The Evolution of the Cyber Hunter
DISA matures its skill in stalking network threats.
BY GEORGE I.

The U.S. Defense Department’s cyber warriors continue to improve their ability to sniff out intruders who sneak past the defenses at the network’s perimeter—a perimeter that is disintegrating with the march toward mobile devices.

Cyber hunting is a more proactive approach to locating network threats. (See also “In Cyberspace, It’s Always Hunting Season,” page 29.) It offers the opportunity to observe and analyze an adversary’s actions, and it provides insights into a network intruder’s tactics, techniques and procedures. Actively hunting for cyberthreats also enhances investigatory capabilities, explains Roger Greenwell, chief of cybersecurity and authorizing official, Office of the Risk Management Executive, Defense Information Systems Agency (DISA). “As we collect more data, bringing that together gives you a much better ability to deal with the investigation of an incident that may be detected on the network without having to go back and do post-forensic gathering of data. You would already have a lot of that information readily available to support incident analysis,” Greenwell says.

In an article posted on the DISA website, agency officials list three components to cyber hunting: cyber protection teams, integrated security and identity management. The cyber protection teams under DISA’s control receive extensive training, including immersion training alongside red teams responsible for finding vulnerabilities. The teams also receive enhanced training on tools and systems that provide broad visibility across the Department of Defense Information Network (DODIN).

John Hickey, DISA’s cyber development executive, underscores in the DISA online article the need for industry to deliver integrated security capabilities. Along those lines, officials tout milCloud 2.0, a commercial-grade private cloud being built exclusively for defense customers. The system is expected to increase security, save money and reduce the number of separate clouds serving the defense community.

In the area of identity management, DISA is working on derived credentials and form-factor initiatives to support mobile devices, including tablets and laptops. Adversaries, regardless of their origins, are going after credentials, which give them access to key information. Whether they gain entry through phishing activities or as insiders, the credentials are the literal keys. Once in, the intruders will move laterally through the networks to seek out stronger credentials for further access, the online article explains.

The concept of cyber hunting always has been a part of protecting the Defense Department’s networks, but it originally