Top three challenges of threat hunting


Nik Earnest

August 06, 2024 5 minute read


Our series on threat hunters has covered what they are and what they do. This week’s post highlights two common mistakes threat hunters make and the three biggest challenges they face, according to a recent study by the University of Victoria. The bottom line is that these mistakes and challenges cost time and attention, which increases risk. 

This discussion is part of our ongoing “The Rise of the Threat Hunter” series. To learn more about the series, check out the introduction, or read last week’s entry, “Threat hunters — A day in the life.”

Two common threat hunting mistakes 

You’ve seen the headlines. High-profile data breaches and cyberattacks are everywhere. It’s understandable that threat hunters make two common mistakes: overestimating the severity of an anomaly and falsely identifying activity as suspicious or malicious. 

Overestimating threat severity

When there is any deviation or irregularity in a dataset, threat hunters investigate the anomaly. Not all anomalies are equal, though, and what a threat hunter suspects is a data breach may turn out to be a minor security gap.

Overestimating the severity of a threat can cause unnecessary alarm and divert resources from critical tasks, especially in large organizations. Focusing too much on minor anomalies can lead to alert fatigue, making it harder to identify genuine threats. This desensitization wastes valuable time and resources. Threat hunters may spend hours on non-issues instead of proactive threat hunting and improving security measures. 

False positives

It can also be difficult for threat hunters to tell the difference between bad actors and harmless mistakes. Remember, insider threat doesn’t refer only to malicious users but also to someone who is careless with their credentials.

The challenge of false positives is compounded by the immense volume of data that threat hunters must analyze. False positives not only waste time but can also lead to mistrust in threat detection systems. Repeated false alarms cause hesitancy in decision-making and slower response times. Investigating false positives often requires extensive log analysis and cross-departmental collaboration, straining resources and reducing efficiency. Over time, this can lead to alert fatigue, making it easier to overlook genuine threats. Improving detection accuracy and reducing false positives is crucial for effective threat hunting. 

Understanding these common mistakes is the first step to improving threat hunting practices. However, beyond these pitfalls, threat hunters face broader, systemic challenges that impact their ability to effectively detect and respond to threats. 

Top three challenges 

The common mistakes made by threat hunters, such as overestimating threat severity and dealing with false positives, often stem from deeper issues. Tooling problems, lack of focus time, and organizational roadblocks create an environment where these mistakes are more likely. By addressing these top three challenges, we can enhance the effectiveness of threat hunting and reduce errors. 

Tooling issues 

Threat hunters rely on many different tools. Broadly speaking, these tools can be categorized as technical or non-technical. Technical tools help with the actual threat hunting, while non-technical tools mainly support notetaking, presentations, reporting, etc. 

When asked about the disadvantages of their existing tooling, threat hunters cited a lack of cohesion between tools, poor performance, and ineffective visualizations. These issues can lead to missed threats and wasted time correlating results between disconnected tools. 

Time to focus 

Threat hunters are constantly juggling different kinds of tasks. Context switching between clients, plus bouncing between administrative and hunting tasks, pulls focus.

Speaking of clients, threat hunters typically work with several collaborators, both internally and externally. As you can imagine, communication and handoff among these collaborators can be tricky without a standardized handoff protocol. 

Organizational roadblocks 

Given the importance of threat hunting, you might be surprised at some of the internal resistance teams can face. There are the usual suspects that all teams deal with, like resource allocation. But there are often cultural issues as well. Not all teams within an organization prioritize security. And sometimes teams choose not to share info about threats. 

Overcoming threat hunting challenges 

To be successful, threat hunters need support from all teams and the organization as a whole. Is there a way to help threat hunters avoid common mistakes and solve their challenges? Ironically enough, a solution lies within the first challenge: tooling. The threat hunters surveyed said that the right tools can make a big difference. An integrated toolset that helps them better detect anomalies and prioritize threats can save time, boost security, and improve trust between threat hunters and the larger organization they serve. 

Catch the next post in this series to learn about different threat hunter personas. 

Learn more about OpenText Cybersecurity 

Ready to enable your threat hunting team with products, services, and training to protect your most valuable and sensitive information? Check out our cybersecurity portfolio for a modern portfolio of complementary security solutions that offer threat hunters and security analysts 360-degree visibility across endpoints and network traffic to proactively identify, triage, and investigate anomalous and malicious behavior. 


Nik Earnest

Nik Earnest is a Product Marketing Manager at OpenText focused on promoting AI, ML, and behavior analytics in cybersecurity. He currently manages product marketing for OpenText ArcSight Intelligence and Cybersecurity Aviator. With exciting advances in AI, Nik is committed to equipping customers with the tools they need to defend against advanced attacks and insider threats, ensuring the security and integrity of their organizations.
