This is SANS' fifth year of conducting the Threat Hunting Survey, which examines how the cybersecurity industry is currently supporting threat hunting and how organizations are conducting threat hunting in practice. Our goal is to better understand where the threat hunting field stands today and to provide guidance on where the industry should focus as it continues to shift the advantage toward defenders. Based on the results of the 2020 survey, this paper aims to provide an informed view of what the data tells us and where we need to focus our future threat hunting efforts.
For this year's survey, we changed some of our previous survey questions to better understand the makeup of threat hunting teams and how they perform their work, whether in terms of tooling, staffing, or capabilities. We wanted to take a deeper dive into how threat hunters fulfill their missions, which tools they select, and why they use certain tools or procedures. Our hope is to continue this trend in future years so we can see how threat hunters' views change over time, along with the technology they use and the education they receive. Our findings include not only the raw results and trends but also recommendations on how to further push the boundaries of threat hunting and better defend your networks against threat actors.
This survey also includes information on:
- The risks behind threat hunting as a form of compliance
- The formalization of threat hunting processes and procedures
- Primary tasks of an organization’s threat hunting team members
- The use of automated tools in threat hunting and threat intelligence
- Threat hunting for vulnerabilities