Half of cyberattacks are from repeat offenders
What's more, 61 percent of the victims of these attacks say they were unable to remediate these compromises, leaving critical systems and data at risk.
The survey queried almost 1,800 cyber security leaders and practitioners, and only 35 percent of respondents say they are using their security analysts effectively, indicating a lack of maturity with regards to threat hunting.
Threat hunting, particularly external threat hunting, has empowered more sophisticated security organizations to identify and block impending attacks, augment threat detection, and achieve comprehensive remediation. Yet the majority of respondents say that their organizations are not allocating enough resources to realize the full potential of their analyst teams and threat hunting. The results indicate that the respondents' organizations have an average 2021 IT operations budget of $117 million. An average of 19 percent of this is allocated to IT security, and of that only an average of 22 percent is allocated to analyst activities and threat intelligence.
"IT and Cyber Security leadership often rely heavily on machine learning and automation as a way to achieve efficiency, viewing threat hunting as a tactical, reactionary function," says David Monnier, Team Cymru fellow. "However, from our experience, organizations that manage to get ahead of threats, both internally and throughout their third-party ecosystems, have dedicated a meaningful proportion of the budget to making external threat hunting a strategic priority."
The results also show differing views on the nature of threat hunting. Only 24 percent define threat hunting as looking outside their enterprise borders to monitor adversaries and identify impending attacks. Most view threat hunting as a reactive method of internal threat detection, looking for malicious activity that has already taken hold. However, 62 percent of organizations are increasing investment in analysts and threat intelligence.
The top three intelligence data types respondents say they have are dark web data (47 percent), domain registration data (42 percent) and endpoint telemetry (42 percent). But 61 percent acknowledge that threat intelligence can't keep up with changes in how threat actors attack their organizations. Additionally, despite the knowledge that traditional threat intelligence sources provide stale information, only 31 percent of respondents say that raw internet traffic telemetry is important in their ability to plan preventive measures, detect threats and resolve security incidents.
"If this statistic is an accurate representation, it is disappointing," says Monnier. "As organizations build out their analyst teams and intelligence capabilities, they will see a far greater return on investment if they give that group the visibility it needs to trace, map and monitor adversary infrastructure and its interactions with enterprise or third-party assets."
The full report is available from the Team Cymru website.