Discovering U.S. Government Threat Hunting Processes And Improvements

INTRODUCTION: Cyber Threat Hunting (TH) is the activity of looking for potential

compromises that other cyber defenses may have missed. These compromises cost organiza-

tions an estimated $10M each and an effective Threat Hunt can reduce this cost. TH is a

new discipline and processes have not yet been standardized. Most TH teams operate with

no defined process. This is a problem as repeatable processes are important for a mature

TH team.

OBJECTIVES: This thesis offers a Threat Hunt process as well as lessons learned

derived from government TH practice.

METHODS: To achieve this I conducted 12 interviews, 1 hour in length, with govern-

ment threat hunters. The transcripts of these interviews were analyzed with process and

thematic coding. The coding was validated with a second reviewer.

RESULTS: I present a novel TH process depicting the process followed by government

threat hunters. Common challenges and suggested solutions brought up by threat hunters

were also enumerated and described. The most common problems were minimal automation

and missing measures of TH expertise. Challenges with open questions were also identified.

Open questions include: determining how to identify the best data to collect, how to create

a specific but not rigid process and how to measure and compare the effectiveness of TH pro-

cesses. Finally, subjects also provided features that indicate expertise to TH team members

and recommendations on how to best integrate newer members into a TH team.

CONCLUSION: This thesis offers a first look at government TH processes. In the short

term, the process recommendations provided in this thesis can be implemented and tested.

In the long term, experiments in this sensitive context remain an open challenge.