One of the leading predictions for 2019 in our PandaLabs annual report is the boom of fileless malware. This can be put down to an increased difficulty in detecting them on the one hand, and on the other hand, to the increased cyberoffensive capacity in the world, both of states, and of criminal gangs, both state sponsored and unaffiliated.
To deal with an attack that is so difficult to detect, it is necessary to employ more complete and advanced techniques. Malware is no longer the main challenge for companies that have advanced cybersecurity capacities; the challenge is now to detect suspicious behaviors from users, machines, and processes. It is for this very reason that threat hunting is now so important in the current cybersecurity landscape; proactively searching for threats is the best way to ensure total security against hackers who are increasingly professionalized.
Threat Hunting Report 2019
The annual Threat Hunting report from Cybersecurity Insiders reveals some highly relevant statistics about the integration and awareness of this technique in the corporate cybersecurity world, and sheds some light on the challenges that cybersecurity professionals have to face.
46% of companies have experienced an increase in the severity of cyberattacks, a fact that serves to underscore how important it is to employ more advanced techniques to stop their advance. Cybersecurity professionals know this all too well: in the sector, there is increasing awareness of the importance of proactively searching for threats. According to the report, 77% of these professionals have a moderate or high degree of knowledge about threat hunting, a 4% increase compared to last year.
But what are the security challenges that these professionals have to deal with? The main challenge for 55% of companies is the detection of advanced threats. Other important challenges include wasting too much time on false positives, and a lack of expert security staff to mitigate threats.
The main goal of threat hunting is, generally speaking, to protect the company and to secure the company’s assets and its information. On this point, cybersecurity professionals agree; for 58% of these professionals, the goal of their threat hunting activity is to reduce exposure to external threats. Among the other goals mentioned by professionals are improving the speed and accuracy of threat responses (53%) and reducing the number of breaches (52%).
With such important goals for corporate security, it is no wonder that 83% of professionals believe that threat hunting should be the most important initiative for the early detection of threats.
Frequency of Threat hunting
Something that highlights the shortage of expert threat hunting professionals is the amount of time that is invested in these activities: on average, cybersecurity professionals spend 62% of their time reacting to threats, and only 38% proactively searching for threats—the key to this technique.
Another revealing statistic is the frequency with which companies carry out threat hunting. Only 32% of companies perform threat hunting continuously, while 40% only threat hunt when it is necessary. Since threat hunting itself is a proactive technique, employing it reactively significantly reduces its effectiveness.
Threat hunting methods
Efficient threat hunting requires a wide range of data sources to detect anomalies and suspicious activities as soon as possible. The majority (66%) of companies prioritize system logs as the most important data source, followed by firewall/IPS denied traffic, and network traffic.
There are multiple datasets that can be investigated during a threat hunting process. The best option is to gather, normalize, and analyze data from all possible sources in order to get a more complete and accurate idea of what has happened.
Along with a comprehensive vision of the data, another vital step for threat hunting is to understand IoCs (indicators of compromise) to be able to develop effective methods to defend against future problems. Knowing what IoCs they have to look for helps cybersecurity professionals to classify and remediate threats. The IoCs that cybersecurity teams most often investigate are behavioral anomalies (69%), suspicious IP addresses, and denied/flagged connections.
As for the capacities needed to hunt threats, the most important for 64% of professionals is threat intelligence.
The advantages of threat hunting
Using this technique clearly has many advantages in a corporate environment when it comes to keeping systems safe by providing protection against the most advanced threats. In this respect, professionals agree: 62% believe that the detection of advanced threats is the most important advantage provided by threat hunting. Other important advantages include reducing investigation time, saving time by not having to manually correlate events, and creating new ways to discover threats.
A lack of expert professionals is evidently something that can hinder threat hunting operations in a company, while time investigating false positives can slow down the work of cybersecurity professionals.
To find out how to carry out an effective threat hunting process, don’t miss the product technology news that we’re going to present on May 23 at the Panda Security Summit, the most important European cybersecurity event. Register now and come and talk to our experts!