Cyber Threat Hunting Program: An Overview of the INSA Report

Blog

/

Cyber Threat Hunting Program: An Overview of the INSA Report

Content

Adam Cleveland

Published

July 26, 2021

Let’s talk about the most noteworthy piece of cybersecurity legislation to ever go through Congress: “Executive Order on Improving the Nation’s Cybersecurity.” (May 12, 2021)

The goal of these significant regulations is to ensure the United States is strong and resilient in the face of the increased activity by hackers, criminals, and other adversaries of our nation.

For example, one condition requires thorough dialogue between government and industry to make sure that Congress’ plan will be effectively implemented.

Section 1739 of the legislation calls for the Secretary of Defense to assess the feasibility and suitability of “a defense industrial base cybersecurity threat hunting program to actively identify cybersecurity threats and vulnerabilities within the defense industrial base.”

The initial assessment needs to be completed by September 2021, and if the Secretary of Defense thinks it’s possible, the program should be implemented in March 2022.

Here’s a brief summary of the INSA report. You can read the full report here.

1. Evaluate Existing Threat Hunting Policies

This point covers threat hunting elements at each CMMC level.

INSA Recommendation Rundown

Since small-to-midsize companies are the ones who will likely struggle the most with the cost of a cyber threat hunting program, they should be provided with technical and financial assistance.
The financial assistance could come from the U.S. government deeming the cost as an “allowable” one according to DoD acquisition guidelines.
The technical help may be through the use of trusted third-party vendors.

2. Assess the Suitability of an Ongoing Hunting Program

There are some considerations that must be made here, including:

Collection and analysis of metadata on DIB network activity.
Rapid investigation and remediation of possible intrusions.
Requirements for mitigating any vulnerabilities
Mechanisms for DoD to share cyber threat information with the DIB.

INSA Recommendation Rundown

Companies should gather and assess the data on their own networks.
DIB companies should present their threat analysis to the Department of Defense. (Due to the possibility of giving out personally identifying information, however, the DoD cannot be compelled to provide genuine metadata.)

3. Evaluate Recommendations for Participation

The recommendations referred to here concern:

Incentives.
Mandating minimum levels of participation.
Procurement prohibitions.
Waiver authority and criteria.
A tiered program with additional considerations.

INSA Recommendation Rundown

Focus on incentives, assistance, and waivers that can enable companies to engage in a threat hunting program.
Keep small businesses with limited budgets in mind.

4. Assess Who Conducts Threat Hunting Programs

Should the programs be administered by:

Qualified contractors.
Accredited third-party vendors.
U.S. Cyber Command (or another DoD component).
The deployment of DoD sensors on DIB networks.
A combination of the above.

INSA Recommendation Rundown

Companies should perform all their threat hunting activities on their own network. (The exception being accepting help from DoD or a third party.)
No company should be required to allow an outside party to operate or place sensors on its network.

5. Evaluate Changes in Regulation or Law

INSA Recommendation Rundown

There should be liability protection for companies in a threat hunting program, though this may require additional legislation.
Since smaller companies don’t have the expertise and resources to participate, the DoD should step in to lessen the cost.

6. Evaluate the Timeline

The program should be established by January 2023.

INSA Recommendation Rundown

Use CMMC as a model.
The cyber threat hunting program should be rolled out slowly. This will prove the value of the program and allow companies to assess any effects on the DIB supply chain.