Characterizing the Threat Hunt Process

Principal Investigator: Jamie Davis

Cyber security is a huge concern for governments and private corporations alike. The average cyber intrusion costs $13 million, and that figure continues to increase. Dwell time, the amount of time an adversary is able to maintain a foothold in a compromised network undetected, is a key indicator of how capable an organization is of detecting adversaries once they are inside the network. Reducing dwell time significantly reduces the cost of cyber intrusions; however, according to a 2020 IBM report, the average dwell time is 207 days and increasing. According to a 2019 Attivo survey (n=927), over half of the respondents said that a 100 day dwell time was either "about right" or "low". These reports highlight the importance of searching for adversary activity internal to the network boundary.

One method of detecting adversaries internal to the network boundary is a Cyber Threat Hunt (TH). Threat Hunting is "a focused and iterative approach to searching out, identifying and understanding adversaries internal to the defender’s networks". Although most organizations value hunting, as evidenced by its widespread implementation, as a domain it is still in its infancy, with less than half of organizations utilizing a written TH process. Although theoretical threat hunt methodologies exist, the processes actually being used by TH teams are not well documented.

As a first step in understanding this important cybersecurity process, we are conducting interviews. We are interviewing threat hunt practitioners across two different government organizations to understand (1) their threat hunt process; and (2) the integration of non-expert and expert team members (a specific problem in the government context). Our analysis aims to understand the TH process used by each practitioner and the system encompassing their processes.

Students: William "Trey" Maxam