More organizations are now performing continuous threat hunting operations, according to the 2018 SANS Threat Hunting report.

In 2017, only 35 percent of organizations reported doing so, which shows that many organizations are now adopting methodologies that are key to reducing adversaries’ overall dwell time.

According to the report,

  • Almost 58 percent of the intelligence is created internally based on previous attacks, and 70 percent originates from third-party sources. Most organizations use traditional alerts and alarms to identify threats.
  • Among survey respondents, 41 percent said technology was most important when threat hunting, compared with 30 percent who said staff was most important.
  • 73 percent selected threat analysis as a key skill needed, second only to log analysis and analysis skills at 83 percent.
  • The most significant area of improvement was time to containment (88 percent). Significant improvement was also made in attack surface hardening (48 percent) and decreasing adversary dwell time (40 percent). When combining “significant improvement” and “some improvement,” 74 percent of the respondents noted improved efforts in their threat hunting.

Critical Digital Forensic and Incident Response (DFIR) Skills for Threat Hunting, 2017 vs. 2018 Surveys

  DFIR Skill           2017    2018
  Incident Response    66.2%   70.9%
  Endpoint Forensics   19.8%   53.6%
  Network Forensics    57.5%   57.8%
  Malware Analytics    49.3%   48.9%
  Memory Forensics     28.4%   32.8%