2021 Threat Hunting Report
We know who they are. How they work. How to stop them.
The Falcon OverWatch Team of Threat Hunters:
Human insight and experience.
Because technology on its own cannot find and stop all of the threats.
Last year, Falcon OverWatch Threat Hunters identified and stopped:
Developed and deployed:
We know the adversary.
We know their tradecraft.
Most importantly, Falcon OverWatch Threat Hunters know how to shut them down.
How the Falcon OverWatch Threat Hunting Team gets it done
CrowdStrike’s rich telemetry creates the foundation for OverWatch threat hunting. Upward of 1 trillion events per day, comprising hundreds of event types from millions of endpoints, are collected and cataloged by the Falcon platform to provide comprehensive visibility into activity across the CrowdStrike install base.
CrowdStrike's proprietary Threat Graph contextualizes events and reveals relationships between data points in real time. Threat hunters add a further dimension to the data by drawing on CrowdStrike’s up-to-the-minute threat intelligence about the tradecraft of more than 160 adversary groups, as well as by using their intimate working knowledge of the tactics, techniques and procedures (TTPs) in use in the wild. All of this is underpinned by OverWatch’s proprietary tools and processes, which ensure every hunt is optimized for maximum efficiency.
OverWatch analysts use a mix of patent-protected hunting workflows and complex statistical methods to identify anomalous activity. This is supported by a deep understanding of adversary behaviors and motivations, enabling the team to form hypotheses about where adversaries may strike. The breadth and depth of experience on the OverWatch team is world class, with representation from every corner of public and private industry. Further, the team is continuously building its knowledge base, going toe-to-toe with adversaries on the front line, 24/7/365.
In order to take action against an adversary, it is critical to understand the full nature of the threat. In just minutes, OverWatch analysts reconstruct threat activity, transforming it from a collection of data points into a clear story. This information empowers organizations to not only remediate but also plug the gaps in their environment.
Time is of the essence in preventing an intrusion from becoming a breach. OverWatch operates as a native component of the Falcon platform. Through Falcon, OverWatch delivers clear, accurate and actionable information on potentially malicious activity in near real time, enabling organizations to respond quickly and decisively, without friction.
With each new threat, OverWatch extracts new insights to drive continuous improvements in automated detections and human threat hunting. The team is consistently fine-tuning its skills and processes to always stay a step ahead of the adversary.