Government Employees May Need to Update Threat Hunting Perspectives
As Congress considers expanding threat hunting programs into the private sector, a majority of federal workers surveyed last year didn’t seem to have a clue about such efforts within their own agencies.

Only 29% of almost a thousand government employees surveyed were able to say whether their agency practiced proactive threat hunting. Going into next year, that may need to change given provisions in the National Defense Authorization Act currently in consideration. 

Versions of the legislation passed by both the House and Senate have called for the secretary of Homeland Security to assess the ability of the Cybersecurity and Infrastructure Security Agency to conduct threat hunting activities across the federal government and the private sector.   

Lawmakers in the House have also laid out details for what a threat hunting program would look like within the defense industrial base. It would require participating entities to address any vulnerabilities identified and provide incentives for the private sector to also share information it finds with the government.   

Threat hunting, according to cybersecurity firm CrowdStrike, relies on human intelligence to investigate and identify potential threats weeks or even months in advance of when they would be detected by relying solely on automated tools. 

The survey, published in May 2019, was conducted by the Government Business Council, with 70% of respondents describing themselves as at least somewhat familiar with their organization’s cybersecurity programs. It suggests agencies may have kept rank and file workers in the dark about threat hunting programs. GBC is a division of Government Executive Media Group, Nextgov’s parent company. 

“It is not uncommon for agencies to keep knowledge of threat hunting programs and practices to limited personnel,” the survey reads. “As would be expected, nearly two-thirds of respondents are not familiar with their organization’s threat hunting practices.”

The survey was then narrowed to the roughly 200 individuals who did claim to know something about their organization’s work in this area. Even then, knowledge of specifics was shaky.

“51% of respondents do not know how long it takes for their organization to detect an active attacker to the network, despite having familiarity with cybersecurity programs,” according to the survey. “While one-third say it takes only a few hours to detect threats, another 14% say identifying a threat can take a matter of days to several weeks on average.”

Additionally, only 19% of respondents see value in open source threat hunting tools, which, according to the survey report, are increasingly recommended by cyber professionals.

The GBC survey also noted that more respondents (36%) highlight the need for expanding automated tools than for recruiting staff who can provide investigative oversight (32%).