While some officials have expressed a strong desire for automated cyber defense tools that operate and respond at cyber speed, a more offensive tactic involves hunt teams.
These hunt teams are real people who actively seek out threats on the network for expulsion.
Ryan Gunst, program manager at Space and Naval Warfare Systems Command, while noting he is not well versed in the hunt aspect of cyber defense, said one of the promises of hunt teams is the ability to move around resources and human capital. During a panel discussion at the annual MilCom conference in Baltimore, Maryland, on Thursday, he said hunt teams can place individuals solely involved in administrative work into an operational space where they can join the defense against cyberthreats.
Gunst's fellow panelist, Neal Ziring, technical director for the U.S. National Security Agency's capabilities division, explained how hunt teams fuse the human-machine relationship as it applies to automation.
"Eventually, we want the hunters to be able to train the machine to do some stuff for them. Hunters do some of the same [operations] or the same activities," Ziring said. "They'd like to be able to say: 'This is the third time today I've been doing this. Hey, automation tool, hey, orchestration tool, just do it for me' … in order to gain scale. So really this technology and the frameworks that we're talking about here are complementary to advanced hunt operations by turning it in from hunting in a dense forest where I can see an effect 10 feet around me to hunting out on the savanna where I can see a mile in every direction. Complementary, not replacement."
In this vein, hunt teams do rely on tools to aid their mission. David Mihelcic, chief technology officer at the Defense Information Systems Agency (DISA), explained during an AFCEA-hosted breakfast in June that there are several opportunities for industry to supply these hunt tools, which could be used "on a persistent basis to look across the information that’s available in the network to look for adversaries."
"I think we’re going to need these hunt tools for our day-to-day systems and cyber administrators so essentially they can, on a regular basis, try to use the data out of the network to identify adversaries and then pass that along to the [cyber protection teams] to actively eject them from the network," he said.
"The biggest change both in [the Department of Defense] and the commercial world … is we're going out and hunting for the enemy on a daily basis. So we have teams that are looking at that — cyber protection teams," John Hickey, DISA's cyber development executive, said at a January AFCEA-hosted breakfast.
Hunt teams, as their mission would indicate, are trained with an offensive mindset despite being on the defensive side of cyber. "They use threat intelligence that we’ve gotten from our offensive folks to actually defend and develop tool[s] [and look] for signs of an adversary" on the network, Curtis Dukes, deputy national manager for national security systems at the NSA, said in October. "Basically what we were finding was is that we needed a certain skill set to be able to be looking hard on our networks for an adversary, because we may not be able to see them from the boundary so we needed teams that could actually deploy tools and techniques in that regard."
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.







