Discussion with Senior Cyber Threat Hunter SME, Technica Corporation
Cyber Threat Hunt Data Sharing
During my six years as a cyber security analyst with the U.S. Navy, I worked every day on hardening the networks our teams supported by identifying vulnerabilities and anomalies that could be harmful. The typical protocol followed, when identifying a piece of malware, was to file a report and notify my supervisor. That threat information was added to a more extensive database of threats, and I would move forward searching for the next potential attack. The challenge I faced was that much of my work was completed in an individual silo with little knowledge of the threats my colleagues in the Navy, the other service branches, and even the federal government faced.
The Department of Defense needs a method for cyber defense teams to communicate better about classified threat information, something the team here at Technica has begun to investigate. The idea is to create a social media-like portal where Cyber Protection Teams (CPTs) can share information in a classified environment.
Building a ‘Cyber Facebook’
Social media platforms like Facebook give users both a feed of information from the people and groups they follow and the opportunity to comment and engage in real-time discussions. A classified, cyber-Facebook-like platform would offer similar capabilities, allowing users to upload verified findings into a shared portal that other users can query for comparable results.
In theory, if a CPT found a threat named 123Hacked.exe, an analyst on that team could open the database, search for the Indicator of Compromise (IOC), and read what other team members had written about it. That analyst could then assess the threat, add comments to expand the conversation, or create the initial post if they were the first to find the threat.
The message board would allow team members to ask general questions or reach out directly to ask more specific questions. If an analyst saw something unclear in the information captured, they could create a post asking other teams or the intelligence community for additional insight.
Providing Immediate Insight
While the Department of Defense and the Department of Homeland Security continue to push the development of threat-sharing platforms between organizations, this idea is aimed at the front-line analyst community. The Facebook-like platform would directly connect threat hunters working in a classified environment and improve their individual ability to identify and defuse malicious threats more quickly.
Of course, the environment’s security would be paramount, and the platform would live inside a secured DoD or Intelligence Agency technology enclave. This capability would have greatly assisted me during my time in the Navy. I often lacked the contextual information needed to understand a threat, and additional input from similarly skilled security analysts would have been invaluable.
The Technica Difference
This idea is still in the concept stage, but it is something we at Technica continue to explore within our Innovation, Research & Development organization. Designing, creating, and testing new technologies and concepts is what sets Technica apart from other cybersecurity companies, and as a Cyber Threat Hunter, I am excited to work in this type of environment. As we further research this idea, what thoughts and feedback does the classified cyber threat analyst community have? We would love to hear from you.
We want to hear your thoughts and ideas on this concept. Reply to this post, email us at firstname.lastname@example.org, or read this post on Medium, ‘Cyber Threat Hunt Data Sharing for the Classified Community’, where you can contribute to the conversation!