hunting platform
at your SOC?
Q: On average, how long does it take to detect / investigate
threats with a threat hunting platform at your SOC?
When asked to estimate the amount of time it takes
to address threats without a threat hunting platform,
the average time it took to “detect” a threat was 38
days, and the average time to “investigate” a threat
was 26 days.
When asked to estimate the same time to “detect”
and “investigate” threats with a threat hunting
platform, a much different story emerged. With a
threat hunting platform, the average time spent to
“detect” dropped to 15 days and the average time
to “investigate” the threat lasted just 14 days. The
average time spent to detect the threat improved by
61% and investigating the threat improved by 42%.
WITH
THREAT HUNTING PLATFORM
WITHOUT
A THREAT HUNTING PLATFORM
Time to detect
38 days 15 days
Time to investigate
26 days 14 days
2.5x
improvement
~2x
improvement
THREAT HUNTING REPORT 21
BENEFITS OF THREAT HUNTING PLATFORMS
Q: What do you think are the main efficiency benefits from a threat hunting platform for security analysts?
The top efficiency benefits from a threat hunting platform as mentioned by respondents were improving the
detection of advanced threats (72%), creating new ways of finding threats (68%), discovering threats they could
not discover otherwise (67%), and reducing investigation time (66%).
Saves time manually
correlating events
Creates new ways
of finding threats
Discovering threats
I could not discover
otherwise
Reducing
investigation time
58%68% 67% 66%
Reducing time wasted
on chasing false lead
56%
Improving detection
of advanced threats72%
Ability to quick connect disparate sources of information 43% | Reducing extra and unnecessary noise in the system 41% | Reduces attack surface 40% |
Saves time scripting and running queries 39% | Other 4%
THREAT HUNTING REPORT 22
THREAT HUNTING ROI
Q: How long does it take for a SOC to break-even on the investment of a threat hunting platform?
Nearly half of respondents believe an investment in a threat hunting platform would pay for itself within a year.
A small minority of respondents stated the investment in a threat hunting platform would take three years or more
to break even.
Immediately Within days Within weeks Within months Within a year Within 2 yrs Within 3 yrs More than 3 yrs Unsure
5%
3%
11%
7%
18%
10% 8%
4%
32%
believe the investment in a threat hunting
platform would pay for itself within a year44%
THREAT HUNTING REPORT 23
KEY FEATURES OF THREAT HUNTING PLATFORMS
Q: Using a scale of 1 to 5 where “5” indicates very appealing and “1” indicates not at all appealing, how appealing is each
of the following when selecting a threat hunting platform?
The most appealing features of a threat hunting platform are the forensic details and automated analytics
(machine learning used for automating decisions). All features carried some appeal with respondents. None of the
features received an average score below a “3” on a 1 to 5 scale of appeal.
4.1 4.0
Forensics detail Automated and
packaged analytics
VERY
APPEALING
NOT AT ALL
APPEALING
VERY
APPEALING
NOT AT ALL
APPEALING
3.9
Searchability
VERY
APPEALING
NOT AT ALL
APPEALING
Investigation workflow 3.8 | Visualizations 3.8 | Breadth of data sources 3.8 | Automated mitigation 3.7 | Sequence timeline 3.5 | Storage capacity 3.4
THREAT HUNTING REPORT 24
METHODOLOGY & DEMOGRAPHICS
The 2017 Threat Hunting Report is based on the results of an online survey of over 330 cybersecurity and IT
professionals to gain more insight into the state of threat management in SOCs. The respondents range from security
analysts and IT managers to CISOs. The respondents represent a representative cross section of organizations of
varying sizes across many industries, ranging from financial services to telecommunications and healthcare.
6% 5% 4% 2%
PRIMARY ROLE
Security Analyst IT Manager, Director or CIO Security Manager or Director CSO, CISO, or VP of Security Security Administrator
Threat Analyst Systems Administrator Auditor Other
INDUSTRY
Financial services, banking or insurance Telecommunications or ISP Healthcare Government Manufacturing
Retail or ecommerce Energy or utilities Other
COMPANY SIZE
Less than 100 100 to 499 500 to 999 1,000 to 4,999 5,000 to 9,999 10,000 or more
20% 19% 19% 15% 11%
22% 15% 11% 19% 13% 20%
20% 8%14% 9% 6% 33%5% 4%
THREAT HUNTING REPORT 25
THREAT HUNTING OVERVIEW
THREAT HUNTING REPORT 26
UNDERSTANDING THE THREAT
Today’s attacks have become more sophisticated while their means and methods are increasingly difficult to
detect. Upon gaining access to a network, most advanced persistent threats (APTs) work silently and stealthily
to gather intel and gain more access to their target network. In the past, APTs using this methodology were
extremely difficult to detect and sometimes were active for months or even years before being discovered.
However, many SOCs are beginning to take the fight to the enemy by employing threat hunting techniques to seek
out malicious activity before it is able to do significant damage.
Mapping to the Cyber Kill Chain
The clear majority of attacks faced by organizations today can be mapped via the cyber kill chain model.
Under this framework, attackers will start out by gathering intelligence on and surveilling a network, exploiting
weaknesses, and moving on to escalating privileges. However, at every level of the kill chain, attackers are
vulnerable to detection and potential disruption.
By understanding how attackers utilize the kill chain, hunters can engage their targets before adversaries
compromise or steal valuable information. In other words, monitoring, targeting, and engaging threats before
they cause damage. In this process, hunters will start out by hypothesizing and mapping out potential means and
methods that can be used by attackers. Hunters should therefore be able to collect actionable intelligence that
enables them to further refine their data-gathering techniques and provides jumping-off points for future hunts.
1 2 3 4 5 6 7
Reconnaissance
CYBER THREAT KILL CHAIN
Weaponization Delivery Exploitation Installation
Command
& Control
Actions on
Objectives
THREAT HUNTING REPORT 27
THE PYRAMID OF PAIN
All attackers have signatures that can be used to identify who is attacking and how. These can include anything
from the attacker’s IP address, network/host artifacts, and tactics, techniques and procedures (TTPs). Collectively,
these methods are referred to as Indicators of Compromise (IoCs). By identifying relevant IoCs and denying their
use, hunters can make attacks upon their networks more time-consuming, costly, and difficult. In short, by picking
out IoCs through the use of behavioral analytics, intelligence gathering, etc., hunters can pinpoint and deny
potential avenues of approach to malicious actors.
This method of disrupting threats is encapsulated within the “pyramid of pain” model. The pyramid maps the
levels of IoC that are used by adversaries and correlates them with the relative amount of inconvenience that can
be caused by forcing attackers to change their techniques. By relying on behavior and data-driven intelligence
(as opposed to reactive automated defenses), hunters are able to predict the tactics most likely to be used by
adversaries.
TTPs Tough
Challenging
Annoying
Simple
Easy
Trivial
Tools
Network/
Host Artifacts
Domain Names
IP Addresses
Hash Values
THREAT HUNTING REPORT 28
THE HUNTING MATURITY MODEL
Each organization’s ability to seek out IOCs can be mapped according to the hunting maturity model. The
framework rates SOCs on their ability to utilize intelligence indicators and data collection to predict and identify
threats. SOCs are assessed on their defense techniques (e.g. entirely automated vs intelligence-driven), their
collection and use of data, and their adaptability. The model also evaluates SOCs based on the frequency,
sophistication, and institutionalization of their hunt techniques.
This model provides SOCs with a broad-view outline for assessing their effectiveness, as well as laying out a
roadmap for improving operational effectiveness. Under this framework, the most effective SOCs are those that
consistently incorporate intelligence and “lessons learned” from hunts into alerts and automated responses, as well
as those that invest in specialized, scalable tools for hunters.
0
2
3
4
1
• These teams either have
no hunting capabilities
and mainly perform
incident response
LEVEL
NO THREAT
HUNTING
PROGRAM
• These teams incorporate
basic searching as their
hunting techniques
(searching for key
indicators in datasets)
• Most hunting in this stage
is not data driven and is
conducted on an ad-hoc basis
BASIC
THREAT
HUNTING
• These teams incorporate
published hunting procedures
and techniques into their
detection activities
• Threat hunting in this
stage utilizes data collection,
and is applied on a regular basis
UTILIZING
EXISTING
PROCEDURES
• These teams create new
hunting procedures that can
be followed (and published)
based on organizational need
• Hunting at this level occurs
on a frequent basis
CREATING
NEW
PROCEDURES
• These teams incorporate
all of the above practices
but also automate successful
hunts and use hunting results to
improve automated detection
systems, freeing up hunters
to pursue new hunts
LEADERS
IN THREAT
HUNTING
LEVEL
LEVEL
LEVEL
LEVEL
THREAT HUNTING REPORT 29
SPONSOR OVERVIEW
Cybereason | www.cybereason.com
Cybereason is the leader in endpoint protection, offering endpoint detection and response, next-
generation antivirus, and managed monitoring services. Founded by elite intelligence professionals
born and bred in offense-first hunting, Cybereason gives enterprises the upper hand over cyber
adversaries.

Weitere ähnliche Inhalte

Was ist angesagt?

How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalMahmoud Yassin
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxInfosec
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence WorkshopPriyanka Aash
 
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
 SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera... SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...AlienVault
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceAndreas Sfakianakis
 

Was ist angesagt? (20)

How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
 
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar Users
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptx
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
 
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
 SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera... SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
 

Ähnlich wie Threat Hunting Report

2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...CMR WORLD TECH
 
Ponemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data RiskPonemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data RiskFiona Lew
 
VIPRE --Responding to Cyberattacks
VIPRE --Responding to CyberattacksVIPRE --Responding to Cyberattacks
VIPRE --Responding to CyberattacksAbhishek Sood
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingwardell henley
 
Achieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportAchieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportGov BizCouncil
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesJoseph DeFever
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summarypatmisasi
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyScalar Decisions
 
5 Key Findings on Advanced Threats
5 Key Findings on Advanced Threats5 Key Findings on Advanced Threats
5 Key Findings on Advanced ThreatsHannah Jenney
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3Lumension
 
M-Trends® 2012: An Evolving Threat
M-Trends® 2012: An Evolving Threat M-Trends® 2012: An Evolving Threat
M-Trends® 2012: An Evolving Threat FireEye, Inc.
 
Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: SANS 2017 Threat Landscape SurveySecurity Whack-a-Mole: SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: SANS 2017 Threat Landscape SurveyQualys
 
Under cyber attack: EY's Global information security survey 2013
Under cyber attack: EY's Global information security survey 2013Under cyber attack: EY's Global information security survey 2013
Under cyber attack: EY's Global information security survey 2013EY
 

Ähnlich wie Threat Hunting Report (20)

2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
 
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
 
Ponemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data RiskPonemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data Risk
 
when minutes counts
when minutes countswhen minutes counts
when minutes counts
 
VIPRE --Responding to Cyberattacks
VIPRE --Responding to CyberattacksVIPRE --Responding to Cyberattacks
VIPRE --Responding to Cyberattacks
 
CAPP Conference Survey
CAPP Conference SurveyCAPP Conference Survey
CAPP Conference Survey
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_training
 
Achieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportAchieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress Report
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
2014 Executive Breach Preparedness Research Report
2014 Executive Breach Preparedness Research Report2014 Executive Breach Preparedness Research Report
2014 Executive Breach Preparedness Research Report
 
5 Key Findings on Advanced Threats
5 Key Findings on Advanced Threats5 Key Findings on Advanced Threats
5 Key Findings on Advanced Threats
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3
 
M-Trends® 2012: An Evolving Threat
M-Trends® 2012: An Evolving Threat M-Trends® 2012: An Evolving Threat
M-Trends® 2012: An Evolving Threat
 
Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: SANS 2017 Threat Landscape SurveySecurity Whack-a-Mole: SANS 2017 Threat Landscape Survey
Security Whack-a-Mole: SANS 2017 Threat Landscape Survey
 
Under cyber attack: EY's Global information security survey 2013
Under cyber attack: EY's Global information security survey 2013Under cyber attack: EY's Global information security survey 2013
Under cyber attack: EY's Global information security survey 2013
 

Kürzlich hochgeladen

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 

Kürzlich hochgeladen (20)

20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 

Threat Hunting Report

  • 1. 2017 | REPORT THREAT HUNTING Group Partner Information Security PRESENTEDBY
  • 2. THREAT HUNTING 2 0 1 7 R E P O R T TABLE OF CONTENTS Overview Key Survey Findings Familiarity with Threat Hunting Threat Hunting Priority Top Challenges for SOCs Confidence in SOCs Data Captured for Forensic Review Threat Detection by Automated Tools Vulnerability Scanning & Analysis SOC Threat Management Maturity Resources for Threat Hunting Time Spent on Threat Hunting Attack Discovery Financial Impact of Threats Threat Hunters’ Job Satisfaction Threat Hunting Adoption Barriers to Adoption Threat Hunting Performance Benefits of Threat Hunting Platforms Threat Hunting ROI Key Features of Threat Hunting Platforms Methodology and Demographics Threat Hunting Overview Sponsor Overview 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 29
  • 3. In 2017, the Information Security Community on LinkedIn conducted a comprehensive online research project to gain more insight into the state of threat hunting in security operation centers (SOCs). When the 330 respondents were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization’s defenses. Many responses included “unknown” and “advanced” when describing threats, indicating the respondents understand the challenges and fear those emerging threats. We would like to thank our sponsor Cybereason for supporting this unique research. We hope you will enjoy the report. Thank you, Holger Schulze OVERVIEW Many organizations are quickly discovering that cyber threat hunting is the next step in the evolution of the modern Security Operations Center (SOC) to combat an increasing array of sophisticated threats from attackers. Threat Hunting refers to manual and machine-assisted methods of proactively and iteratively searching through networks and datasets to find advanced persistent threats (APTs) that evade existing security defenses. Holger Schulze Founder Information Security Community on LinkedIn hhschulze@gmail.com Group Partner Information Security 3 Holger Schulze Founder Information Security Community on LinkedIn THREAT HUNTING REPORT
  • 4. THREAT HUNTING REPORT 4 KEY SURVEY FINDINGS Respondents state that the frequency of security threats their organizations are facing increased significantly. Over 80% of respondents say threats have at least doubled in the past year. Based on the current trend, the number of advanced and emerging threats will continue to outpace the capabilities and staffing of organizations to handle those threats. Threat hunting is becoming a top security initiative for many organizations. However, the inability to detect advanced threats and find expert security staff to assist with threat mitigation are the top two challenges SOCs are facing. As a result, about four in five respondents stated their SOC does not spend enough time searching for emerging and advanced threats. The main benefits of threat hunting platforms include improved detection of advanced threats, creating new ways of finding threats, and reducing investigation time. Threat hunting platforms can cut in half the time spent to detect a threat, and it improves the average time to investigate and address a threat by 42%. Nearly half of respondents state that an investment in a threat hunting platform pays for itself within a year given its ability to detect unknown, emerging and advanced threats. Confidence in organizations’ ability to uncover advanced threats is low. Two-thirds of SOCs report that they are falling behind in terms of capabilities to address sophisticated threats. Confidence is further undercut by the increasing number of successful cyber attacks and the time it takes many organizations to detect and respond to a breach - many data breaches still have an average dwell time of 5 months. Cybersecurity professionals who work with a threat hunting platform feel more appreciated, recognized, and valued by their organization. Virtually all respondents want to work for a SOC with lean-forward proactive security capabilities such as threat hunting, confirming the value respondents place on threat hunting capabilities to help them do their job more effectively. 1 2 3 4 5
  • 5. THREAT HUNTING REPORT 5 FAMILIARITY WITH THREAT HUNTING Q: How familiar are you with threat hunting? Among the respondents to the threat hunting survey, six in 10 have some knowledge or are very knowledgeable about the topic. An additional 25% were aware of threat hunting but had no knowledge about the topic. 60% I am very knowledgeable on threat hunting Have a moderate or high degree of knowledge about threat hunting I have some knowledge on threat hunting I am aware of threat hunting, but have no knowledge I am unfamiliar with threat hunting 18% 42% 25% 15%
  • 6. THREAT HUNTING REPORT 6 THREAT HUNTING PRIORITY Q: What is your level of agreement with the statement “Threat hunting should be or will be a top security initiative in 2017”? Nearly four out of five respondents said that threat hunting should be or will be a top security initiative in 2017 with 42% saying that they strongly agreed with the statement. Over three-quarters of respondents believe threat hunting is of major importance. 3/4 of respondents believe threat hunting is of major importance Strongly agree Somewhat agree Neither agree nor disagree Somewhat disagree Strongly disagree 42% 37% 11% 6% 4%
  • 7. THREAT HUNTING REPORT 7 TOP CHALLENGES FOR SOCS Q: Which of the following do you consider to be top challenges facing your SOC? The top two challenges facing SOCs are the detection of advanced threats (hidden, unknown, and emerging) and the lack of expert security staff to mitigate such threats. More than half of the SOCs face these two top challenges. All the challenges mentioned in the survey were ranked by at least 30% of the participants, suggesting that SOCs are dealing with a broad array of issues on a day-to-day basis. Detection of advanced threats (hidden, unknown, and emerging) 70% The lack of expert security staff to assist with threat mitigation 59% Detection of rogue insiders/ insider attacks Slow response time to find or detect advanced threats Too much time wasted on false positive alerts Lack of confidence in automation tools catching all threats 49% 49% 47% 45% Lack of proper reporting tools 32% Working with outdated SIEM tools and SOC infrastructure 30% | Too much data to collect, aggregate, report and analyze 30% | Other 7%
  • 8. THREAT HUNTING REPORT 8 CONFIDENCE IN SOCS Q: Using a scale of 1 to 5 where “5” is very confident and “1” not at all confident, how confident are you in your SOC’s ability to uncover advanced threats? The Challenges faced by SOCs, such as their inability to detect advanced threats, the lack of expert staff to assist, and the slow response time all weigh heavy on their level of confidence. Only 6% of respondents were fully confident in their SOC’s ability to uncover advanced threats; only 26% of respondents were confident to very confident. Very confidentNot at all confident Moderately confident 1 2 3 4 5 45% 6% 20% 23% 7%
  • 9. THREAT HUNTING REPORT 9 DATA CAPTURED FOR FORENSIC REVIEW Q: What kind(s) of data does your SOC log for forensic review later? When asked about the type of data their SOC log for forensics review, three in four respondents said they log and review firewall/IPS denied traffic. Other commonly collected logs are firewall/IPS allowed traffic, DNS traffic, and Web and email traffic. The importance respondents see in keeping different types of logs for forensic review is evident by the fact that each data option was logged by at least 30% of the respondents. Firewall/IPS denied traffic 70% Firewall/IPS allowed traffic .com .net Server traffic Packet sniff/ tcpdump Windows domain logs 58% 41% 40% 33% Unsure 16% Web and email filter traffic 65% DNS traffic 60%
  • 10. THREAT HUNTING REPORT 10 THREAT DETECTION BY AUTOMATED TOOLS Q: What percent of emerging and advanced threats are missed by automation security tools? Q: Which of the following best describes the frequency of security threats facing your organization? Nearly half of all threats go undetected by automated security tools (44%). Respondents’ answers ranged from single digits to more than 90%, implying that there is a wide range of perceived effectiveness of automated tools. Needless to say, this bodes very poorly for the current state of industry readiness. threats go undetected by automated security tools 44% 4% Increased at the rate of 2x in the past year Increased at the rate of 5x or more Not changed in the past year Decreased Increased at the rate of 3x in the past year Increased at the rate of 4x in the past year 38% 24% 9% 12% 13% Respondents overwhelmingly believe that their organization faced more security threats over the past year, with 82% saying threats occurred more frequently. In addition, nearly half (45%) stated the amount of threats they face have at least tripled or more in the past year.
  • 11. THREAT HUNTING REPORT 11 VULNERABILITY SCANNING & ANALYSIS Q: When threat hunting, do you run a network scan/ analysis of common vulnerabilities to determine if the threat is attacking a known CVE? Q: How useful do you find network vulnerability scanning/ patching CVEs in helping you limit the risk of threats? Although identifying attacking threats seems to be of extreme importance to organizations, nearly 1 in 4 do not analyze vulnerabilities to determine if the threat is attacking a known CVE (Common Vulnerability and Exposure). 3 in 4 respondents stated they take measures to determine if a threat is attacking a known CVE for their organization. Over 75% of respondents stated that vulnerability scanning and CVE patching is helpful in limiting potential threats. These results support the prior question in determining the importance of analyzing and acting on vulnerable areas for security purposes. Only a small minority believe that scanning for and patching CVEs is unhelpful. 76% YES 24% NO 4% 12% 7% 77% Somewhat helpful Somewhat unhelpful Neither helpful nor unhelpful think vulnerability scanning and CVE patching is helpful in limiting potential threats Very helpful Very unhelpful 53% 24%
  • 12. THREAT HUNTING REPORT 12 SOC THREAT MANAGEMENT MATURITY Q: Which of the following best explains the status of your SOC in relation to addressing emerging threats? When it comes to the state of their organization’s threat hunting capabilities, only 6% actually believe they are cutting edge, and 30% believe they are advanced. Nearly two thirds of respondents stated they’re minimally compliant or even behind the curve when it comes to addressing emerging threats. Although emerging and advanced threats seem to be a major challenge for SOCs, little action is being taken to address them. 6% We are cutting-edge, ahead of the curve We are advanced, but not cutting-edge We are compliant, but behind the curve Our capabilities are limited at this time 30% 37% 27%
  • 13. THREAT HUNTING REPORT 13 RESOURCES FOR THREAT HUNTING Q: Approximately how much do you spend on security detection and defense technologies to identify and stop advanced threats? Q: Approximately, what percentage of employees at your SOC are threat hunting today? When asked for an approximate amount their organization spent on security detection and defense technologies to identify and stop advanced threats, answers varied significantly. On average, respondents stated approximately $550,000 with some amounts ranging up to $6-8 million dollars. Less than 2 in 10 employees within SOCs are threat hunting today. When asked approximately what percentage of employees were involved in threat hunting, the average response was around 14%. Average Spend on Technologies for Security Detection and Defense $550,000 14%SOC employees involved in threat hunting
  • 14. THREAT HUNTING REPORT 14 TIME SPENT ON THREAT HUNTING Q: In a typical week, what percent of your time is spent with alert triage or reactive response to security threats versus engaging in proactive and innovative detection methods? Q: Do you feel enough time is spent searching for emerging and advanced threats at your SOC? When compared to engaging in proactive and innovative detection, respondents spend nearly double the time with alert triage and reacting to security threats. An average of 43% of respondents’ time is spent reacting to security threats, while an average of 22% of respondents said that their time is spent proactively seeking threats. The rest of the time is spent on other activities. These results align with previous questions that revealed that many respondents’ organizations are behind the curve when it comes to taking steps to enhance their security and threat hunting capabilities. A staggering 4 in 5 respondents believe their SOC does not spend enough time searching for emerging and advanced threats. While many organizations and SOCs spend most of their time reacting to detected threats or other procedures, respondents clearly believe more time should be spent on proactively looking for these threats. Only 20% of respondents believe that their SOC spends enough time searching for emerging and advanced threats. 20% YES 80% NO 2x time 22% Proactively seeking threats 43% Reacting to security threats
  • 15. THREAT HUNTING REPORT 15 ATTACK DISCOVERY Q: On average, how long do attackers who breach your security defenses dwell in your network before they are discovered by your SOC? Q: Missed and Detected Security Threats? Attackers dwell on a network for an average of 40 days before they’re discovered, according to the survey. Some respondents said attackers were discovered much faster while others said the attack could go undetected for as long as three months or even longer. Nearly all respondents agree that attackers dwell on a network for some period of time before they’re discovered by the SOC. An average of 40% of security threats to the respondent’s SOC are missed, while an average of 60% were identified. With over 4 in 10 security threats being missed by SOCs, there’s significant potential for a breach. 40DAYS Average time attackers dwell on networks until discovered 40% MISSED Security Threats 60% DETECTED Security Threats
  • 16. THREAT HUNTING REPORT 16 FINANCIAL IMPACT OF THREATS Q: What is the typical financial impact of a security threat which goes undetected and results in a breach at your organization? Nearly 2 in 5 respondents stated a security breach could have a financial impact of up to $1 million at their organization. Almost half of respondents were unsure of the financial impact an undetected threat that results in a breach would cause. This number represents a significant lack of awareness around the potential damage that undetected threats can cause. Under $500,000 32% 7% 7% 4% 1% 2% 47% $500,000 to $999,999 $1 million to $2.9 million $3 million to $5.9 million $6 million to $9.9 million More than $10 million Unsure think a security breach could have a financial impact of up to $1 million at their organization 2 of 5 of respondents
  • 17. THREAT HUNTING REPORT 17 THREAT HUNTERS’ JOB SATISFACTION Q: Do you feel the work you do is: Appreciated?, Recognized?, Valued? Q: Would you prefer to work in a SOC with lean-forward proactive security capabilities, such as threat hunting? Overall, 61% of respondents in SOc without a threat hunting platform stated they feel appreciated, 53% say they are recognized, and 59% believe they are valued at their organization. However, respondents who work in a SOC that uses a threat hunting platform feel significantly more appreciated, recognized, and valued. Of those respondents, 72% state they feel appreciated, 61% state they are recognized, and 67% believe they are valued. Respondents overwhelmingly stated that they would prefer to work in a SOC with lean-forward proactive security capabilities such as threat hunting, an opinion shared by nearly 95% of respondents. Respondents value the importance of threat detection capabilities for not only their own work, but also for their organization. WITH threat hunting platform WITHOUT threat hunting platform 61% Appreciated Recognized Valued 53% 59% 72% 61% 67% YES NO 7% 93%
  • 18. THREAT HUNTING REPORT 18 THREAT HUNTING ADOPTION Q: Does your SOC currently use a threat hunting platform for its security analysts? Nearly two-thirds of respondents stated their SOC does not currently use a threat hunting platform for its security analysts, indicating a lower adoption rate. Respondents agree that the need and importance to identify emerging and advanced threats is paramount but many organizations have yet to adopt technologies to do so. 35% 2/3 SOCs do not currently use a threat hunting platform NO YES 65% 76% NO YES 24% Q: Would you like your organization to purchase a threat hunting platform for its security analysts? Among those who do not use threat hunting platforms, more than 3 in 4 (76%) stated they would like to see their organization upgrade security capabilities by purchasing a threat hunting platform. This supports the themes in which detecting advanced threats is a major challenge to SOCs, magnified by a lack of expert staff, and the fact respondents believe not enough time or budget is allocated to threat hunting tools.
  • 19. THREAT HUNTING REPORT 19 BARRIERS TO ADOPTION Q: What is the main reason your SOC does not have a threat hunting platform for its security analysts? Lack of budget remains the top reason why SOCs have not adopted a threat hunting platform, an answer given by 35% of respondents. Lack of training on threat hunting was the second most common reason, said 20% of respondents. This puts more responsibility on threat hunting platforms to prove their value, accelerate onboarding times and improve comprehension with SOC staff. 35%Lack of budget Not a priority for our SOC Lack of training on threat hunting Platform fatigue, we have many platforms Lack of collaboration across departments 20% 19% 11% 7% Other 9%
  • 20. THREAT HUNTING REPORT 20 THREAT HUNTING PERFORMANCE Q: On average, how long does it take to detect / investigate threats without a threat hunting platform at your SOC? Q: On average, how long does it take to detect / investigate threats with a threat hunting platform at your SOC? When asked to estimate the amount of time it takes to address threats without a threat hunting platform, the average time it took to “detect” a threat was 38 days, and the average time to “investigate” a threat was 26 days. When asked to estimate the same time to “detect” and “investigate” threats with a threat hunting platform, a much different story emerged. With a threat hunting platform, the average time spent to “detect” dropped to 15 days and the average time to “investigate” the threat lasted just 14 days. The average time spent to detect the threat improved by 61% and investigating the threat improved by 42%. WITH THREAT HUNTING PLATFORM WITHOUT A THREAT HUNTING PLATFORM Time to detect 38 days 15 days Time to investigate 26 days 14 days 2.5x improvement ~2x improvement
  • 21. THREAT HUNTING REPORT 21 BENEFITS OF THREAT HUNTING PLATFORMS Q: What do you think are the main efficiency benefits from a threat hunting platform for security analysts? The top efficiency benefits from a threat hunting platform as mentioned by respondents were improving the detection of advanced threats (72%), creating new ways of finding threats (68%), discovering threats they could not discover otherwise (67%), and reducing investigation time (66%). Saves time manually correlating events Creates new ways of finding threats Discovering threats I could not discover otherwise Reducing investigation time 58%68% 67% 66% Reducing time wasted on chasing false lead 56% Improving detection of advanced threats72% Ability to quick connect disparate sources of information 43% | Reducing extra and unnecessary noise in the system 41% | Reduces attack surface 40% | Saves time scripting and running queries 39% | Other 4%
  • 22. THREAT HUNTING REPORT 22 THREAT HUNTING ROI Q: How long does it take for a SOC to break-even on the investment of a threat hunting platform? Nearly half of respondents believe an investment in a threat hunting platform would pay for itself within a year. A small minority of respondents stated the investment in a threat hunting platform would take three years or more to break even. Immediately Within days Within weeks Within months Within a year Within 2 yrs Within 3 yrs More than 3 yrs Unsure 5% 3% 11% 7% 18% 10% 8% 4% 32% believe the investment in a threat hunting platform would pay for itself within a year44%
  • 23. THREAT HUNTING REPORT 23 KEY FEATURES OF THREAT HUNTING PLATFORMS Q: Using a scale of 1 to 5 where “5” indicates very appealing and “1” indicates not at all appealing, how appealing is each of the following when selecting a threat hunting platform? The most appealing features of a threat hunting platform are the forensic details and automated analytics (machine learning used for automating decisions). All features carried some appeal with respondents. None of the features received an average score below a “3” on a 1 to 5 scale of appeal. 4.1 4.0 Forensics detail Automated and packaged analytics VERY APPEALING NOT AT ALL APPEALING VERY APPEALING NOT AT ALL APPEALING 3.9 Searchability VERY APPEALING NOT AT ALL APPEALING Investigation workflow 3.8 | Visualizations 3.8 | Breadth of data sources 3.8 | Automated mitigation 3.7 | Sequence timeline 3.5 | Storage capacity 3.4
  • 24. THREAT HUNTING REPORT 24 METHODOLOGY & DEMOGRAPHICS The 2017 Threat Hunting Report is based on the results of an online survey of over 330 cybersecurity and IT professionals to gain more insight into the state of threat management in SOCs. The respondents range from security analysts and IT managers to CISOs. The respondents represent a representative cross section of organizations of varying sizes across many industries, ranging from financial services to telecommunications and healthcare. 6% 5% 4% 2% PRIMARY ROLE Security Analyst IT Manager, Director or CIO Security Manager or Director CSO, CISO, or VP of Security Security Administrator Threat Analyst Systems Administrator Auditor Other INDUSTRY Financial services, banking or insurance Telecommunications or ISP Healthcare Government Manufacturing Retail or ecommerce Energy or utilities Other COMPANY SIZE Less than 100 100 to 499 500 to 999 1,000 to 4,999 5,000 to 9,999 10,000 or more 20% 19% 19% 15% 11% 22% 15% 11% 19% 13% 20% 20% 8%14% 9% 6% 33%5% 4%
  • 25. THREAT HUNTING REPORT 25 THREAT HUNTING OVERVIEW
  • 26. THREAT HUNTING REPORT 26 UNDERSTANDING THE THREAT Today’s attacks have become more sophisticated while their means and methods are increasingly difficult to detect. Upon gaining access to a network, most advanced persistent threats (APTs) work silently and stealthily to gather intel and gain more access to their target network. In the past, APTs using this methodology were extremely difficult to detect and sometimes were active for months or even years before being discovered. However, many SOCs are beginning to take the fight to the enemy by employing threat hunting techniques to seek out malicious activity before it is able to do significant damage. Mapping to the Cyber Kill Chain The clear majority of attacks faced by organizations today can be mapped via the cyber kill chain model. Under this framework, attackers will start out by gathering intelligence on and surveilling a network, exploiting weaknesses, and moving on to escalating privileges. However, at every level of the kill chain, attackers are vulnerable to detection and potential disruption. By understanding how attackers utilize the kill chain, hunters can engage their targets before adversaries compromise or steal valuable information. In other words, monitoring, targeting, and engaging threats before they cause damage. In this process, hunters will start out by hypothesizing and mapping out potential means and methods that can be used by attackers. Hunters should therefore be able to collect actionable intelligence that enables them to further refine their data-gathering techniques and provides jumping-off points for future hunts. 1 2 3 4 5 6 7 Reconnaissance CYBER THREAT KILL CHAIN Weaponization Delivery Exploitation Installation Command & Control Actions on Objectives
  • 27. THREAT HUNTING REPORT 27 THE PYRAMID OF PAIN All attackers have signatures that can be used to identify who is attacking and how. These can include anything from the attacker’s IP address, network/host artifacts, and tactics, techniques and procedures (TTPs). Collectively, these methods are referred to as Indicators of Compromise (IoCs). By identifying relevant IoCs and denying their use, hunters can make attacks upon their networks more time-consuming, costly, and difficult. In short, by picking out IoCs through the use of behavioral analytics, intelligence gathering, etc., hunters can pinpoint and deny potential avenues of approach to malicious actors. This method of disrupting threats is encapsulated within the “pyramid of pain” model. The pyramid maps the levels of IoC that are used by adversaries and correlates them with the relative amount of inconvenience that can be caused by forcing attackers to change their techniques. By relying on behavior and data-driven intelligence (as opposed to reactive automated defenses), hunters are able to predict the tactics most likely to be used by adversaries. TTPs Tough Challenging Annoying Simple Easy Trivial Tools Network/ Host Artifacts Domain Names IP Addresses Hash Values
  • 28. THREAT HUNTING REPORT 28 THE HUNTING MATURITY MODEL Each organization’s ability to seek out IOCs can be mapped according to the hunting maturity model. The framework rates SOCs on their ability to utilize intelligence indicators and data collection to predict and identify threats. SOCs are assessed on their defense techniques (e.g. entirely automated vs intelligence-driven), their collection and use of data, and their adaptability. The model also evaluates SOCs based on the frequency, sophistication, and institutionalization of their hunt techniques. This model provides SOCs with a broad-view outline for assessing their effectiveness, as well as laying out a roadmap for improving operational effectiveness. Under this framework, the most effective SOCs are those that consistently incorporate intelligence and “lessons learned” from hunts into alerts and automated responses, as well as those that invest in specialized, scalable tools for hunters. 0 2 3 4 1 • These teams either have no hunting capabilities and mainly perform incident response LEVEL NO THREAT HUNTING PROGRAM • These teams incorporate basic searching as their hunting techniques (searching for key indicators in datasets) • Most hunting in this stage is not data driven and is conducted on an ad-hoc basis BASIC THREAT HUNTING • These teams incorporate published hunting procedures and techniques into their detection activities • Threat hunting in this stage utilizes data collection, and is applied on a regular basis UTILIZING EXISTING PROCEDURES • These teams create new hunting procedures that can be followed (and published) based on organizational need • Hunting at this level occurs on a frequent basis CREATING NEW PROCEDURES • These teams incorporate all of the above practices but also automate successful hunts and use hunting results to improve automated detection systems, freeing up hunters to pursue new hunts LEADERS IN THREAT HUNTING LEVEL LEVEL LEVEL LEVEL
  • 29. THREAT HUNTING REPORT 29 SPONSOR OVERVIEW Cybereason | www.cybereason.com Cybereason is the leader in endpoint protection, offering endpoint detection and response, next- generation antivirus, and managed monitoring services. Founded by elite intelligence professionals born and bred in offense-first hunting, Cybereason gives enterprises the upper hand over cyber adversaries.