Threat hunting is still at an early stage, but AI can help

The need for reliable intelligence is pressing in threat hunting and emerging AI technologies can fulfill that to a good extent, according to a Censys study.

The study surveyed US- and Europe-based organizations across industries and noted that current threat-hunting practices are “as much an art as science” and would benefit from a discipline of common, proven, and accepted assessment standards supported by reliable intelligence.

“One throughline that emerges is the need for reliable threat intelligence and its impact on threat hunters’ ability to do their jobs well,” said the Censys report on the study. “Threat intelligence, or lack thereof, is a commonality across the top challenges respondents identified. Access to threat intelligence also affects nearly every aspect of how respondents say they do their jobs.”

False positives present a formidable day-to-day challenge for threat hunting, the report remarks, and experts expect them to ease to some extent if the application of AI goes mainstream.

AI can address the tool gap

Besides the potential to help standardize threat-hunting practices, AI is delivering a considerable advantage to organizations with automation, accuracy, and innovation.

Half of threat hunters in the US have shifted to using attack surface management (ASM), managed detection and response (MDR), and exposure management (EM) tools powered by automation, compared with a considerably smaller share in Europe. This reflects the US regarding cybersecurity as a matter of national security, while Europe sees it as a means to “protect privacy and ward off economic danger”, according to the report.

“AI should help threat hunters make enormous strides in identifying and mitigating threats underway,” said Dave Gruber, principal analyst at Enterprise Strategy Group. “As Microsoft formally GAs Copilot, integrated with Chronicle and Defender XDR, hunters will be able to validate and investigate the hypothesis, with more context and broader scope more rapidly.”

Forty-nine percent of US threat hunters are using ASM/EM technologies, with a third (33%) using MDR solutions. The corresponding shares for Europe were 20.7% and 22.7%, respectively.

“While a large percentage of security professionals aspire to be threat hunters, it takes a very special skill set to be an effective threat hunter,” Gruber added. “The application of GenAI technologies will ease this and should enable a higher percentage of security pros to participate in meaningful threat hunting activities for their organizations.”

Sixty-five percent of US-based respondents said reliable historical data (intelligence) is extremely important for threat hunting. This was at 55.5% for European respondents.

Challenges include disparate tools, high false positives

A considerable number of European respondents said they struggle with false positives (40%), feel the need to use multiple tools (40%), and experience difficulty in handling the tools (40%) while threat hunting with free/open-source tools.

For the US, these numbers stood at 71% for needing multiple tools and 29% for experiencing false positives, making false positives and the lack of comprehensive tooling major challenges in threat hunting.

“As we strive to detect more, looking for fragments of potentially suspicious activities, we increase the level of noise in the process, often resulting in more false positives,” Gruber said. “Many detection and response solutions have made great strides in reducing this noise, in many cases leveraging automation and AI techniques to filter out false positives. Despite these improvements, false positives will continue at some level, as we strive to reduce the percentage.”

While AI can greatly reduce the number of false positives, it is unlikely to bring them to zero, as they are a natural by-product of hypothesis-driven hunting, Gruber added.

Another problem noted in the study is the lack of communication between the threat-hunting team and the business stakeholders. Thirty-seven percent of all the respondents said they are “somewhat confident” in communicating threat findings to senior business leadership. “The skill sets required by serious threat hunters are very technical, which don’t always align to the same people that are communications experts,” Gruber explained. “Translating risk and potentially damaging attacks requires a deep understanding of both technical operations and the business operations that it supports. Threat hunters aren’t always equipped with this level of knowledge, requiring intervention by others to assist in communication activities.”
