Detecting the Unknown – A Guide to Threat Hunting by UK Government

The National Cyber Security Strategy 2016-2021 details the UK government’s investment in cyber security, with the vision for 2021 that the UK will be secure and resilient to cyber threats while prosperous and confident in the digital world.

To achieve this, government departments are currently investing in improvements to their own cyber security to meet the Minimum Cyber Security Standard (MCSS), published by the Cabinet Office in June 2018; however, departments should take the opportunity to start investing in the mobilisation and development of their Threat Hunting capabilities.
Threat Hunting, often referred to as Incident Response without the Incident, is an emergent activity that comprises the proactive, iterative, and human-centric identification of cyber threats that are already inside an Information Technology network and have evaded existing security controls. Departments that operate a Threat Hunting capability will improve their security posture and hence reduce risk, as malicious activity can be identified earlier in an attack, thereby minimising the opportunity for adversaries to disrupt, damage or steal.
Departments must create an enabling environment for their Threat Hunting function, by providing enablers such as Cyber Threat Intelligence, relevant data from across the estate, and appropriate investment in people, processes and tools. A joined-up approach to Threat Hunting should be taken across HM Government, where collaboration ensures that the improvements to our collective cyber security from Threat Hunting are greater than that of each department’s own efforts, while helping to develop the next generation of the UK’s defenders.
This guide, produced via a literature review and engagements with public and private sector organisations, provides recommendations for Security Operations Centres (SOCs), government departments, and across HM Government, to detect unknown malicious activity through development of Threat Hunting as both a capability and a profession.
This guide’s key findings are:
- Operate a SOC-based Threat Hunting capability to reduce risk, via the appointment of a Threat Hunting Lead, implementation of a formalised process such as our Extended Hunting Loop, and adoption of our Capability Maturity Model to aid development
- Enable the Threat Hunting function to improve the Return on Security Investment, via adoption of a standardised framework such as MITRE’s ATT&CK™ for Enterprise, by appropriately investing in the development of people, and by providing essential data visibility
- Leverage HM Government to develop the Threat Hunter role by collaborating between departments, setting common standards for departments and suppliers, and collectively developing the Threat Hunting profession