Traditionally, a cyberattack would be identified, and the remediation process would begin. The effectiveness of this is questionable because not all attacks are discovered. Secondly, even if they were discovered, the malicious actor may have left files in areas for future exploits. Because of this logic, we see a new emphasis on threat detection.

In fact, in July of 2023, the Department of Homeland Security issued a report to Congress with a report called “Threat Hunting.”  This nineteen-page report covers areas that include the number of services to review, the time required, and the number of personnel to deliver this service.

This initiative is one reason to listen to today’s interview with David Monnier, the CIO from Team Cymru. David is a seasoned threat hunter as well with decades of experience including a stint in the U.S. Marine Corps.

During the interview, David talks about challenges in threat hunting federal leaders contend with that range from lack of tools to undocumented baseline activity to the lack of executive-level support.

He begins with the simple identification of an IP address that a federal leader may have uncovered in a threat analysis. Many questions must be asked:  Is it just you or is someone spraying the entire Internet? When was this discovered? What do other organizations have to say about this IP address?

David expands on what is called “pure signal.”  This is a concept that gives you an understanding of the source of these events and what infrastructure this malicious code can be found in. Real threat intelligence gives you the tools to put attacks into perspective.

One final concept is although federal-based threat hunters have a great capability, not even sophisticated federal threat-hunting systems have the kind of experience in the commercial world to be able to understand the nuances of today’s sophisticated attacks.