Threat hunting, definition and framework

Liliengren, Theodor, Löwenadler, Paul

January 2018

Being pioneers comes with advantages and responsibility. The concept of threathunting is currently being subsidized by businesses promoting their products. Additionally,there is little or no information regarding the implementation and theeffects, which vary depending on the organization. Threat hunting needed an unbiaseddefinition in accordance with employees in IT security. Consequently, theframeworks used when assessing threat hunting had to be objective. This thesispresents a definition of threat hunting, composed using impartial opinions. Furthermore,the thesis provides unique frameworks to assist when implementing andassessing threat hunting at an organization. This thesis has several areas of application:as a knowledge base for threat hunting, as the recommended practice forimplementing threat hunting and as groundwork for a more comprehensive evaluationof threat hunting capabilities. Ultimately, the thesis offers unprecedentednonpartisan information and recommendations on threat hunting.

Threat hunting

Computer Systems

Datorsystem

Discovering U.S. Government Threat Hunting Processes And Improvements

William Pierce Maxam III (15339184)

24 April 2023

<p><strong>INTRODUCTION:</strong> Cyber Threat Hunting (TH) is the activity of looking for potential</p> <p>compromises that other cyber defenses may have missed. These compromises cost organiza-</p> <p>tions an estimated $10M each and an effective Threat Hunt can reduce this cost. TH is a</p> <p>new discipline and processes have not yet been standardized. Most TH teams operate with</p> <p>no defined process. This is a problem as repeatable processes are important for a mature</p> <p>TH team.</p> <p><strong>OBJECTIVES:</strong> This thesis offers a Threat Hunt process as well as lessons learned</p> <p>derived from government TH practice.</p> <p><strong>METHODS:</strong> To achieve this I conducted 12 interviews, 1 hour in length, with govern-</p> <p>ment threat hunters. The transcripts of these interviews were analyzed with process and</p> <p>thematic coding. The coding was validated with a second reviewer.</p> <p><strong>RESULTS:</strong> I present a novel TH process depicting the process followed by government</p> <p>threat hunters. Common challenges and suggested solutions brought up by threat hunters</p> <p>were also enumerated and described. The most common problems were minimal automation</p> <p>and missing measures of TH expertise. Challenges with open questions were also identified.</p> <p>Open questions include: determining how to identify the best data to collect, how to create</p> <p>a specific but not rigid process and how to measure and compare the effectiveness of TH pro-</p> <p>cesses. Finally, subjects also provided features that indicate expertise to TH team members</p> <p>and recommendations on how to best integrate newer members into a TH team.</p> <p><strong>CONCLUSION:</strong> This thesis offers a first look at government TH processes. In the short</p> <p>term, the process recommendations provided in this thesis can be implemented and tested.</p> <p>In the long term, experiments in this sensitive context remain an open challenge.</p>

System and network security

Threat Hunting

Cyberspace Operations