Discovering U.S. Government Threat Hunting Processes And Improvements
William Pierce Maxam III (15339184), 24 April 2023
INTRODUCTION: Cyber Threat Hunting (TH) is the activity of looking for potential compromises that other cyber defenses may have missed. These compromises cost organizations an estimated $10M each, and an effective Threat Hunt can reduce this cost. TH is a new discipline and processes have not yet been standardized. Most TH teams operate with no defined process. This is a problem, as repeatable processes are important for a mature TH team.

OBJECTIVES: This thesis offers a Threat Hunt process as well as lessons learned derived from government TH practice.

METHODS: To achieve this I conducted 12 interviews, 1 hour in length, with government threat hunters. The transcripts of these interviews were analyzed with process and thematic coding. The coding was validated with a second reviewer.

RESULTS: I present a novel TH process depicting the process followed by government threat hunters. Common challenges and suggested solutions brought up by threat hunters were also enumerated and described. The most common problems were minimal automation and missing measures of TH expertise. Challenges with open questions were also identified. Open questions include: determining how to identify the best data to collect, how to create a specific but not rigid process, and how to measure and compare the effectiveness of TH processes. Finally, subjects also provided features that indicate expertise to TH team members and recommendations on how to best integrate newer members into a TH team.

CONCLUSION: This thesis offers a first look at government TH processes. In the short term, the process recommendations provided in this thesis can be implemented and tested. In the long term, experiments in this sensitive context remain an open challenge.

Rapid Mission Assurance Assessment via Sociotechnical Modeling and Simulation
Lanham, Michael J., 01 May 2015
How do organizations rapidly assess command-level effects of cyber attacks? Leaders need a way of assuring themselves that their organization, people, and information technology can continue their missions in a contested cyber environment. To do this, leaders should: 1) require assessments be more than analogical, anecdotal or simplistic snapshots in time; 2) demand the ability to rapidly model their organizations; 3) identify their organization’s structural vulnerabilities; and 4) have the ability to forecast mission assurance scenarios. Using text mining to build agent based dynamic network models of information processing organizations, I examine impacts of contested cyber environments on three common focus areas of information assurance—confidentiality, integrity, and availability. I find that assessing impacts of cyber attacks is a nuanced affair dependent on the nature of the attack, the nature of the organization and its missions, and the nature of the measurements. For well-manned information processing organizations, many attacks are in the nuisance range, and only multipronged or severe attacks cause meaningful failure. I also find that such organizations can design for resiliency, and I provide guidelines on how to do so.