The State of Threat Hunting

As you undoubtedly know, Security Operations Centers (SOCs) are increasingly turning to threat hunting to help security teams cope with today’s daunting threat landscape. Deployed proactively, threat hunting can identify risks that might go undetected by traditional security tools, while helping improve defenses against sophisticated new attacks.

In 2022, DomainTools, in partnership with Cybersecurity Insiders, conducted the fifth annual threat hunting survey to gain deeper insights into the maturity and evolution of this security practice. Incorporating the feedback of more than 300 cybersecurity professionals, the report reveals the role and benefits of threat hunting as an integral part of today’s SOC. We outline some of the key findings below.

Rising Threat Severity

To start, it’s worth gaining a better understanding of the respondents’ views on the current threat landscape. When asked to describe the change in severity – the potential damage and impact – of security threats faced by their organization in the past year, 56% of respondents affirmed an increase in threat levels by at least a factor of two. Indeed, one in every ten respondents believed the severity of threats had even hiked by a factor of three.

What’s more, Russia’s invasion of Ukraine has only intensified this hostile cyber environment. Forty-eight percent of respondents responsible for defending critical infrastructure have seen a rise in threat activity since the invasion of Ukraine. As a result, 37% of organizations have had to shift their focus to manage the new risks this situation presents, and a further 25% have had to actively increase their hunting resources in response.

Know Your Adversaries

Fortunately, as many of our survey respondents shared, threat hunting has proven to be a critical asset in an organization’s cyber arsenal. It provides invaluable insights into adversary infrastructure and the visibility that allows SOC teams to act against threats with greater precision. 

More than 60% of organizations said that threat hunting helped them identify actionable indicators of compromise for immediate response or blocking. This was closely followed by 59% of respondents who said that threat hunting helped generate rule sets or other automation to alert on similar, future threat activity. Moreover, half (51%) of respondents used threat hunting to understand adversary tendencies and trends, knowledge which is critical in the identification of future malicious infrastructure or adversary intent.

Tools of the Trade

To home in further, we asked respondents about the kinds of indicators most frequently investigated by their organization’s threat hunting team during daily missions. The most common were behavioral anomalies (such as unauthorized access attempts) at 76%, followed by suspicious IP addresses (65%), denied or flagged connections (55%), domain names (49%) and file names (34%). 

Don’t Leave Threats Lurking

Surprisingly, while almost two thirds (64%) of organizations surveyed take a proactive threat hunting stance, more than a third of organizations (36%) still respond to threats only after they’ve been detected. This reactive approach contributes to a hefty 37% of security threats being missed each week. 

Over the years as threat hunting has become more common, DomainTools Iris and Farsight DNSDB have helped hunters explore adversary infrastructure. This externally-focused form of hunting can help shed light on potentially risky traffic flows from the protected environment to dangerous assets on the Internet. In so-called “retro-hunting” as part of an incident response, the connected domain information surfaced in DomainTools products can help defenders determine whether there was previously-unnoticed traffic to dangerous domains that were not known at the time to be dangerous. For forward-looking hunting, enumerating the full extent of an adversary’s holdings offers the opportunity to build blocking or alerting rules for any DNS lookups or traffic flows from protected assets to adversary infrastructure.

We hope security teams will be inspired by the results others have experienced from proactive threat hunting. Bad actors from crime syndicates looking for financial gain to those working for state-sponsored groups seeking to halt the supply chain are finding even more creative ways to break into networks, lurking for weeks, or even months, before discovery. Effective threat hunting can go a long way to thwarting their efforts and reducing the damage done from attackers. For more information, or to schedule a demo, click here.  To view the full results of the survey, see here.