A report by the Ponemon Institute, commissioned by Team Cymru, found that half of the organizations surveyed had experienced disruptive cyber attacks from repeat sophisticated threat actors, and that most of those compromises were never fully remediated.
Although organizations acknowledged disruptive attacks, including from repeat offenders, they were unable to remediate them fully. According to the report, this left personal data and organizational infrastructure exposed to further attacks.
While threat hunting offers strategic benefits, the report found that most organizations failed to use their threat hunting teams effectively.
Organizations did not gain a defensive advantage in subsequent cyber-attacks
Half of the respondents said their organizations had experienced a cyber attack in the past two years. However, those organizations were no better prepared for subsequent attacks by the same threat actors.
More than half of the organizations in North America (NA) experienced recurring attacks from a previous threat actor compared to 49% in Latin America (LATAM), 51% in the United Kingdom (UK), and 46% in Europe.
Half of the respondents attributed the repeat attack to an inability to defend against the same threat actor. An even higher share (61%) said they had not remediated a previous compromise by that threat actor, leaving their organizations exposed to subsequent attacks.
When asked why their organizations could not prevent subsequent attacks, most respondents said that threat intelligence could not keep up with threat actors’ evolving tactics (NA 61%, LATAM and UK 64%, Europe 55%).
Similarly, roughly half (NA 51%, LATAM 56%, UK 53%, Europe 45%) said that cyber threat intelligence was too outdated to be actionable.
Respondents named cloud vulnerabilities (65%), denial of service attacks (60%), phishing/social engineering (52%), malicious insiders (45%), DNS-based attacks (44%), and remote worker endpoint security (40%) as their organizations’ top challenges.
Threat hunting teams are underfunded, unequipped, and underutilized
Most respondents said their organizations did not allocate enough resources to their analyst teams. The average IT operations budget was $117 million, of which only 19% went to IT security; of that security budget, only 22% went to analyst activities and threat intelligence. At the average organization, that works out to roughly $22 million for security and under $5 million for analysts and threat intelligence.
Additionally, the respondents said that their organizations’ security teams lacked proper tools and depended on stale data.
According to the State of Threat Hunting report, just over a third of organizations fully utilized their analyst teams, indicating a general lack of maturity in the area.
The report authors concluded that although organizations rate their capabilities highly, the challenges they face in threat prevention, detection, and response indicate that they do not understand the strategic value of threat hunting.
Most organizations do not look beyond their network perimeter during threat hunting
The report also found that most organizations did not look beyond their perimeter to identify potential attacks. Only 24% of organizations considered that threat hunting involves looking outside the network perimeter for lurking threats.
Nearly half (47%) of the respondents said their primary reason for threat hunting was to look inside the enterprise for indicators of compromise, while 28% said it was to reduce dwell time and disrupt attacks in advance.
Threat hunting is difficult within organizations’ own networks but rated effective on third-party networks
There were mixed results on the effectiveness of each organization’s security operations center (SOC) in identifying attackers operating from within and on third-party networks. However, most respondents said that gaining an attacker’s perspective on their organization was extremely difficult.
Half of the respondents rated their teams as very effective in identifying sophisticated threats operating in their environments.
Respondents were also confident in their ability to find vulnerabilities and threats on third-party networks: 59% said they could uncover vulnerabilities and potential compromises within third-party vendors’ networks.
Similarly, 51% believed in their ability to prioritize responses to incidents based on the impact on critical assets and operations, while a similar number cited the ability to identify abnormal communications between their information assets and unknown outside IP addresses.
Another 48% believed in their ability to detect rogue system connections that violate network segregation policies.
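Two of the capabilities respondents rate themselves on, flagging communications with unknown outside IP addresses and detecting connections that violate a network segregation policy, can be expressed as a hunt over flow records. The following is an added Python example, not code from the report, Ponemon, or Team Cymru; the segment map, segregation policy, external allowlist, and flow records are all constructed for illustration (the external addresses use RFC 5737 documentation ranges).

```python
"""Hunt over constructed flow records for two findings: internal hosts talking
to unknown outside IPs, and connections crossing segments the segregation policy
forbids. Every network, host and flow here is constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed segment map (assumption: CIDRs and names are illustrative).
# Any address not in this map is treated as outside the organization.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "ot":           ipaddress.ip_network("10.30.0.0/16"),
    "dmz":          ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed segregation policy: (source segment, destination segment) pairs
# that are permitted. Anything else between two internal segments is a violation.
ALLOWED_PATHS = {
    ("workstations", "servers"),
    ("servers", "servers"),
    ("servers", "dmz"),
    ("dmz", "servers"),
    ("ot", "ot"),
}

# Constructed allowlist of known external destinations (vendor ranges, SaaS).
KNOWN_EXTERNAL = {
    ipaddress.ip_network("203.0.113.0/24"),    # stands in for a vendor range
    ipaddress.ip_network("198.51.100.10/32"),  # stands in for a SaaS endpoint
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def segment_of(ip: str):
    """Name of the internal segment containing ip, or None if it is outside."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_known_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EXTERNAL)


def hunt(flows):
    """Return (finding_type, flow) tuples for outbound-to-unknown and
    segmentation-violating flows. Inbound flows are out of scope here."""
    findings = []
    for f in flows:
        s_seg, d_seg = segment_of(f.src), segment_of(f.dst)
        if s_seg is None:
            continue  # source is outside: not an internal asset reaching out
        if d_seg is None:
            if not is_known_external(f.dst):
                findings.append(("unknown_external", f))
        elif (s_seg, d_seg) not in ALLOWED_PATHS:
            findings.append(("segmentation_violation", f))
    return findings


# Constructed sample flows: one allowed, one segmentation violation,
# one allowlisted external, one unknown external, one inbound (ignored).
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.1.4", 443, 1200),
    Flow("10.10.5.23", "10.30.0.9", 502, 300),        # workstation -> OT (Modbus)
    Flow("10.20.1.4", "203.0.113.50", 443, 5000),
    Flow("10.10.7.1", "198.51.100.77", 4444, 90000),  # unknown outside IP
    Flow("203.0.113.5", "192.168.100.10", 443, 100),
]

if __name__ == "__main__":
    for kind, flow in hunt(SAMPLE_FLOWS):
        print(f"{kind}: {flow.src} -> {flow.dst}:{flow.dport} ({flow.bytes_out} bytes)")
```

In practice the segment map and allowlist would come from the CMDB and firewall policy rather than literals, and the flows from NetFlow or Zeek `conn.log`; the point is that both checks depend on an accurate inventory of what is internal and what outside contacts are expected, which is exactly the stale-data problem the report describes.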
The researchers recommended that threat hunters reduce their reliance on traditional threat intelligence and automated tools and shift toward analyst-driven threat hunting with uncurated access to internet infrastructure analysis and data.
Low-value threat alerts and inadequate staffing hinder incident response
More than two-thirds (69%) of the respondents said they were challenged by systems generating too many low-value alerts.
Similarly, most (60%) said their organizations lacked the in-house expertise to make use of the technology and intelligence available, while 56% said they were understaffed for the workload.
Others mentioned the lack of staff or skills to deliver long-lasting solutions (53%) or business context data to correlate (42%), and the inability to prioritize alerts based on business impact (38%) or understand the evolution of advanced threats (36%).