Cyber Threat Hunting Program: An Overview of the INSA Report

Adam Cleveland
July 26, 2021

Let’s talk about the most noteworthy piece of cybersecurity legislation to ever go through Congress: the “Executive Order on Improving the Nation’s Cybersecurity” (May 12, 2021).

The goal of these significant regulations is to ensure the United States is strong and resilient in the face of the increased activity by hackers, criminals, and other adversaries of our nation. 

For example, one condition requires thorough dialogue between government and industry to make sure that Congress’ plan will be effectively implemented. 

Section 1739 of the legislation calls for the Secretary of Defense to assess the feasibility and suitability of “a defense industrial base cybersecurity threat hunting program to actively identify cybersecurity threats and vulnerabilities within the defense industrial base.”

The initial assessment needs to be completed by September 2021, and if the Secretary of Defense thinks it’s possible, the program should be implemented in March 2022.

Here’s a brief summary of the INSA report. You can read the full report here.

1. Evaluate Existing Threat Hunting Policies

This point covers threat hunting elements at each CMMC level.

INSA Recommendation Rundown

  • Since small-to-midsize companies are the ones who will likely struggle the most with the cost of a cyber threat hunting program, they should be provided with technical and financial assistance.
  • The financial assistance could come from the U.S. government deeming the cost as an “allowable” one according to DoD acquisition guidelines.
  • The technical help may be through the use of trusted third-party vendors.

2. Assess the Suitability of an Ongoing Hunting Program

There are some considerations that must be made here, including:

  • Collection and analysis of metadata on DIB network activity.
  • Rapid investigation and remediation of possible intrusions.
  • Requirements for mitigating any vulnerabilities.
  • Mechanisms for DoD to share cyber threat information with the DIB.

INSA Recommendation Rundown

  • Companies should gather and assess the data on their own networks.
  • DIB companies should present their threat analysis to the Department of Defense. (Because raw metadata could expose personally identifiable information, however, the DoD cannot be compelled to provide genuine metadata.)

3. Evaluate Recommendations for Participation

The recommendations referred to here concern:

  • Incentives.
  • Mandating minimum levels of participation.
  • Procurement prohibitions.
  • Waiver authority and criteria.
  • A tiered program with additional considerations.

INSA Recommendation Rundown

  • Focus on incentives, assistance, and waivers that can enable companies to engage in a threat hunting program.
  • Keep small businesses with limited budgets in mind.

4. Assess Who Conducts Threat Hunting Programs

Should the programs be administered by:

  • Qualified contractors.
  • Accredited third-party vendors.
  • U.S. Cyber Command (or another DoD component).
  • The deployment of DoD sensors on DIB networks.
  • A combination of the above.

INSA Recommendation Rundown

  • Companies should perform all their threat hunting activities on their own network, the only exception being when they choose to accept help from DoD or a third party.
  • No company should be required to allow an outside party to operate or place sensors on its network.

5. Evaluate Changes in Regulation or Law

INSA Recommendation Rundown

  • There should be liability protection for companies in a threat hunting program, though this may require additional legislation.
  • Since smaller companies don’t have the expertise and resources to participate, the DoD should step in to lessen the cost.

6. Evaluate the Timeline

The program should be established by January 2023.

INSA Recommendation Rundown

  • Use CMMC as a model.
  • The cyber threat hunting program should be rolled out slowly. This will prove the value of the program and allow companies to assess any effects on the DIB supply chain.

7. Identify Barriers to the Program

Look for anything that would keep the program from being established.

INSA Recommendation Rundown

  • Cyber threat hunting programs should be:
      • Voluntary.
      • Company-managed.
      • Company-controlled.
      • Designed to share tailored categories of information.

What the Report Means for You

This legislation has implications for your company, whether it’s small, large, or somewhere in between.

It’s important for you to have the right security software to manage the coming changes.

Let’s talk about how ThreatSwitch may be the solution you’re looking for. 
