An Interview Study on Third-Party Cyber Threat Hunting Processes in the U.S. Department of Homeland Security
William P. Maxam III, James C. Davis

TL;DR
Through hour-long interviews with threat hunters associated with the U.S. Department of Homeland Security, this study documents how threat hunting is practised in a government setting, shows how widely the process varies between practitioners, identifies common challenges, and offers recommendations for making threat hunting more effective.
Contribution
First interview-based analysis of threat hunting processes in a government context, highlighting differences from existing literature and proposing a unified process model.
Findings
Processes vary significantly among practitioners
Difficulty in assessing threat hunter expertise is a major challenge
Automation development and maintenance are key issues
Abstract
Cybersecurity is a major challenge for large organizations. Traditional cybersecurity defense is reactive. Cybersecurity operations centers keep out adversaries and incident response teams clean up after break-ins. Recently a proactive stage has been introduced: Cyber Threat Hunting (TH) looks for potential compromises missed by other cyber defenses. TH is mandated for federal executive agencies and government contractors. As threat hunting is a new cybersecurity discipline, most TH teams operate without a defined process. The practices and challenges of TH have not yet been documented. To address this gap, this paper describes the first interview study of threat hunt practitioners. We obtained access and interviewed 11 threat hunters associated with the U.S. government's Department of Homeland Security. Hour-long interviews were conducted. We analyzed the transcripts with process and…
Taxonomy
Topics: Information and Cyber Security · Cybersecurity and Cyber Warfare Studies · Cybercrime and Law Enforcement Studies
