Improving Cyber Threat Hunting Practices
A study reveals effective strategies for enhancing threat hunting in cybersecurity.
Cybersecurity is a significant concern for large organizations, including governments and corporations. Traditional cybersecurity methods mainly focus on preventing attacks and responding after they occur: security operations teams try to keep intruders out, and when an intruder gets in anyway, incident response teams clean up after the breach. Recently, a new method known as Cyber Threat Hunting (TH) has emerged. This proactive approach involves actively searching for compromises that may have gone unnoticed by existing defenses.
Threat hunting is now required for federal agencies and their contractors. However, since this is a newer field, many threat hunting teams do not have a set process to follow. There is still much to learn about the best practices and challenges faced by these teams. To improve understanding in this area, a study was conducted by interviewing threat hunters within the U.S. Department of Homeland Security (DHS).
Importance of Cybersecurity
Cyber intrusions pose a serious threat to both public and private organizations. A study showed that unauthorized access to networks could cost companies an average of 13 million dollars annually. Furthermore, organizations could lose sensitive data or face problems related to national security. If an intruder remains undetected for a long time, the damage could be worse. One study indicated that reducing the time an intruder stayed unnoticed could lower the overall cost of an attack significantly.
To identify threats that might slip past security measures, organizations implement Cyber Threat Hunting. This process involves looking for intrusions that the usual defenses might miss. Both government and private sectors engage in threat hunting, though private organizations tend to focus on threats within their own networks.
Despite the growing need for threat hunting, a survey found that most organizations had no formal process for it. This lack of structure limits their ability to adopt best practices and improve over time. To help address this issue, researchers interviewed threat hunters to gather insights into their practices.
Methodology of the Study
The study involved semi-structured interviews with 11 threat hunters from two organizations within the DHS. Each interview lasted about an hour, and participants were asked questions about their processes and challenges. The interview transcripts were analyzed to identify common themes and insights.
The researchers analyzed the interview transcripts with process and thematic coding. The goal was to develop a better understanding of how DHS teams conduct threat hunting and to create a unified process model based on the findings.
Findings on Threat Hunting Processes
The analysis revealed a variety of approaches used by the threat hunting teams studied. Their processes did not align well with existing literature on threat hunting, highlighting the unique challenges faced by government teams. Based on interviews, a unified threat hunting process was developed, which includes several distinct stages.
Stages of the Threat Hunting Process
- Initiating the Hunt: Threat hunting missions can begin in two ways: proactively or in response to triggers. Proactive missions are initiated by the organization with no specific suspicion of a breach, whereas triggered missions arise from intelligence that suggests undetected intrusions. 
- Planning the Mission: This stage involves coordination between threat hunting teams and the organization requesting the hunt. It includes assessing what parts of the network will be examined, creating hypotheses, and documenting the mission plan. 
- Collecting Intelligence: Teams gather information relevant to the hunt. Depending on whether the mission is proactive or triggered, they may look for current attacker trends or indicators of prior threats. 
- Pre-Mission Activities: Before beginning the hunt, teams ensure they have the right tools and sensors in place for a successful operation. This may include placing sensors on the network to monitor for threats. 
- Manual and Automated Analysis: During the mission, teams engage in two types of analysis loops. The manual loop involves deeper examination of data for malicious activities, while the automated loop focuses on triaging alerts generated by sensors. 
- Concluding the Mission: After the analysis phase, the teams conclude their missions based on the evidence found. If adversarial activity is detected, they shift to Incident Response procedures. 
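The two analysis loops and the hand-off to incident response are the parts of this process that can be made concrete. The following is an added example, not code from the paper or from the DHS teams it describes: a small Python model of one hunt mission in which an automated loop triages constructed sensor alerts against the indicators gathered in the intelligence stage, a manual loop looks for corroborating host activity, and the mission concludes either with an incident response hand-off or with no findings. All class names, field names, hostnames and indicator values are hypothetical and constructed for the example.

```python
"""Toy model of a threat hunt mission: automated triage loop, manual loop, conclusion.

Added illustration; names and sample data are constructed, not taken from the paper.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Trigger(Enum):
    PROACTIVE = "proactive"   # organization initiates with no specific suspicion
    TRIGGERED = "triggered"   # intelligence suggests an undetected intrusion


@dataclass
class Hypothesis:
    description: str
    indicators: set[str]      # indicators collected in the intelligence stage (constructed)


@dataclass
class Alert:
    sensor: str
    host: str
    indicator: str            # e.g. a domain or file hash the sensor observed
    severity: int             # sensor-assigned score, 1 (low) .. 10 (high)


@dataclass
class Mission:
    kind: Trigger
    scope: set[str]           # hosts agreed with the requesting organization in planning
    hypotheses: list[Hypothesis]
    escalated: list[Alert] = field(default_factory=list)   # handed to the manual loop
    dismissed: list[Alert] = field(default_factory=list)   # out of scope, duplicate, or low value
    findings: list[str] = field(default_factory=list)      # evidence confirmed by an analyst


def automated_triage(mission: Mission, alerts: list[Alert], min_severity: int = 5) -> list[Alert]:
    """Automated loop: drop out-of-scope and duplicate alerts, escalate hypothesis matches
    and high-severity alerts to the manual loop, dismiss the rest."""
    seen: set[tuple[str, str]] = set()
    for alert in alerts:
        key = (alert.host, alert.indicator)
        if alert.host not in mission.scope or key in seen:
            mission.dismissed.append(alert)
            continue
        seen.add(key)
        matches_hypothesis = any(alert.indicator in h.indicators for h in mission.hypotheses)
        if matches_hypothesis or alert.severity >= min_severity:
            mission.escalated.append(alert)
        else:
            mission.dismissed.append(alert)
    return mission.escalated


def manual_analysis(mission: Mission, host_activity: dict[str, list[str]]) -> list[str]:
    """Manual loop: for each escalated alert, look for corroborating events on the host.
    Here 'corroborating' simply means the indicator also appears in the host's activity log."""
    for alert in mission.escalated:
        events = host_activity.get(alert.host, [])
        corroborated = [e for e in events if alert.indicator in e]
        if corroborated:
            mission.findings.append(
                f"{alert.host}: {alert.indicator} corroborated by {len(corroborated)} event(s)"
            )
    return mission.findings


def conclude(mission: Mission) -> str:
    """Concluding the mission: confirmed adversarial activity shifts to incident response."""
    return "incident_response" if mission.findings else "closed_no_findings"


def run_hunt(kind: Trigger, scope: set[str], indicators: set[str],
             alerts: list[Alert], host_activity: dict[str, list[str]]) -> Mission:
    """Run the analysis loops for one mission and return the completed mission record."""
    hypothesis = Hypothesis("Adversary infrastructure from intelligence stage is contacted", indicators)
    mission = Mission(kind=kind, scope=scope, hypotheses=[hypothesis])
    automated_triage(mission, alerts)
    manual_analysis(mission, host_activity)
    return mission


# Constructed sample data for a triggered mission (hypothetical hosts and indicators).
SAMPLE_SCOPE = {"ws-01", "ws-02"}
SAMPLE_INDICATORS = {"bad.example.invalid"}
SAMPLE_ALERTS = [
    Alert("net-sensor", "ws-01", "bad.example.invalid", 3),     # hypothesis match -> escalate
    Alert("net-sensor", "ws-01", "bad.example.invalid", 3),     # duplicate -> dismiss
    Alert("net-sensor", "ws-02", "benign.example.invalid", 2),  # low value -> dismiss
    Alert("edr-sensor", "ws-02", "other.example.invalid", 8),   # high severity -> escalate
    Alert("net-sensor", "ws-99", "bad.example.invalid", 9),     # out of scope -> dismiss
]
SAMPLE_ACTIVITY = {
    "ws-01": ["dns query bad.example.invalid by svchost.exe", "interactive logon by user a"],
    "ws-02": ["interactive logon by user b"],
}

if __name__ == "__main__":
    m = run_hunt(Trigger.TRIGGERED, SAMPLE_SCOPE, SAMPLE_INDICATORS, SAMPLE_ALERTS, SAMPLE_ACTIVITY)
    print(len(m.escalated), "escalated;", len(m.dismissed), "dismissed")
    print(m.findings, "->", conclude(m))
```

The scope check reflects the planning stage (only hosts the requesting organization agreed to are examined), the indicator set reflects the intelligence stage, and the severity threshold is the kind of parameter the paper's recommendation on the automated loop is about: if alerts escalated purely on severity rarely turn into findings, the threshold or the sensors feeding it are where effort should go.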
Common Challenges in Threat Hunting
Through the interviews, several challenges faced by threat hunting teams were identified:
- Assessing Team Expertise: It is difficult to evaluate the experience and skills of team members. Many expressed a need for better metrics to determine individual capabilities. 
- Automation Issues: Teams often struggle with insufficient automation. While automation is vital for efficiency, many processes remain manual, leading to potential delays and human error. 
- Data Access and Collection: Teams frequently begin collecting data only when they arrive on-site, resulting in a lack of crucial baseline information. They highlighted the need for advanced preparation to ensure data is available when needed. 
- Personnel Turnover: High turnover rates within cybersecurity teams contribute to challenges in maintaining knowledge and expertise. The study suggested integrating new members with experienced ones to facilitate smoother transitions. 
- Documentation and Process Consistency: Some teams lack clear documentation of their processes, making it difficult for new members to understand what needs to be done. There are differing opinions on how detailed this documentation should be. 
Recommendations for Improvement
Based on the findings, several recommendations were made for enhancing the threat hunting process:
- Enhance Mission Planning: All teams should prioritize creating robust mission plans and share objectives with everyone involved to ensure clarity and direction. 
- Improve the Automated Alert Loop: Since the automated alerts were not effectively identifying threats, teams should either enhance the automation or reduce resources spent on this aspect. 
- Implement Stronger Apprenticeship Programs: Pairing experienced members with newcomers can help integrate them into the team effectively. Creating structured apprenticeship programs can support this effort. 
Future Directions for Research
Threat hunting is still an emerging field, and there are various areas that require further research. Potential topics include:
- Exploring how to tailor automation tools to better meet the needs of threat hunting teams.
- Investigating the impacts of automation on team performance and effectiveness.
- Examining the balance between process formality and flexibility in threat hunting operations.
By addressing these areas, organizations can continue to improve their threat hunting practices and enhance cybersecurity efforts overall.
Conclusion
This study highlights the importance of understanding the processes used by threat hunters within government agencies. By documenting and analyzing these practices, researchers can help foster improvements in threat hunting, ultimately leading to better security measures against cyber threats.
Title: An Interview Study on Third-Party Cyber Threat Hunting Processes in the U.S. Department of Homeland Security
Abstract: Cybersecurity is a major challenge for large organizations. Traditional cybersecurity defense is reactive. Cybersecurity operations centers keep out adversaries and incident response teams clean up after break-ins. Recently a proactive stage has been introduced: Cyber Threat Hunting (TH) looks for potential compromises missed by other cyber defenses. TH is mandated for federal executive agencies and government contractors. As threat hunting is a new cybersecurity discipline, most TH teams operate without a defined process. The practices and challenges of TH have not yet been documented. To address this gap, this paper describes the first interview study of threat hunt practitioners. We obtained access and interviewed 11 threat hunters associated with the U.S. government's Department of Homeland Security. Hour-long interviews were conducted. We analyzed the transcripts with process and thematic coding. We describe the diversity among their processes, show that their processes differ from the TH processes reported in the literature, and unify our subjects' descriptions into a single TH process. We enumerate common TH challenges and solutions according to the subjects. The two most common challenges were difficulty in assessing a Threat Hunter's expertise, and developing and maintaining automation. We conclude with recommendations for TH teams (improve planning, focus on automation, and apprentice new members) and highlight directions for future work (finding a TH process that balances flexibility and formalism, and identifying assessments for TH team performance).
Authors: William P. Maxam, James C. Davis
Last Update: 2024-02-19 00:00:00
Language: English
Source URL: https://arxiv.org/abs/2402.12252
Source PDF: https://arxiv.org/pdf/2402.12252
Licence: https://creativecommons.org/licenses/by/4.0/
Changes: This summary was created with assistance from AI and may have inaccuracies. For accurate information, please refer to the original source documents linked here.
Thank you to arxiv for use of its open access interoperability.