SANS 2018 Cyber Threat Hunting Survey
Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries who have entered the defender’s networks. Results from the SANS 2018 Threat Hunting Survey show that, for many organizations, hunting is still new and poorly defined from a process and organizational standpoint. Unfortunately, most organizations are still reacting to alerts and incidents instead of proactively seeking out the threats. Threat hunting itself cannot be fully automated. The act of threat hunting begins where automation ends, although it leverages automation heavily. That said, many organizations are finding success by focusing on core continuous monitoring technologies and relying on more security automation in their environments to make hunting more effective.
The survey of 600 respondents reveals that most organizations that are hunting tend to be larger enterprises or those that have been heavily targeted in the past. The survey uncovers some other interesting data points, including the fact that, of the organizations that achieve measurable improvements in their security, most measure those improvements in speed and accuracy, while an equal share report that hunting reduced their exposure. The survey also shows that threat intelligence and hunting must go hand in hand to work effectively. Responses indicate that intelligence is key to effective threat hunting and that a focus on people and training is paramount for that effectiveness.
This survey also includes information on:
- Critical DFIR skills for threat hunting
- The hunting armory (effective tools and resources)
- How to measure hunt team success