July 29, 2024, by Michael-Angelo Zummo

Discover why threat hunting is now the top CTI use case in the SANS CTI Survey 2024.

As we wrote about recently, the SANS Institute has released its annual cyber threat intelligence (CTI) research report, SANS CTI Survey 2024: Managing the Evolving Threat Landscape. One of the report’s key findings is significant and underscores the value of threat intelligence: for the first time in the survey’s history, threat hunting is the top use case for CTI. Roughly 75% of respondents said CTI data is used for this purpose. The next two use cases are incident response (73.5%) and vulnerability management (66.3%).

[Figure: SANS Figure 8, CTI Utilization]

As stated in the SANS report, “Threat hunting is a proactive approach for detecting threats that are either unidentified or not yet remediated within an organization’s network… Respondents report they ‘leverage threat intel to scope and target threat hunts against the organization’ and ‘create threat hunt packs for particular malware or APTs.’”

I learned a long time ago that threat hunting is a constant game of cat and mouse. It’s about finding the threat actors before they find you. I personally am thrilled to see that CTI is widely embraced for the value it brings to threat hunting, an activity that I spend a fair amount of time doing. I also have developed training and other materials to help others hone this critical skill. (See my eBook Threat Hunting for Effective Risk Management for a step-by-step guide on how to threat hunt and a threat hunting tools list.)

Why is CTI so important to effective threat hunting?

In our report, CTI: A Formidable Weapon in Cyberwarfare, we discuss the many use cases for real-time, contextual CTI, including threat hunting. As described in the report, the deep-dive investigative capabilities afforded by comprehensive CTI empower threat-hunting teams to find the highest-priority threats to remediate.

A real-time CTI solution can compile, manage, and monitor the organization’s complete asset inventory across any external source, including the deep and dark web, messaging platforms, and more, through automated capabilities. We call this “threat monitoring,” referring to its continuous nature, rather than “threat hunting,” which is manual. This process identifies potential risks and exposures and helps security teams understand threat actors’ potential attack vectors and TTPs so they can proactively expose and prevent emerging cyber-attacks before they are weaponized. For example, CTI can identify malicious links published in external sources, extract the URLs, and block them on the corporate firewall, triggering playbooks on the organization’s SIEM, SOAR, EPP, or VM platforms before others have a chance to download or click on them.

Threat-hunting activities often span multiple tools and data sets. An effective CTI solution should allow security engineers to integrate and easily cross-reference data between their tools to save time and resources. For example, a security engineer should be able to review logs within their SIEM for suspicious activity or indicators and immediately enrich those indicators with CTI to know whether or not a threat exists.
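The enrichment loop described above (pull indicators out of SIEM logs, look them up against CTI, and hand high-confidence matches to a blocking playbook), as an added illustration that is not part of the original post or of any Cybersixgill product. The CTI feed, the log lines, and the confidence threshold are all constructed for the example; a real deployment would query a live feed instead of the inline dictionary.

```python
import re
from urllib.parse import urlsplit

# Constructed CTI feed for this example (not a real feed): indicator -> context.
CTI_FEED = {
    "phish-login.example": {"type": "domain", "confidence": 90, "context": "credential phishing kit"},
    "203.0.113.77": {"type": "ip", "confidence": 70, "context": "suspected C2 (documentation address)"},
    "cdn.malware-drop.example": {"type": "domain", "confidence": 95, "context": "malware staging"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_indicators(line):
    """Pull hostnames from URLs and bare IPv4 addresses out of one log line."""
    found = set(IP_RE.findall(line))
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname  # lowercased; port and userinfo stripped
        if host:
            found.add(host)
    return found

def enrich(indicator):
    """Look up the indicator, then each parent domain (so a.b.bad.example hits bad.example)."""
    labels = indicator.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        ctx = CTI_FEED.get(candidate)
        if ctx and (i == 0 or ctx["type"] == "domain"):
            return ctx, candidate
    return None, None

def triage(log_lines, min_confidence=80):
    """Enrich every indicator in the logs; return (hits, blocklist)."""
    hits, blocklist = [], set()
    for line in log_lines:
        for ind in sorted(extract_indicators(line)):
            ctx, matched = enrich(ind)
            if ctx is None:
                continue  # no intelligence on this indicator
            hits.append({"line": line, "indicator": ind, "matched": matched, **ctx})
            if ctx["confidence"] >= min_confidence:
                blocklist.add(matched)  # candidate for a firewall/SOAR block playbook
    return hits, sorted(blocklist)

SAMPLE_LOGS = [  # constructed proxy and firewall log lines, not real telemetry
    "2024-07-29T10:01:02Z proxy user=alice GET https://www.phish-login.example/login?next=x",
    "2024-07-29T10:02:15Z proxy user=bob GET https://docs.python.org/3/",
    "2024-07-29T10:03:40Z fw dst=203.0.113.77 dport=443 action=allow",
    "2024-07-29T10:04:01Z proxy user=carol GET https://cdn.malware-drop.example:8443/a.bin",
]
```

Lower-confidence matches (the firewall line above) surface as hunt leads without being auto-blocked, which is the distinction between enrichment for an analyst and an automated response action.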

Threat hunting, or monitoring, is also essential to protect credentials, methods of payment, and sensitive data. Continuous, real-time monitoring of the company’s critical assets, brand, and employee and customer data across the surface web and cybercriminal underground is foundational. This continuous monitoring ensures that security teams receive early warnings of active threats relevant to the organization as they surface so they can take proactive defensive measures to protect the organization, its assets, and customers.

As shown in the SANS CTI survey results, incident (detection and) response and vulnerability management also rank in the top three CTI use cases. The value of the insights gained from comprehensive, contextual CTI in supporting these efforts cannot be overstated. The autonomous, continuous collection of CTI across the deep, dark, and clear web, together with monitoring of an organization’s attack surface, means security teams can be alerted to potential threats and incidents and respond with preemptive action before threats materialize into an attack.

Additionally, comprehensive, real-time contextual threat intelligence with attack surface scanning can inform a security team of what vulnerabilities the organization has. But more than that, it also indicates the specific vulnerabilities that threat actors are currently exploiting, highlighting those that put the organization at risk – which is critical for prioritizing remediation efforts.

To understand the significant role of CTI in threat hunting, incident response, vulnerability prioritization and management, and more, download our eBooks CTI: A Formidable Weapon in Cyberwarfare and Threat Hunting for Effective Risk Management.

Or get in touch with us to discuss how Cybersixgill’s comprehensive solutions can boost your organization’s CTI program.
