In part 1 of this series, we outlined the current state of cyber threat hunting as it was profiled in SANS’s recent survey of 464 companies on the handling of proactive cyber threat detection. In this section, we’ll discuss specifically what types of hunting practices these companies use to track and remove threats in their systems, and we will take a look ahead to see how threat hunting will continue to grow in the future.
In addition to the process of data collection, automation is used to speed up certain parts of the hunting process so that analysts can focus on what’s really valuable, as opposed to having to spend time gathering and parsing through large, disparate data sets. When SANS asked the survey participants what percentage of their threat hunting capacity is automated, the responses were fairly split, with each option (1 - 10%, 11 - 25%, 26 - 50%, 51 - 75%, 76-99%) each receiving about 20%. Each stage in the Threat Hunting Loop provides opportunities for automation that can make the hunting process much more efficient. When forming a hypothesis, automated risk scoring and heat mapping can highlight where to start looking; when investigating, automated visualizations with predetermined pathways and prescribed hunting techniques help you reach your target sooner; automated TTP detection analytics allow you to easily uncover and identify threats; and feeding data back into automated tools to enrich your analytics will only make the process quicker and more powerful for the next hunt.