
The state of threat hunting in 2024

Nick Palmer at Censys explains why threat hunting is such an important part of cyber-security and outlines how organisations can support their threat hunters

 

Over the last few years, as the cyber-security landscape has become ever more complex, organisations have been unable to rely solely on automated security solutions. Sophisticated threats can break through defences and cause significant damage, so it’s important that organisations have another layer of defence. This is where threat hunting comes in.

 

Threat hunters are the human element of security, searching for vulnerabilities that may be missed by traditional detection methods. Additionally, they often work to identify best security practices as they go along, using their discoveries to elevate cyber-security strategies. 

 

In the past, threat hunting has largely been undertaken by individual experts who work on their own in an unstructured manner. As such, the discipline has lacked a uniform set of standards or practices that newcomers can follow.

 

However, as the role becomes more and more important, organisations are increasingly viewing threat hunting as a part of their overall security. As a result, the job is given to security practitioners with other competing responsibilities.

 

As the discipline evolves, so does the state of threat hunting. So, what are the biggest challenges for threat hunters today, and how can organisations support them to ensure they’re successful?

 

The challenging landscape

As it stands, a key issue for the threat hunting discipline is the lack of consistency and standardisation. There are no clear criteria that are used across the board to classify a threat, and individual threat hunters often rely on their own experience and tools to assess it. As such, each individual works in a unique way, making it difficult for others to replicate their methods and causing challenges when it comes to setting up a standard practice in a business. 

 

Therefore, greater collaboration across the discipline is essential if threat hunting is to become a standard and successful component of cyber-security.

 

When it comes to specific technical challenges threat hunters face, the most formidable is the prevalence of false positives. According to Censys’ 2024 State of Threat Hunting Report, around one-third of threat hunters find that over 20% of their results are false positives. This takes up a significant amount of time and resources as threat hunters waste their efforts investigating non-harmful activity. Additionally, a high level of false positives can lead to alert fatigue, meaning that these cyber-security professionals may overlook a true threat. 

 

Additionally, for many threat hunters, there is an entirely non-technical challenge to face. Once they have discovered threats that may have a negative impact on the business, they need to communicate this to various stakeholders - which can be a daunting and difficult task.

 

Even when sharing with their direct managers - the group they are most likely to have established relationships with - only 68% of threat hunters are fully confident communicating threats, and this confidence drops off when it comes to other groups. Less than 50% were confident when it came to reporting to legal or public relations personnel - arguably the groups that have the greatest need to understand the impact of a threat.

 

Three ways organisations can empower threat hunters

In what is clearly a fragmented and difficult field, organisations must ensure they are supporting both their wider security teams and individual threat hunters. Therefore, they should consider the following:

 

1. Invest in new security tools

Automated tools can provide significant security savings for threat hunters. In particular, attack surface management tools that offer continuous asset discovery can reduce the number of previously unknown assets threat hunters discover, meaning that threat hunters don’t have to spend as much time manually discovering and managing them on their own.

 

Additionally, new AI tools can bring huge benefits, such as generating automated threat hunting queries, identifying suspicious patterns, analysing data and using predictive analysis to forecast future threats. Organisations should work with their threat hunting teams to identify the tools that would be of greatest benefit to them, and ensure they have the resources they need.

 

2. Offer adequate training

With the discipline so focused on individual work and experience, it can be easy for practitioners to get burnt out, particularly with the high levels of pressure the job entails. As such, organisations should ensure that practitioners are given adequate training - particularly for those who may have undertaken threat hunting responsibilities as part of a larger role.

 

For example, this could mean giving them access to webinars, sending them to conferences or offering peer training. As the discipline grows, we will hopefully see a greater community that practitioners can take advantage of, but there will also likely be skills gaps that organisations will need to take creative steps to bridge.

 

3. Support communication

It’s clear that investment in soft skills such as communication and presentation is vital if threat hunters are to put their hard-won intelligence to good use within an organisation. Businesses working with threat hunters should think critically about how they can build confidence and bridge any communication gaps.

 

This could mean creating more opportunities for stakeholders and threat hunters to interact in order to deepen relationships, or it may mean more support from others within the organisation to get the message across. Ultimately, it’s down to organisations to create a security-focused culture where threat hunters are taken seriously.

 

Overall, it’s clear that threat hunting is a crucial area for cyber-security. Organisations must prioritise providing the right resources and support to their threat hunting teams, or else they will remain at a disadvantage, and potentially miss serious cyber-threats. Ultimately, an empowered threat hunting team will make a business safer. 

 


 

Nick Palmer is a Solutions Engineer at Censys

 

Main image courtesy of iStockPhoto.com and Shutter2U



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543