The problem with traditional defense against cyber attacks is that it is passive. Relying on security alerts alone is ineffective. According to the 2020 Mandiant Security Effectiveness Report:
- Alerts are only generated for 9% of attacks.
- Only 26% of attacks are detected.
- Only 33% of attacks are prevented.
- About 53% of attacks are missed.
On the other hand, Cisco's 2020 CISO Benchmark Report states 41% of organizations get more than 10,000 alerts per day. Organizations are getting both too much information and not enough.
Once an attacker breaches a network, the "dwell time" they can stay before being discovered is a median 146 days. The mean time is 207 days - almost seven months. Dwell times are increasing.
The answer according to a Halock post (https://www.halock.com/what-is-threat-hunting-and-why-you-need-it/) is "threat hunting". This is a proactive approach to search for attackers who have evaded security. The hunter's job is to remove malware, detect unknown vulnerabilities and uncover existing threats. Their target is advanced persistent threats (APT).
Threat hunters use advanced tools, threat intelligence and analytics to look for indicators of compromise (IoCs). It is a highly structured, hypothesis-driven approach.
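To make the structured approach concrete, here is an added example (not code from the original post or from Halock) of two small hunting hypotheses run over constructed proxy log lines: one matches destinations against a threat-intelligence feed, the other looks for beaconing, i.e. a host contacting the same domain at near-constant intervals, which an IoC feed cannot catch when the domain is new. The log lines, host names and the `.invalid` domains are all made up for illustration.

```python
"""Added example: a minimal, hypothesis-driven threat hunt over constructed
proxy log lines. Log contents and IoC values are placeholders, not real data."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "timestamp host dest_domain bytes" (not real traffic).
SAMPLE_LOGS = """\
2024-03-01T10:00:00 ws-17 updates.example.org 4210
2024-03-01T10:00:05 ws-17 cdn.example.net 88120
2024-03-01T10:05:00 ws-17 c2-placeholder.invalid 512
2024-03-01T10:10:00 ws-17 c2-placeholder.invalid 520
2024-03-01T10:15:00 ws-17 c2-placeholder.invalid 498
2024-03-01T10:20:00 ws-17 c2-placeholder.invalid 530
2024-03-01T10:03:12 ws-22 mail.example.com 2310
2024-03-01T10:31:40 ws-22 files.example.com 77000
2024-03-01T11:02:09 ws-22 bad-domain-placeholder.invalid 640
"""

# Placeholder threat-intelligence feed (assumed, not a real indicator list).
IOC_DOMAINS = {"bad-domain-placeholder.invalid"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_logs(text):
    """Parse log lines into (timestamp, host, domain, bytes) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        ts, host, domain, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), host, domain, int(nbytes)))
    return events


def hunt_iocs(events, ioc_domains=IOC_DOMAINS):
    """Hypothesis 1: some host talked to a domain present in the intel feed."""
    return sorted({(host, domain) for _, host, domain, _ in events if domain in ioc_domains})


def hunt_beacons(events, min_connections=4, max_jitter=0.1):
    """Hypothesis 2: a host contacts one domain at near-constant intervals.
    Returns (host, domain, mean_interval_seconds, jitter) for each candidate,
    where jitter is the coefficient of variation of the inter-arrival gaps."""
    by_pair = defaultdict(list)
    for ts, host, domain, _ in events:
        by_pair[(host, domain)].append(ts)
    findings = []
    for (host, domain), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append((host, domain, round(mean), round(jitter, 3)))
    return findings


def run_hunt(text=SAMPLE_LOGS):
    """Run both hypotheses and return the findings for triage."""
    events = parse_logs(text)
    return {"ioc_hits": hunt_iocs(events), "beacons": hunt_beacons(events)}


if __name__ == "__main__":
    for kind, hits in run_hunt().items():
        print(kind, hits)
```

On the constructed data the IoC hypothesis flags `ws-22`, while the beaconing hypothesis flags `ws-17` talking to `c2-placeholder.invalid` every 300 seconds with zero jitter, a host that produced no alert and matched no feed. Real hunts would lower the jitter threshold carefully and tune `min_connections` to the log volume, since legitimate update checks also run on timers.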
By using threat hunting, organizations can turn the tables on their attackers.