SANS CTI Survey 2024: Threat hunting is the top CTI use case

2024 SANS CTI report summary
Last year's annual cyber threat intelligence (CTI) research report from the SANS Institute, SANS CTI Survey 2024: Managing the Evolving Threat Landscape, delves into several important topics related to CTI, including:
- Geopolitical and regulatory landscapes are critical to a CTI team’s tasks
- Threat hunting is now the top use case for CTI
- AI is making its mark on CTI, with nearly one-quarter of respondents leveraging AI in their CTI program
SANS findings: Threat hunting
One of the report’s key findings underscores the value of threat intelligence: for the first time in the survey’s history, threat hunting is the top use case for CTI. Roughly 75% of respondents said CTI data is used for this purpose. The next two use cases are incident response (73.5%) and vulnerability management (66.3%).
As stated in the SANS report, “Threat hunting is a proactive approach for detecting threats that are either unidentified or not yet remediated within an organization’s network… Respondents report they ‘leverage threat intel to scope and target threat hunts against the organization’ and ‘create threat hunt packs for particular malware or APTs.’”
Threat hunting is a constant game of cat and mouse. It’s about finding the threat actors before they find you. It's thrilling to see that CTI is widely embraced for the value it brings to threat hunting, an activity that we spend a fair amount of time doing.
Why is CTI so important to effective threat hunting?
There are many use cases for real-time, contextual CTI, including threat hunting. The deep-dive investigative capabilities afforded by comprehensive CTI empower threat-hunting teams to find the highest-priority threats to remediate.
Asset monitoring
A real-time CTI solution can compile, manage, and monitor the organization’s complete asset inventory across external sources, including the deep and dark web, messaging platforms, and more, through automated capabilities. We call this “threat monitoring,” to stress its continuous nature, as opposed to “threat hunting,” which is manual. This process identifies potential risks and exposures and helps security teams understand threat actors’ potential attack vectors and TTPs so they can expose and prevent emerging cyber-attacks before they are weaponized. For example, CTI can identify malicious links published in external sources, extract the URLs, and block them on the corporate firewall, triggering playbooks on the organization’s SIEM, SOAR, EPP, or VM platforms before anyone has a chance to download or click on them.
Data integration
Threat-hunting activities often span multiple tools and data sets. An effective CTI solution should allow security engineers to integrate and easily cross-reference data between their tools to save time and resources. For example, a security engineer should be able to review logs within their SIEM for suspicious activity or indicators and immediately enrich those indicators with CTI to know whether or not a threat exists.
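The two workflows described above (pulling indicators out of SIEM log lines and enriching them against CTI, then turning high-confidence matches into firewall blocks or playbook triggers) can be sketched in a few dozen lines. The following is an added illustration, not Bitsight code and not a Bitsight, SIEM or firewall API: the log lines, the CTI feed, the confidence values and the helper names (extract_indicators, enrich, build_block_actions) are all constructed for the example, and the IP addresses come from the RFC 5737 documentation ranges so no real host is referenced.

```python
"""Added example: enrich indicators found in SIEM log lines against a CTI feed.

Everything here is constructed for illustration (log lines, feed entries,
confidence scores, helper names). It calls no vendor, SIEM or firewall API.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed CTI feed: indicator value -> context. A real feed would be pulled
# from a CTI platform; tags and confidence scores here are made up.
CTI_FEED = {
    "198.51.100.23": {"type": "ipv4", "tags": ["c2"], "confidence": 90},
    "invoice-update.example.net": {"type": "domain", "tags": ["phishing"], "confidence": 75},
    "0123456789abcdef0123456789abcdef": {"type": "md5", "tags": ["malware"], "confidence": 60},
}

# Constructed SIEM log lines. 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737
# documentation ranges standing in for public addresses.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy01 user=alice url=http://invoice-update.example.net/doc.php status=200",
    "2024-05-01T10:00:05Z fw01 action=allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-05-01T10:00:09Z edr01 host=ws-17 file=report.exe md5=0123456789abcdef0123456789abcdef",
    "2024-05-01T10:00:12Z fw01 action=allow src=10.0.0.8 dst=203.0.113.9 dport=80",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")

# Address space we never send to CTI lookup: internal hosts are not threat indicators.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_indicators(line: str) -> set:
    """Return a set of (kind, value) pairs found in one log line."""
    found = set()
    for url in URL_RE.findall(line):
        found.add(("url", url))
        host = urlparse(url).hostname
        if host:
            # Feeds usually key on the domain, so expose it separately from the URL.
            found.add(("domain", host.lower()))
    for ip in IPV4_RE.findall(line):
        try:
            if not _is_internal(ip):
                found.add(("ipv4", ip))
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an address
            continue
    for digest in HASH_RE.findall(line):
        found.add(("hash", digest.lower()))
    return found


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    kind: str
    tags: tuple
    confidence: int


def enrich(log_lines, feed) -> list:
    """Cross-reference every extracted indicator with the feed; highest confidence first."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for kind, value in extract_indicators(line):
            ctx = feed.get(value)
            if ctx:
                hits.append(Hit(line_no, value, kind, tuple(ctx["tags"]), ctx["confidence"]))
    return sorted(hits, key=lambda h: -h.confidence)


def build_block_actions(hits, min_confidence: int = 70) -> list:
    """Turn confident hits into firewall/playbook actions (plain dicts, not API calls).

    Low-confidence matches are deliberately left for an analyst rather than
    auto-blocked, which is the usual failure mode of fully automated blocking.
    """
    actions = []
    for h in hits:
        if h.confidence < min_confidence:
            continue
        if h.kind == "ipv4":
            actions.append({"action": "firewall_block", "target": h.indicator, "playbook": "contain-host"})
        elif h.kind == "domain":
            actions.append({"action": "dns_sinkhole", "target": h.indicator, "playbook": "phishing-triage"})
        elif h.kind == "hash":
            actions.append({"action": "edr_quarantine", "target": h.indicator, "playbook": "malware-triage"})
    return actions


if __name__ == "__main__":
    for hit in enrich(SAMPLE_LOGS, CTI_FEED):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} tags={hit.tags} conf={hit.confidence}")
    print(build_block_actions(enrich(SAMPLE_LOGS, CTI_FEED)))
```

On the constructed input, the C2 address and the phishing domain clear the confidence threshold and produce actions, while the hash match (confidence 60) is surfaced to the analyst but not acted on automatically; the internal 10.0.0.0/8 sources are never looked up at all.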
Protecting sensitive data
Threat hunting, or monitoring, is also essential to protect credentials, methods of payment, and sensitive data. Continuous, real-time monitoring of the company’s critical assets, brand, and employee and customer data across the surface web and cybercriminal underground is foundational. This continuous monitoring ensures that security teams receive early warnings of active threats relevant to the organization as they surface so they can take proactive defensive measures to protect the organization, its assets, and customers.
Incident detection
As shown in the SANS CTI survey results, incident (detection and) response and vulnerability management also rank in the top three CTI use cases. The value of the insights gained from comprehensive, contextual CTI in supporting these efforts cannot be overstated. The autonomous, continuous collection of CTI across the deep, dark, and clear web, combined with monitoring of an organization’s attack surface, means security teams can be alerted to potential threats and incidents and respond with preemptive action before threats materialize into an attack.
Vulnerability detection
Additionally, comprehensive, real-time contextual threat intelligence with attack surface scanning can inform a security team of what vulnerabilities the organization has. But more than that, it also indicates the specific vulnerabilities that threat actors are currently exploiting, highlighting those that put the organization at risk – which is critical for prioritizing remediation efforts.
More SANS results: CTI Reports rise in importance
Another interesting data point resulting from the survey is the rise of CTI reports as the top method for disseminating important information across the organization. According to the report: “Although traditionally emails, spreadsheets, and presentations were the most preferred options to disseminate CTI, reporting emerged as the most prevalent method this year. Survey results show a rise in the use of reporting for dissemination, growing from 62% in 2022 to 74% in 2024. Similarly, the utilization of briefings to disseminate intelligence increased from 51% in 2019 to 64% in 2024. The uptick in reporting and briefings may reflect the evolving maturity of CTI, because both reports and briefings indicate a receptive audience of decision-makers. This underscores the importance of communication as a core skill for CTI analysts.”
Reporting may be the #1 method for information sharing in the organization, but it’s no simple task and can take a few hours or more to produce just one report. However, Bitsight offers a set of tools that takes the pain of reporting away, saving users valuable time so they can focus their efforts on thwarting cyber attacks.
These tools include automated reports on crucial CTI topics such as ransomware group activity, trending malware discussions, and industry risk, as well as the custom report creator, which allows users to collect information and data points from across the portal into a custom report.
Bitsight's AI-powered reporting enables efficient information sharing
Bitsight's IQ Report Generator simplifies and streamlines strategic, operational, and tactical threat intelligence reporting, saving security teams significant time and effort in creating reports about cybersecurity events and threat entities. In addition to helping security teams and threat analysts share relevant, critical findings with others in the organization, IQ Report Generator also helps Managed Security Services Providers (MSSPs) rapidly create custom, in-depth reports for multiple clients.
This time-saving feature leverages Bitsight IQ, Bitsight’s generative AI technology, enabling users to create detailed, custom reports in minutes by entering a topic and setting parameters from dropdown menu options.
In addition to CTI reports, IQ Report Generator can provide insights and recommendations for remediation when threats are detected. The deliverables IQ Report Generator can produce include:
- Risk-assessment reports: assessing overall cybersecurity risk, potential impact, and mitigation strategies
- Threat intelligence briefings: assessing key threat trends, emerging threats, and their potential impact on the organization
- Incident response reports: including indicators of compromise, attack timelines, affected systems, and recommended actions
- Post-incident reports: summarizing lessons learned, recommendations to improve, and strategies to prevent future incidents
- Vendor risk reports: highlighting the risks from third-party vendors and informing decision-making
Underscoring the value that AI brings to reporting, the SANS CTI survey states that while use of AI in CTI is on the rise, one of the areas where it plays a beneficial role is in analysis and report writing. Our IQ Report Generator powers the generation of a wide variety of CTI reports, including incident response reports, risk and compliance reports, executive-level communications reports, and third-party risk reports.
