Plan for an Evaluation of Government Cyber Threat Hunting Processes
William Maxam and Jamie Davis
Cyber intrusions are a concern for critical infrastructure operators, governments, and private corporations. One method of detecting these network intruders is a cyber Threat Hunt (TH). Although theoretical threat hunt methodologies exist, the processes actually being used by TH teams are not well documented. This may not pose a problem for expert threat hunters who have already internalized the process; however, it could be problematic for teams seeking to onboard newer members, who have no well-documented process to latch on to. The problem of integrating less experienced members is a recurring issue for military units, where analysts are rotated to different teams and assignments every few years, but its effects can be reduced via a well-implemented process. Our study seeks to interview current TH practitioners in order to document the processes currently in use by military and civilian government TH teams. Using this data, we hope to provide process recommendations to TH teams on how to integrate novice members.