
An Interview Study on Third-Party Cyber Threat Hunting Processes in the U.S. Department of Homeland Security

William P. Maxam, James C. Davis

TL;DR

This study addresses the lack of empirical understanding of threat hunting processes in government contexts by interviewing 11 DHS threat hunters. Using semi-structured interviews, the authors induce a unified seven-stage TH process and develop 25 activities, revealing significant deviations from private-sector models TaHiTi and Endgame and the Trent CPT cognitive model. They identify core challenges—measuring expertise, automation, data collection, documentation, and turnover—and propose concrete recommendations: enhance planning, recalibrate automation, and implement apprenticeship-like onboarding. The work advances knowledge of TH in the public sector, informs cross-organizational collaboration, and outlines directions for future research on balancing process formality with flexibility and developing performance assessments for TH teams.

Abstract

Cybersecurity is a major challenge for large organizations. Traditional cybersecurity defense is reactive. Cybersecurity operations centers keep out adversaries and incident response teams clean up after break-ins. Recently a proactive stage has been introduced: Cyber Threat Hunting (TH) looks for potential compromises missed by other cyber defenses. TH is mandated for federal executive agencies and government contractors. As threat hunting is a new cybersecurity discipline, most TH teams operate without a defined process. The practices and challenges of TH have not yet been documented. To address this gap, this paper describes the first interview study of threat hunt practitioners. We obtained access and interviewed 11 threat hunters associated with the U.S. government's Department of Homeland Security. Hour-long interviews were conducted. We analyzed the transcripts with process and thematic coding. We describe the diversity among their processes, show that their processes differ from the TH processes reported in the literature, and unify our subjects' descriptions into a single TH process. We enumerate common TH challenges and solutions according to the subjects. The two most common challenges were difficulty in assessing a Threat Hunter's expertise, and developing and maintaining automation. We conclude with recommendations for TH teams (improve planning, focus on automation, and apprentice new members) and highlight directions for future work (finding a TH process that balances flexibility and formalism, and identifying assessments for TH team performance).

Paper Structure (70 sections, 10 figures, 9 tables)

Figures (10)

  • Figure 1: Threat hunt is one of three common ways to discover an adversary once they have circumvented cyber defenses. Once an adversary is discovered, an IR team responds.
  • Figure 2: Unified TH process induced from interview data. A detailed version is given in a later figure.
  • Figure 3: Cumulative unique codes by subject. The graph indicates saturation was achieved after 7 subjects.
  • Figure 4: Unique codes observed per subject. The graph indicates that re-ordering the saturation chart (Figure 3) would not affect the saturation curve.
  • Figure 5: Frequency at which thematic codes were mentioned by subjects, grouped by job role. The chart depicts the first 20 codes alphabetically. For visual clarity, the x-axis names only half of the codes. We observe no systematic variation by job role.