An Overview of the 2024 Threat-Hunting Survey by SANS

Participation in this year’s survey was diverse across various sectors, with cybersecurity leading at 15% and the manufacturing industry making up 9% of respondents. The manufacturing sector has recently faced notable challenges from ransomware attacks. The survey included participants from organizations of different sizes, ranging from small entities with fewer than 100 employees (24%) to large corporations with over 100,000 employees (9%).

The roles of the respondents within their organizations were varied, highlighting the interdisciplinary nature of threat hunting. Security administrators or analysts accounted for 22%, while business managers made up 11%, demonstrating a balance between technical, financial, and personnel perspectives in threat-hunting practices.

However, the survey indicated a bias towards participants from the United States, with 65% of organizations based there. This geographical concentration could impact findings related to staffing and organizational practices, though it is believed not to affect the technical aspects of threat hunting.

Key Discoveries and Implications

The survey delved into the constantly evolving landscape of cyber threats and the strategies employed by threat hunters to detect and mitigate these risks. Notably, it uncovered the prevalent types of attacks encountered:

  • Business email compromise (BEC): Approximately 68% of respondents identified BEC as a significant concern. BEC involves unauthorized access to legitimate email accounts to manipulate individuals into making fund transfers through social engineering strategies.
  • Ransomware: Detected by 64% of participants, ransomware remains a critical issue. Ransomware operations involve encrypting data and demanding payment for decryption, posing a substantial threat in the cybersecurity sphere.
  • Tactics, techniques, and procedures (TTPs): The survey also catalogued the TTPs observed across attack scenarios. In ransomware cases, threat actors often use tailor-made malware, target specific data for exfiltration, rely on tools such as Cobalt Strike, attempt to erase their traces, and in certain instances physically breach the target organization.

Advancements in Threat-Hunting Practices

The survey by SANS indicated that organizations have significantly enhanced their threat-hunting methodologies, reviewing and updating them on an as-needed, monthly, quarterly, or annual basis.

Outsourced threat hunting is now employed by 37% of organizations, with over half adopting defined methodologies for threat hunting, signifying progress in this area.

Furthermore, 64% of organizations now actively assess the effectiveness of their threat-hunting activities, and the share of organizations without a structured methodology has fallen from 7% to 2%. The choice of methodology is increasingly driven by available human resources, a factor cited by 47% of organizations.

Chief Information Security Officers (CISOs) play a pivotal role in crafting threat-hunting methodologies, actively involved in 40% of cases.

Advantages of Enhanced Threat-Hunting Practices

Enhanced threat hunting brings significant benefits such as improved attack surface and endpoint security, more accurate detections with fewer false positives, and reduced resources needed for remediation.

Approximately 30% of organizations utilize vendor data as additional threat intelligence, with 14% relying solely on it. The engagement of incident response teams in developing threat-hunting methodologies increased to 33% in 2024, showcasing better integration within security operations.

Challenges like data quality and standardization problems are on the rise, highlighting the complexities of managing expanding cybersecurity data.

Concluding Remarks

The SANS 2024 Threat Hunting Survey underscores the evolution of the cybersecurity sector and the concerted efforts to bolster cyber defense capabilities. Organizations are striving to enhance threat hunting by leveraging better contextual awareness and advanced data tools, with 51% aiming to refine responses to sophisticated threats.

Almost half (47%) plan to integrate AI and ML to combat escalating threat complexity and volume. There is a significant planned investment in both personnel and tools, with certain organizations intending to boost their investment by more than 10% or even 25% in the next 24 months, highlighting the strategic significance of threat hunting.

However, a minority anticipate scaling back their investment, hinting at a potential shift in security strategy.
