Discovering U.S. Government Threat Hunting Processes and Improvements

William P. Maxam, Purdue University

Abstract

INTRODUCTION: Cyber Threat Hunting (TH) is the activity of looking for potential compromises that other cyber defenses may have missed. These compromises cost organizations an estimated $10M each, and an effective Threat Hunt can reduce this cost. TH is a new discipline and its processes have not yet been standardized. Most TH teams operate with no defined process. This is a problem, as repeatable processes are important for a mature TH team.

OBJECTIVES: This thesis offers a Threat Hunt process as well as lessons learned derived from government TH practice.

METHODS: To achieve this, I conducted 12 interviews, 1 hour in length, with government threat hunters. The transcripts of these interviews were analyzed with process and thematic coding. The coding was validated with a second reviewer.

RESULTS: I present a novel TH process depicting the process followed by government threat hunters. Common challenges and suggested solutions brought up by threat hunters were also enumerated and described. The most common problems were minimal automation and missing measures of TH expertise. Challenges with open questions were also identified. Open questions include: determining how to identify the best data to collect, how to create a specific but not rigid process, and how to measure and compare the effectiveness of TH processes. Finally, subjects also provided features that indicate expertise to TH team members and recommendations on how to best integrate newer members into a TH team.

CONCLUSION: This thesis offers a first look at government TH processes. In the short term, the process recommendations provided in this thesis can be implemented and tested. In the long term, experiments in this sensitive context remain an open challenge.

Degree

M.S.

Advisors

Davis, Purdue University.

Subject Area

Computer Engineering|Political science
