Discovering U.S. Government Threat Hunting Processes And Improvements
INTRODUCTION: Cyber Threat Hunting (TH) is the activity of looking for potential
compromises that other cyber defenses may have missed. These compromises cost organiza-
tions an estimated $10M each and an effective Threat Hunt can reduce this cost. TH is a
new discipline and processes have not yet been standardized. Most TH teams operate with
no defined process. This is a problem as repeatable processes are important for a mature
OBJECTIVES: This thesis offers a Threat Hunt process as well as lessons learned
derived from government TH practice.
METHODS: To achieve this I conducted 12 interviews, 1 hour in length, with govern-
ment threat hunters. The transcripts of these interviews were analyzed with process and
thematic coding. The coding was validated with a second reviewer.
RESULTS: I present a novel TH process depicting the process followed by government
threat hunters. Common challenges and suggested solutions brought up by threat hunters
were also enumerated and described. The most common problems were minimal automation
and missing measures of TH expertise. Challenges with open questions were also identified.
Open questions include: determining how to identify the best data to collect, how to create
a specific but not rigid process and how to measure and compare the effectiveness of TH pro-
cesses. Finally, subjects also provided features that indicate expertise to TH team members
and recommendations on how to best integrate newer members into a TH team.
CONCLUSION: This thesis offers a first look at government TH processes. In the short
term, the process recommendations provided in this thesis can be implemented and tested.
In the long term, experiments in this sensitive context remain an open challenge.
- Master of Science
- Electrical and Computer Engineering
- West Lafayette