New Research From SANS And DomainTools Reveals Shift Towards Threat Hunting Model And 'Work Smarter

SEATTLE, April 14, 2016 /PRNewswire/ – DomainTools®, the leader in domain and DNS-based cyber threat intelligence, today announced the results of the first annual Threat Hunting: Open Season on the Adversary Survey, conducted by the SANS Institute. The research revealed that 85 percent of enterprises have already adopted some form of Threat Hunting to aggressively track and eliminate cyber adversaries as early as possible. This proactive “Threat Hunting Model” leverages existing tools combined with human intervention to strengthen the security posture of the organization. According to the survey, adopters of this model reported positive results, with 74 percent citing reduced attack surfaces, 59 percent experiencing faster speed and accuracy of responses, and 52 percent finding previously undetected threats in their networks.

As the number of cyber threats continues to climb, understanding and managing cybersecurity risks has become top of mind for all organizations. Businesses are responding by taking action and implementing holistic technology initiatives, like Threat Hunting, to mitigate the overall risk to the organization instead of relying solely on traditional, siloed prevention like Firewalls or Intrusion Detection Systems (IDS). The new SANS/DomainTools research corroborates the shift towards a Threat Hunting approach, with 62 percent of organizations planning to increase spending on Threat Hunting in the coming year and over 42 percent increasing it by 25 percent or more.

“With cyberattacks increasing exponentially each year, it’s no surprise enterprises are attracted to Threat Hunting as a proactive multi-layered approach to discovering and mitigating cyber threats as early as possible,” said Tim Chen, CEO of DomainTools. “As the findings note, successful Threat Hunting isn’t necessarily about overhauling an existing cybersecurity program, it’s about using the third-party data and technologies that most organizations already possess in order to maximize the chances of proactively finding, attributing and eliminating an adversary before the damage is done.”

Additional key findings from the SANS report include:

  • The top seven data sets that support threat hunting are: IP addresses, network artifacts and patterns, DNS activity, host artifacts and patterns, file monitoring, user behavior and analytics, and software baseline monitoring.
  • 86 percent of respondents said the most common trigger for launching a hunt is an anomaly or anything that deviates from normal network behavior.
  • Only 23 percent of businesses have hunting processes that are invisible to attackers, meaning the majority of organizations are at risk of exposing internal hunting TTPs in a way that benefits the attacker.

The survey report can be found at and was comprised of nearly 500 top security and business executives from industries including technology and IT, financial services, government, and education.