2021 Threat Hunting Report
INTRODUCTION
Threat hunting continues to evolve for organizations that focus on proactively detecting and
isolating Advanced Persistent Threats (APTs) that might otherwise go undetected by traditional,
reactive security technologies.
While many SOCs are struggling to cope with the current security threat workload, more
organizations are adopting threat hunting as part of their security operations. They are discovering
that proactive threat hunting can reduce the risk and impact of threats while improving defenses
against new attacks.
In 2021, Cybersecurity Insiders conducted the fourth annual threat hunting research project to
gain deeper insights into the maturity and evolution of the security practice.
• The survey reveals that cybersecurity professionals see timely detection of advanced threats
(55%) and a lack of expert security staff to mitigate such threats (52%) as the top challenges
facing their SOC. These are followed by a lack of confidence in automation tools catching all
threats (37%) and too much time wasted on false-positive alerts.
• Organizations highlight a broad range of goals for their threat hunting program. However,
reducing exposure to internal threats was named by more than half of the organizations
surveyed (51%). This is followed by reducing the number of breaches and infections (45%)
and reducing the attack surface (43%).
• Although threat hunting is still an emerging discipline, it is not surprising that most
organizations agree that threat hunting should be a top security initiative (88%).
• Threat hunting platforms provide security analysts with powerful tools to enable earlier
detection, reduce dwell time, and improve defenses against future attacks. This year, more
organizations (68% in 2021 versus 63% in 2020) highlight improving detection of advanced
threats as the main benefit of using a threat hunting platform for security analysts.
2021 THREAT HUNTING REPORT All Rights Reserved. ©2021 Cybersecurity Insiders 2
THREAT HUNTING GOALS
Organizations highlight a broad range of goals for their threat hunting program. However, reducing
exposure to internal threats was named by more than half of the organizations (51%). This is followed
by reducing the number of breaches and infections (45%) and reducing the attack surface (43%).
What are the primary goals of your organization’s threat hunting program?
Reduce exposure to internal threats 51% | Reduce number of breaches and infections 45% | Reduce attack surface 43%
KEY SECURITY CHALLENGES
The survey reveals that cybersecurity professionals prioritize timely detection of advanced threats
(55%) and lack of expert security staff to mitigate such threats (52%) as the top challenges facing
their SOC. This is followed by lack of confidence in automation tools catching all threats (37%) and
too much time wasted on false positive alerts (36%).
Which of the following do you consider to be top challenges facing your SOC?
Detection of advanced threats (hidden, unknown, and emerging) 55% | The lack of expert security staff to assist with threat mitigation 52% |
Lack of confidence in automation tools catching all threats 37% | Too much time wasted on false positive alerts 36% |
Working with outdated SIEM tools and SOC infrastructure 19% | Other 9%
BENEFITS OF THREAT HUNTING
Threat hunting platforms provide security analysts with powerful tools to enable earlier detection,
reduce dwell time, and improve defenses against future attacks. This year, five percentage points more
organizations (68% in 2021 versus 63% in 2020) highlight improving detection of advanced threats
as the main benefit of using a threat hunting platform for their security analysts.
What are the main benefits of using a threat hunting platform for security analysts?
Improving detection of advanced threats 68% | Reducing investigation time 55% | Saving time manually correlating events 55% |
Connecting disparate sources of information 39% | Reducing extra and unnecessary noise in the system 38% |
Saving time scripting and running queries 35% | Other 3%
THREAT HUNTING PRIORITY
Although threat hunting is still an emerging discipline, it is not surprising that most organizations
agree either strongly (48%) or somewhat (40%) that threat hunting should be a top security initiative.
What is your level of agreement with the following statement? “Threat hunting should be a top security
initiative.”
Strongly agree 48% | Somewhat agree 40% | Neither agree nor disagree 8% | Somewhat disagree 3% | Strongly disagree 1%
88% agree that threat hunting should be a top security initiative.
THREAT MANAGEMENT MATURITY
Security Operations Centers (SOCs) continually face rapidly evolving threats against which they must
secure and defend their environments. From a maturity perspective, only 12% of organizations claim to have
a mature, cutting-edge SOC for addressing emerging threats.
Which of the following best reflects the maturity of your SOC in addressing emerging threats?
We are cutting-edge, ahead of the curve 12% | We are advanced, but not cutting-edge 30% |
We are compliant, but behind the curve 26% | Our capabilities are limited at this time 32%
THREAT HUNTER SKILLS
Based on feedback from organizations, data analysis and reasoning skills are in high demand for
protection against security threats. For example, pattern recognition (76%), data analytics (70%), and
deductive reasoning (67%) are the most important attributes that organizations look for when hiring
threat hunters.
Pattern recognition 76% | Data analytics 70% | Deductive reasoning 67% | Other 3%
THREAT HUNTING BUDGET
Year after year, there is not much change in how organizations are allocating their threat hunting
budget. Last year, 37% of organizations were likely to increase their budgets; this year 36% will
grow their threat hunting spend. Similarly, last year 50% kept budgets flat; this year 53%
will hold threat hunting budgets steady.
How is your organization’s threat hunting budget going to change in the next 12 months?
Budget will likely stay flat 53% | Budget will likely increase 36% | Budget will likely decline 11%
INVESTMENTS FOR BETTER THREAT HUNTING
Organizations claim that investing in more training (45%), better endpoint detection and response
(43%), better network detection and response (43%), and better SIEM (40%) would have the
biggest impact on their threat hunting abilities.
What investments would make the biggest difference in your threat hunting abilities?
More training 45% | Better endpoint detection and response 43% | Better network detection and response 43% | Better SIEM 40%
FREQUENCY OF CYBER THREATS
While there has not been much change year after year in the number of organizations that are
seeing a decrease in the frequency of security threats, five percent more organizations this year
have found a way to stabilize the frequency of threats facing their organization.
Which of the following best describes the frequency of security threats faced by your
organization compared to the previous year?
Don’t know 9%
MOST COMMON ATTACKS
The three most common attacks that organizations proactively discover include malware (76%),
phishing (71%), and network intrusions (46%).
What are the most common attacks proactively discovered through threat hunting?
Malware 76% | Phishing 71% | Network intrusion 46% | Other 2%
INSIGHTS INTO ADVERSARIES
Sixty-eight percent of all organizations at least occasionally develop insights into adversary
infrastructure as part of their threat hunting activities. When they glean insights from threat hunting,
organizations discover actionable IoCs for immediate response/blocking and gain a better understanding of
adversary tendencies and trends, which assists in identifying infrastructure or adversary intent.
How often do you develop insights into adversary infrastructure (domains and IP addresses) as part of
your hunt activities?
68% of all organizations at least occasionally develop insights into adversary infrastructures as part of their threat hunting activities.
Almost every time 26% | Frequently 21% | Occasionally 21% | Almost never 20% | Don’t know 12%
What are the most useful insights into adversary infrastructure that threat hunting produces?
DATA COLLECTION SOURCES
Organizations collect a host of data to analyze security risks. This year, endpoint activities (72%) and
system logs (71%) take the top two spots for what organizations assess. Firewall traffic is third (69%),
down two places from last year.
Endpoint activities 72% | System logs 71% | Firewall traffic 69% |
Active directory 53% | DNS traffic 52% | Server traffic 47% | Web proxy logs 45% | User behavior 39% |
File monitoring data 36% | Packet sniff/tcpdump 33% | Don’t know/other 12%
MOST VALUABLE DATA SOURCES
The top three valuable data sources for investigating known threats include activity logs (31%),
threat intelligence feeds (24%), and network data (21%), followed by endpoint data (18%).
What is the most valuable data source for your organization when threat hunting or investigating
known threats?
Activity logs 31% | Threat intelligence feeds 24% | Network data 21% | Endpoint data 18% | Other 6%
POPULAR RECONNAISSANCE ACTIVITIES
Port scanning is the most used activity for reconnaissance, with 73% of organizations including
this technique in their threat hunting efforts.
Which of the following reconnaissance activities do you look for as part of your threat hunting
activities?
Port scanning 73%
ACTIVE DIRECTORY BEHAVIORS
There are three Active Directory events organizations look for as part of their threat hunting
activities: attempts to reset admin and sensitive account passwords (67%), logon failures (61%), and
domain policy changes (48%).
Which of the following Active Directory events do you look for as part of your threat hunting activities?
Attempt to reset admin and sensitive account passwords 67% | Logon failure 61% | Domain policy was changed 48% |
User requests a Kerberos service ticket 24% | Custom special group logon tracking 24% | None 10% | Other 4%
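The hunt signals listed above map directly onto standard Windows Security audit events. The script below, an added example that is not part of the report, runs those hunts over a handful of constructed audit records: it flags password reset attempts (event 4724) against accounts the organization treats as sensitive, bursts of logon failures (event 4625) from one source, and domain policy changes (event 4739), and it tallies Kerberos service ticket requests (event 4769) per requesting user. The event IDs are the real Windows Security IDs; the `key=value` record format, the sensitive-account list, the burst threshold and window, and the sample records are assumptions made for the example.

```python
"""Hunt constructed Windows Security audit records for the Active Directory
signals the survey names. Added example; not code from the report."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Standard Windows Security audit event IDs.
EVENT_PASSWORD_RESET_ATTEMPT = 4724   # An attempt was made to reset an account's password
EVENT_LOGON_FAILURE = 4625            # An account failed to log on
EVENT_DOMAIN_POLICY_CHANGED = 4739    # Domain Policy was changed
EVENT_KERBEROS_SERVICE_TICKET = 4769  # A Kerberos service ticket was requested

# Assumption: accounts this organization treats as admin/sensitive.
SENSITIVE_ACCOUNTS = {"administrator", "krbtgt", "svc_backup"}

# Assumption: this many failures from one source inside the window is a finding.
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)


@dataclass
class Finding:
    kind: str
    detail: str


def parse_event(line):
    """Parse one constructed 'Key=Value Key=Value' audit record into a dict."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["EventID"] = int(fields["EventID"])
    fields["Time"] = datetime.fromisoformat(fields["Time"])
    return fields


def hunt(lines):
    """Return (findings, kerberos_ticket_counts) for the given audit records."""
    events = [parse_event(l) for l in lines if l.strip()]
    findings = []
    failures = defaultdict(list)   # source address -> logon-failure timestamps
    ticket_counts = Counter()      # subject -> number of 4769 requests

    for ev in events:
        eid = ev["EventID"]
        if eid == EVENT_PASSWORD_RESET_ATTEMPT and ev["Target"].lower() in SENSITIVE_ACCOUNTS:
            findings.append(Finding("sensitive_password_reset",
                                    f"{ev['Subject']} attempted to reset {ev['Target']}"))
        elif eid == EVENT_LOGON_FAILURE:
            failures[ev["Source"]].append(ev["Time"])
        elif eid == EVENT_DOMAIN_POLICY_CHANGED:
            findings.append(Finding("domain_policy_changed", f"changed by {ev['Subject']}"))
        elif eid == EVENT_KERBEROS_SERVICE_TICKET:
            ticket_counts[ev["Subject"]] += 1

    # Sliding window over each source's failures: report the first burst only.
    for source, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILURE_WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                findings.append(Finding("logon_failure_burst",
                                        f"{end - start + 1} failures from {source} "
                                        f"within {FAILURE_WINDOW}"))
                break
    return findings, ticket_counts


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    "Time=2021-02-10T09:00:00 EventID=4625 Subject=- Target=jdoe Source=10.0.0.5",
    "Time=2021-02-10T09:01:00 EventID=4625 Subject=- Target=jdoe Source=10.0.0.5",
    "Time=2021-02-10T09:02:00 EventID=4625 Subject=- Target=asmith Source=10.0.0.5",
    "Time=2021-02-10T09:03:00 EventID=4625 Subject=- Target=asmith Source=10.0.0.5",
    "Time=2021-02-10T09:04:00 EventID=4625 Subject=- Target=root Source=10.0.0.5",
    "Time=2021-02-10T09:05:00 EventID=4625 Subject=- Target=admin Source=10.0.0.5",
    "Time=2021-02-10T09:00:30 EventID=4625 Subject=- Target=bob Source=10.0.0.9",
    "Time=2021-02-10T11:30:00 EventID=4625 Subject=- Target=bob Source=10.0.0.9",
    "Time=2021-02-10T09:10:00 EventID=4724 Subject=helpdesk Target=bob Source=-",
    "Time=2021-02-10T09:12:00 EventID=4724 Subject=jdoe Target=Administrator Source=-",
    "Time=2021-02-10T09:15:00 EventID=4739 Subject=jdoe Target=- Source=-",
    "Time=2021-02-10T09:16:00 EventID=4769 Subject=jdoe Target=cifs/fs01 Source=-",
    "Time=2021-02-10T09:17:00 EventID=4769 Subject=jdoe Target=http/web01 Source=-",
]


def run_sample():
    """Run the hunt over the constructed records."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    found, tickets = run_sample()
    for f in found:
        print(f"[{f.kind}] {f.detail}")
    print("Kerberos service ticket requests per user:", dict(tickets))
```

On the sample data the hunt yields three findings (a reset attempt against Administrator, the domain policy change, and the six-failure burst from 10.0.0.5); the two failures from 10.0.0.9 are hours apart and do not cross the threshold, and the helpdesk reset of a non-sensitive account is left alone. In production the same logic would read the records from a SIEM or EDR export rather than a constructed list.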
THREAT HUNTING TECHNOLOGIES
There is a diverse portfolio of technologies for threat hunting. While last year endpoint detection
and response and SIEM were equally cited (55%) as the top technologies, this year endpoint
detection and response is the clear leader, with 63% of organizations integrating these tools into
their threat hunting efforts.
Which technologies do you use as part of your organization’s threat hunting approach?
Endpoint detection and response 63% | Enrichment and investigation tools 29% | Security Orchestration, Automation and Response (SOAR) 19% |
Not sure/other 12%
METHODOLOGY & DEMOGRAPHICS
This Threat Hunting Report is based on the results of a comprehensive online survey of cybersecurity
professionals, conducted in February 2021, to gain deep insight into the latest trends, key challenges,
and solutions for threat hunting management. The respondents range from technical executives to
managers and IT security practitioners, representing a balanced cross-section of organizations of varying
sizes across multiple industries.
PRIMARY ROLE
IT Manager, Director or CIO | CSO, CISO or VP of Security | Security Analyst | Security Manager or Director | Systems Administrator |
Security Administrator | Threat Analyst | Auditor | Other
CAREER LEVEL
DEPARTMENT
IT Security | IT Operations | Security Operations Center (SOC) | Engineering | Sales/Marketing | Product Management | Other
COMPANY SIZE
INDUSTRY
Technology | Financial Services, Banking or Insurance | Government | Healthcare | Manufacturing | Telecommunications or ISP |
Retail or Ecommerce | Energy or Utilities | Other
DomainTools helps security analysts turn threat data into threat
domains and IPs, and connect them with nearly every active domain