Fuzzy to Clear: Elucidating the Threat Hunter Cognitive Process and Cognitive Support Needs
Alessandra Maciel Paz Milani, Arty Starr, Samantha Hill, Callum Curtis, Norman Anderson, David Moreno-Lumbreras, Margaret-Anne Storey

TL;DR
This study explores the cognitive processes of threat hunters through observational research, aiming to improve tool support and enhance cybersecurity practices by focusing on human factors.
Contribution
It introduces a model of threat hunter cognition, identifies key support needs, and proposes design improvements for cybersecurity tools based on empirical insights.
Findings
Threat hunters develop and refine mental models during sessions.
23 themes reveal critical support needs for threat hunters.
Five design propositions to improve threat hunting tools.
Abstract
With security threats increasing in frequency and severity, it is critical that we consider the important role of threat hunters. These highly-trained security professionals learn to see, identify, and intercept security threats. Many recent works and existing tools in cybersecurity are focused on automating the threat hunting process, often overlooking the critical human element. Our study shifts this paradigm by emphasizing a human-centered approach to understanding the lived experiences of threat hunters. By observing threat hunters during hunting sessions and analyzing the rich insights they provide, we seek to advance the understanding of their cognitive processes and the tool support they need. Through an in-depth observational study of threat hunters, we introduce a model of how they build and refine their mental models during threat hunting sessions. We also present 23 themes…
