Expert Speak
How Effective is Threat Hunting for Organisations?
Written by Anthony Perridge, VP International, ThreatQuotient
In recent years threat hunting has become much more widely adopted, yet what the term actually means is still debated. Threat hunting is the practice of finding the unknown in your environment: going beyond traditional detection technologies and proactively, iteratively searching through networks to detect and isolate advanced threats that have evaded the existing security controls.
Threat hunting is an essential part of security operations centre (SOC) services and should be built in at an early stage. However, even though organisations have been threat hunting for a number of years, and the job title of ‘threat hunter’ was defined about five or six years ago, its adoption and use are still hotly debated. This is one of the reasons why we sponsored this year’s SANS 2020 Threat Hunting Survey: to shed more light on how organisations are using threat hunting and how valuable it is proving to be.
Threat hunting is being utilised to tick the compliance box
There are several ways an organisation can introduce threat hunting to look for malicious activity. The SANS survey found that some companies define how their threat hunting operation needs to work and then build a team to meet those goals. Unfortunately, the other still-common approach is to run threat hunting with whatever the organisation already has.
Instead of defining the goals threat hunting must meet to deliver maximum value, these organisations define threat hunting as simply having some form of it in the business, and treat it as an activity for existing teams to pick up. This approach may still produce results, but they will not be as beneficial to the organisation and its security posture as they could be. SANS frequently sees it at compliance-driven IT organisations: some standards require threat hunting to be in place, which prompts them to set up a form of threat hunting simply to tick that box.
Security professionals state that threat hunting has strengthened their company’s defences
The recent VMware Carbon Black 2020 Global Threat Report, which surveyed over 3,000 IT leaders across 13 countries, found that threat hunting teams were starting to formalise their processes and procedures and that the industry’s trends were moving in the right direction. 80% of respondents said attacks had become more sophisticated, yet respondents also said unequivocally that threat hunting was paying dividends and was increasingly recognised for its value in identifying malicious actors already inside the environment.
Asked whether, in the last 12 months, their company’s threat hunting had strengthened its defences against cyberattack and had found malicious activity they would not otherwise have found, 88% of respondents said they were using threat hunting as part of their cybersecurity strategy and that it was proving effective, and 86% said it had strengthened their company’s defences.
The difference between threat hunters and incident responders
However, the SANS report found that many organisations were bolting threat hunting onto the incident responder’s role. There are both commonalities and differences between threat hunting and incident response. Threat hunting comes in various shapes and forms, but the most sophisticated is hypothesis-based hunting: the hunter envisions an attack scenario that might have played out in the organisation, that scenario becomes a hypothesis, and the hypothesis must then be tested. Testing it usually requires intimate knowledge of the suspected attack path, together with the right toolset and enough visibility to either accept or reject the hypothesis.
Incident responders usually know that an attack has occurred and start their investigation with limited knowledge of the attack path; as they work, they extend their knowledge of the attack and establish the visibility needed to investigate further. The tools and techniques overlap broadly between incident response and threat hunting, so it tends to be beneficial to use incident responders when building up a threat hunting operation. Over time, however, the incident response-led approach should evolve into a dedicated threat hunting team.
A lack of automation and frequently switching applications all impact the hunt
The report also found a significant gap in the use of automated tools to curate useful, applicable threat intelligence, and that most threat hunters are not full-time hunters but split their time with other responsibilities. The trend of staffing threat hunting operations with incident responders and SOC analysts was also very prominent. While incident responders may be very familiar with finding new, unknown threats, SOC analysts may find it hard to move from their routine of analysing alerts to actively searching for signs of a breach.
What threat hunters struggle with most are frequent context switches: only a few respondents said they never need to switch tools while doing their job, so jumping between applications is one area with huge potential for improved efficiency. Efficiency also suffers because a high proportion of respondents (36.3%) apply the threat intelligence they collect manually. One reason appears to be that almost half of respondents do not store threat intelligence in a platform but in traditional file-based formats such as spreadsheets or PDFs.
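What "manually applying" spreadsheet-held intelligence costs, and what the automation the survey finds missing has to do, as an added example that is not part of the article or of any vendor's platform: the indicator export (`INDICATOR_CSV`) is constructed to look like a real analyst spreadsheet, with mixed case, defanged values, a trailing-dot FQDN, a duplicate, a low-confidence row and a stale row, and the proxy log lines (`PROXY_LOG`, squid-style fields) are likewise made up. The cut-off date `HUNT_DATE`, the confidence threshold and the column names are assumptions for the example.

```python
"""Apply a document-style indicator list to proxy logs (example code).

Spreadsheet intel is hard to consume because every row needs normalising
(case, defanging, trailing dots), de-duplicating, and checking for expiry and
confidence before it can be matched. This does those steps once, then matches
every log line against the cleaned sets and reports stale hits separately.
"""
import csv
import io
from datetime import date
from urllib.parse import urlsplit

# Constructed indicator export in spreadsheet shape. Made up for this example.
INDICATOR_CSV = """type,value,confidence,valid_until,source
domain,Update-Checker[.]example,80,2020-12-31,vendor-report-17
domain,update-checker.example.,80,2020-12-31,analyst-note
ip,198.51.100.23,90,2020-12-31,sinkhole-feed
ip,203.0.113.9,30,2020-12-31,open-list
domain,old-c2.example,95,2019-06-30,vendor-report-02
url,hxxp://cdn-assets[.]example/a.gif,70,2020-12-31,phish-kit-analysis
"""

# Constructed squid-style access log lines (time, elapsed, client, status,
# bytes, method, url, upstream). Made up for this example.
PROXY_LOG = """1598940071.412    120 10.1.4.17 TCP_MISS/200 3412 GET http://update-checker.example/chk HIER_DIRECT/198.51.100.23
1598940080.003     45 10.1.4.17 TCP_MISS/200 512 GET http://cdn-assets.example/a.gif HIER_DIRECT/203.0.113.40
1598940090.910     60 10.1.7.2 TCP_MISS/200 900 GET http://old-c2.example/beacon HIER_DIRECT/198.51.100.77
1598940095.120     30 10.1.7.9 TCP_MISS/200 1200 GET http://www.example.org/ HIER_DIRECT/203.0.113.9
"""

HUNT_DATE = date(2020, 9, 1)  # assumed "as of" date for expiry checks
INDICATOR_TYPES = ("domain", "ip", "url")


def refang(value):
    """Undo the defanging used in documents (hxxp, [.]) and normalise case."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    return v.rstrip(".")  # drop a trailing dot on fully qualified names


def load_indicators(text, today=HUNT_DATE, min_confidence=50):
    """Turn a spreadsheet export into (active, expired) lookup tables.

    Each table maps indicator type -> {value: source}. Rows below
    `min_confidence` are discarded; rows past `valid_until` go to `expired`
    so a hit on stale intel can still be surfaced for review."""
    active = {t: {} for t in INDICATOR_TYPES}
    expired = {t: {} for t in INDICATOR_TYPES}
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        if kind not in INDICATOR_TYPES or int(row["confidence"]) < min_confidence:
            continue
        bucket = expired if date.fromisoformat(row["valid_until"]) < today else active
        bucket[kind].setdefault(refang(row["value"]), row["source"])  # dedupe
    return active, expired


def parse_proxy_line(line):
    """Pull client, URL, host and upstream IP out of a squid-style line."""
    fields = line.split()
    if len(fields) < 8:
        return None
    url = fields[6]
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return {"client": fields[2], "url": url.lower(), "host": host,
            "ip": fields[7].split("/", 1)[-1]}


def apply_intel(log_text, active, expired):
    """Match each log line against active intel; report stale hits apart."""
    hits, stale = [], []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        for kind, value in (("domain", rec["host"]), ("ip", rec["ip"]), ("url", rec["url"])):
            if value in active[kind]:
                hits.append({**rec, "type": kind, "indicator": value, "source": active[kind][value]})
            elif value in expired[kind]:
                stale.append({**rec, "type": kind, "indicator": value, "source": expired[kind][value]})
    return hits, stale


if __name__ == "__main__":
    active, expired = load_indicators(INDICATOR_CSV)
    hits, stale = apply_intel(PROXY_LOG, active, expired)
    for h in hits:
        print(f"HIT   {h['client']} -> {h['type']} {h['indicator']} ({h['source']})")
    for s in stale:
        print(f"STALE {s['client']} -> {s['type']} {s['indicator']} ({s['source']}); expired, review")
```

On the constructed data the cleaned list yields three hits from two log lines (one client reached both a listed domain and its listed IP, another fetched a listed URL), one stale hit on an indicator that expired in 2019, and no hit on the low-confidence IP. Every one of those decisions is something an analyst working from the spreadsheet would have to make by hand, which is the cost the survey's 36.3% are paying; a platform holds the indicators already normalised and versioned, so only the matching step remains.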
Finding a common understanding of threat hunting
I found it surprising that half of the respondents said they see no value in hunting for new or unknown threats, because uncovering unknown threats is one of the main arguments for threat hunting; known, day-to-day threats can be handled by the SOC.
In summary, to move forward we need to establish a common understanding of threat hunting, improve tools so that they reduce context switches, automate the process and make threat hunting more measurable. Low-hanging fruit for many respondents would be to move their intelligence management from documents to an open-source or commercial platform, making threat intelligence easier to consume, evolve and apply.
Threat hunting is becoming more pervasive in the industry, but its general value is still not widely understood, nor is there a gold standard for threat hunting today.
Artificial Intelligence
How AI is Reinventing Cybersecurity for the Automotive Industry
Written by Alain Penel, VP of Middle East, CIS & Turkey at Fortinet
Cyber Security
Positive Technologies Study Reveals Successful Cyberattacks Nett 5X Profits
Positive Technologies has released a study of the dark web market, analysing the prices of illegal cybersecurity services and products and the costs cybercriminals incur to carry out attacks. The most expensive type of malware is ransomware, with a median price of $7,500. Zero-day exploits are particularly valuable and are often sold for millions of dollars. Meanwhile, the net profit from a successful cyberattack can be five times the cost of organising it.
Experts estimate that a common phishing attack delivering ransomware costs a novice cybercriminal at least $20,000. First, the attackers rent dedicated servers, subscribe to VPN services and acquire other tools to build a secure, anonymous infrastructure from which to manage the attack. They also need to obtain malware source code or subscribe to ready-to-use malware, along with tools for getting into the victim’s systems and evading its security controls. On top of that, cybercriminals can pay seasoned experts for consultation, purchase access to target infrastructure and company data, and buy privilege escalation within an already compromised system. Products and tools aimed at beginners are readily available on the dark web, which also offers leaked malware with detailed instructions, making it easier for novices to carry out attacks.
Malware is one of the primary tools in an attacker’s arsenal, and 53% of malware-related ads are sales listings. Infostealers designed to steal data are offered in 19% of all posts; crypters and code-obfuscation tools, which hide malware from security tools, feature in 17%; and loaders are mentioned in 16%. The median prices of infostealers, crypters and loaders are $400, $70 and $500 respectively. The most expensive malware is ransomware: its median price is $7,500, with some offers reaching $320,000. Ransomware is primarily distributed through affiliate programmes, known as Ransomware-as-a-Service (RaaS), in which the affiliates who carry out an attack typically receive 70–90% of the ransom. To become a partner, a criminal must contribute 0.05 Bitcoin (approximately $5,000) and hold a solid reputation on the dark web.
Exploits are another popular attack tool: 69% of exploit-related ads are sales listings, and posts about zero-day vulnerabilities account for 32% of them. In 31% of cases the price of an exploit exceeds $20,000, and it can reach several million dollars. Access to corporate networks is relatively inexpensive: 72% of such ads are sales listings, and 62% of those are priced at under a thousand dollars. Among cybercriminal services, hacking on request is the most popular option, accounting for 49% of reports. For example, compromising a personal email account starts at $100, while a corporate account starts at $200.
Dmitry Streltsov, Threat Analyst at Positive Technologies, says, “On dark web marketplaces, prices are typically determined in one of two ways: either sellers set a fixed price, or auctions are held. Auctions are often used for exclusive items, such as zero-day exploits. The platforms facilitating these deals also generate revenue, often through their own escrow services, which hold the buyer’s funds temporarily until the product or service is confirmed as delivered. On many platforms, these escrow services are managed by either administrators or trusted users with strong reputations. In return, they earn at least 4% of the transaction amount, with the forums setting the rates.”
Taking the cost of dark web tools and services together with the median ransom amount, a cybercriminal can net $100,000–$130,000 from a successful attack, five times the cost of preparing it. For the victim company, such an incident brings not only the ransom but also massive financial losses from disrupted business processes. For example, in 2024 a ransomware attack took CDK Global’s servers down for two weeks; the company paid the cybercriminals $25 million, while the losses suffered by dealers because of the system downtime exceeded $600 million.
Expert Speak
What the Bybit Hack Reveals About the Future of Crypto Security
Written by Oded Vanunu, Chief Technologist & Head of Product Vulnerability Research at Check Point