Survey highlights why threat hunting is important for cyber resilience
- Published: Tuesday, 24 August 2021 09:08
A new Ponemon survey, commissioned by Team Cymru, has found that half of attacks on organizations that caused severe business disruption were by repeat offenders - and 61 percent of these were never resolved.
Titled ‘The State of Threat Hunting and the Role of the Analyst’ the survey report indicates that lack of awareness and gaps in knowledge are a weak link for cyber security leadership who are responsible for strategic planning of Cyber Security defenses / defences, leaving organizations exposed to risks. With 2021 already claiming high-profile victims such as Colonial Pipeline and JBS, along with the world’s first bank announcing a $1 billion cybersecurity budget, there is an urgent need for CISOs to rethink their strategy and look for alternative ways to empower their teams.
The Ponemon survey queried almost 1800 cyber security leaders and practitioners about their views specifically on external threat hunting and the people involved in this emerging and increasingly necessary technique that organizations are adopting to build their defensive capabilities.
Only 35 percent of respondents said they were leveraging their security analysts effectively, indicating a lack of maturity with regards to threat hunting. Threat hunting, particularly external threat hunting, has empowered more sophisticated security organizations to identify and block impending attacks, augment threat detection, and achieve comprehensive remediation. Yet, the majority of respondents indicate that their organizations are not allocating enough resources to realize the full potential of their analyst teams and threat hunting. Survey results indicate that the average 2021 budget for the respondents’ organizations for IT operations is $117 million. An average of 19 percent of this is allocated to IT security and of that an average of 22 percent is allocated to analyst activities and threat intelligence.
Respondents had varied views on what threat hunting was or how it was leveraged. Only 24 percent defined threat hunting as looking outside their enterprise borders to monitor adversaries and identify impending attacks. Most viewed threat hunting as a reactive method of internal threat detection, looking for malicious activity that has already taken hold. Given that 70 percent of respondents said they had a high degree of difficulty gaining an attacker’s perspective on their organizations, the fact that so many organizations take an internal-only threat hunting approach makes sense.
62 percent of organizations are increasing investment in analysts and threat intelligence “to improve prevention and detection.” However, responses indicate that they are doing so with a very tactical and reactionary perception of what an analyst team should be.
The top three intelligence data types that respondents said they had were dark web data (47 percent), domain registration data (42 percent) and endpoint telemetry (42 percent). 61 percent acknowledged that threat intelligence could not keep up with the changes in how threat actors attack their organizations. Additionally, despite the knowledge that traditional threat intelligence sources provide stale information, only 31 percent of respondents said that raw Internet traffic telemetry is important in their ability to plan preventive measures, detect threats and resolve security incidents.
This finding hints at the possibility that most organizations are building out their analyst teams and intelligence capabilities with a view to chasing more alerts and conducting post incident investigations, as opposed to achieving a proactive security posture.