Rami Puzis,Polina Zilberman,Yuval Elovici

DOI: https://doi.org/10.48550/arXiv.2003.03663

2020-03-07

Cryptography and Security

Abstract:Attackers rapidly change their attacks to evade detection. Even the most sophisticated Intrusion Detection Systems that are based on artificial intelligence and advanced data analytic cannot keep pace with the rapid development of new attacks. When standard detection mechanisms fail or do not provide sufficient forensic information to investigate and mitigate attacks, targeted threat hunting performed by competent personnel is used. Unfortunately, many organization do not have enough security analysts to perform threat hunting tasks and today the level of automation of threat hunting is low. In this paper we describe a framework for agile threat hunting and forensic investigation (ATHAFI), which automates the threat hunting process at multiple levels. Adaptive targeted data collection, attack hypotheses generation, hypotheses testing, and continuous threat intelligence feeds allow to perform simple investigations in a fully automated manner. The increased level of automation will significantly boost the analyst's productivity during investigation of the harshest cases. Special Workflow Generation module adapts the threat hunting procedures either to the latest Threat Intelligence obtained from external sources (e.g. National CERT) or to the likeliest attack hypotheses generated by the Attack Hypotheses Generation module. The combination of Attack Hypotheses Generation and Workflows Generation enables intelligent adjustment of workflows, which react to emerging threats effectively.

Boubakr Nour,Makan Pourzandi,Rushaan Kamran Qureshi,Mourad Debbabi

DOI: https://doi.org/10.1109/tnsm.2024.3378972

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Threat hunting is a proactive security defense line exercised to uncover attacks that could circumvent conventional detection mechanisms. It is based on an iterative approach to generate, inspect, and revise attack hypotheses. The quality of these hypotheses is essential to prove/refute the existence of an attack. Today, attack hypotheses are often generated manually by security analysts. The generation process requires elusive expertise, is costly, and is prone to produce a large number of irrelevant hypotheses without considering the attack variants. In this paper, we address the aforementioned challenges by designing AUTOMA, a solution that automates the generation of relevant hypotheses and their variants using knowledge discovery. AUTOMA incorporates the system telemetry in combination with a knowledge base of existing attacks, techniques, and their relationships to mine the most relevant hypotheses. In order to increase the relevance of the generated hypotheses, AUTOMA examines these hypotheses by applying matching-based similarity, success, likelihood, and criticality evaluations. These evaluations are based on the past occurrences of the techniques part of a hypothesis in the system telemetry and the knowledge base. Additionally, AUTOMA uses sequence success, sequence alignment, and hierarchical similarity approach for generating potential attack variants of a hypothesis taking into account the dynamism and stealthiness of attackers in coming up with alternative attack steps. We extensively evaluate the effectiveness and efficiency of AUTOMA using a real dataset for 284 attack campaigns distributed over 57 advanced persistent threats. The obtained results show that AUTOMA is able to generate the relevant hypothesis (top 3), with a large reduction rate (up to 99%), and fast execution time (up to 8 minutes for proposing the relevant hypothesis and 10 seconds for variants generation).

computer science, information systems

Peng Gao,Fei Shao,Xiaoyuan Liu,Xusheng Xiao,Zheng Qin,Fengyuan Xu,Prateek Mittal,Sanjeev R. Kulkarni,Dawn Song

DOI: https://doi.org/10.1109/icde51399.2021.00024

2020-01-01

Abstract:Log-based cyber threat hunting has emerged as an important solution to counter sophisticated attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we propose ThreatRaptor, a system that facilitates threat hunting in computer systems using OSCTI. Built upon system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query for hunting, and (4) an efficient query execution engine to search the big audit logging data. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.

Zahra Jadidi,Yi Lu

DOI: https://doi.org/10.1109/access.2021.3133260

IF: 3.9

2021-01-01

IEEE Access

Abstract:An Industrial Control System (ICS) adversary often takes different actions to exploit vulnerabilities, pass the border between Information Technology (IT) and Operational Technology (OT) networks, and launch a targeted attack against OT networks. Detecting these threat actions in early phases before the final stage of the attacks can be executed against industrial endpoints can help prevent adversaries from achieving their goals. Threat hunting in IT networks has been previously studied, and several hunting methods have been proposed. However, these methods are not sufficient for ICSs, as the integration of industrial legacy systems with advanced IT networks has introduced new types of vulnerabilities and changed the behaviour of attacks. The lack of a unified hunting solution for integrated IT and OT networks is the gap that is considered in our paper. The contribution of this paper is an ICS Threat Hunting Framework (ICS-THF) which focuses on detecting cyber threats against ICS devices in the earliest phases of the attack lifecycle. ICS-THF consists of three stages, threat hunting triggers, threat hunting, and cyber threat intelligence. The threat hunting trigger stage identifies events or external resources that can trigger the hunting stage. The hunting stage uses a combination of the MITRE ATT&CK Matrix and a Diamond model of intrusion analysis to generate a hunting hypothesis and to predict the future behaviour of the adversary. This hypothesis will be validated by analysing Diamond models of threat actions. Finally, the cyber threat intelligence stage is responsible for generating Indicators of Compromise (IoCs) to be used for future threat hunting. The Black Energy 3 malware, PLC-Blaster malware, and SWaT dataset are used in this paper to evaluate the efficiency of the proposed framework.

Peng Gao,Fei Shao,Xiaoyuan Liu,Xusheng Xiao,Haoyuan Liu,Zheng Qin,Fengyuan Xu,Prateek Mittal,Sanjeev R. Kulkarni,Dawn Song

DOI: https://doi.org/10.1109/icde51399.2021.00309

2021-04-01

Abstract:Log-based cyber threat hunting has emerged as an important solution to counter sophisticated cyber attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external knowledge about threat behaviors provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI. Built upon mature system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors, and (4) an efficient query execution engine to search the big system audit logging data.

Ángel Casanova Bienzobas,Alfonso Sánchez-Macián

2023-10-06

Abstract:Threat hunting is a proactive methodology for exploring, detecting and mitigating cyberattacks within complex environments. As opposed to conventional detection systems, threat hunting strategies assume adversaries have infiltrated the system; as a result they proactively search out any unusual patterns or activities which might indicate intrusion attempts. Historically, this endeavour has been pursued using three investigation methodologies: (1) Hypothesis-Driven Investigations; (2) Indicator of Compromise (IOC); and (3) High-level machine learning analysis-based approaches. Therefore, this paper introduces a novel machine learning paradigm known as Threat Trekker. This proposal utilizes connectors to feed data directly into an event streaming channel for processing by the algorithm and provide feedback back into its host network. Conclusions drawn from these experiments clearly establish the efficacy of employing machine learning for classifying more subtle attacks.

Cryptography and Security

Dorel Yaffe,Danny Hendler

DOI: https://doi.org/10.1007/978-3-030-78086-9_29

2021-03-30

Abstract:In recent years malware has become increasingly sophisticated and difficult to detect prior to exploitation. While there are plenty of approaches to malware detection, they all have shortcomings when it comes to identifying malware correctly prior to exploitation. The trade-off is usually between false positives, causing overhead, preventing normal usage and the risk of letting the malware execute and cause damage to the target. We present a novel end-to-end solution for in-memory malicious activity detection done prior to exploitation by leveraging machine learning capabilities based on data from unique run-time logs, which are carefully curated in order to detect malicious activity in the memory of protected processes. This solution achieves reduced overhead and false positives as well as deployment simplicity. We implemented our solution for Windows-based systems, employing multi disciplinary knowledge from malware research, machine learning, and operating system internals. Our experimental evaluation yielded promising results. As we expect future sophisticated malware may try to bypass it, we also discuss how our solution can be extended to thwart such bypassing attempts.

Cryptography and Security,Machine Learning

Pankaj Kumar,Mohammad Wazid,D. P. Singh,Jaskaran Singh,Ashok Kumar Das,Youngho Park,Joel J. P. C. Rodrigues

DOI: https://doi.org/10.1002/spy2.312

2023-03-18

Security and Privacy

Abstract:Cyber threat hunting proactively searches for cyber threats, which are undetected by the traditional defense mechanisms. It scans deep to identify malicious programs (ie, malware) that escape from detection. It is important because sophisticated cyber threats can bypass the cyber security mechanisms. The performance of the cyber threat hunting can be improved through artificial intelligence (AI), especially, explainable AI (XAI), which adds trust component to the cyber threat hunting process. Due to the inclusion of XAI, the security experts get the full explanations of the detected threats as the working of the detection model in XAI is known. Information, like, which one is a threat, how it has been detected, and why it has been detected, can be obtained very easily due to the inclusion of XAI in the cyber threat hunting. Therefore, an XAI‐envisioned mechanism for cyber threat hunting has been proposed (in short, XAISM‐CTH). The network and threat models of XAISM‐CTH are designed and discussed. The conducted security analysis proves the security of XAISM‐CTH against various potential attacks. XAISM‐CTH also performs better than the other existing schemes. At the end, a practical implementation of XAISM‐CTH has been provided to observe its impact on the performance of the system.

Rami Sihwail,Khairuddin Omar,Khairul Akram Zainol Ariffin,Sanad Al Afghani,Khairul Zainol Ariffin

DOI: https://doi.org/10.3390/app9183680

2019-09-05

Applied Sciences

Abstract:The need to detect malware before it harms computers, mobile phones and other electronic devices has caught the attention of researchers and the anti-malware industry for many years. To protect users from malware attacks, anti-virus software products are downloaded on the computer. The anti-virus mainly uses signature-based techniques to detect malware. However, this technique fails to detect malware that uses packing, encryption or obfuscation techniques. It also fails to detect unseen (new) ones. This paper proposes an integrated malware detection approach that applies memory forensics to extract malicious artifacts from memory and combines them to features extracted during the execution of malware in a dynamic analysis. Pre-modeling techniques were also applied for feature engineering before training and testing the data set on the machine learning models. The experimental results show a significant improvement in both detection accuracy rate and false positive rate, 98.5% and 1.7% respectively, by applying the support vector machine. The results verify that our integrated analysis approach outperforms other analysis methods. In addition, the proposed approach overcomes the limitation of single path file execution in dynamic analysis by adding more relevant memory artifacts that can reveal the real intention of malicious files.

Mohammed Nasereddin,Raad Al-Qassas

DOI: https://doi.org/10.1007/s10207-024-00836-w

2024-03-17

International Journal of Information Security

Abstract:This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents. A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached with a false-positive rate of . Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.

computer science, information systems, theory & methods, software engineering

Ahmed Aly,Shahrear Iqbal,Amr Youssef,Essam Mansour

DOI: https://doi.org/10.1109/tifs.2024.3396390

IF: 7.231

2024-05-14

IEEE Transactions on Information Forensics and Security

Abstract:The stealthy and persistent nature of Advanced Persistent Threats (APTs) makes them one of the most challenging cyber threats to uncover. Several systems adopted the development of provenance-graph-based security solutions to capture this persistent nature. Provenance graphs (PGs) represent system audit logs by connecting system entities using causal relations and information flows. Hunting APTs demands the processing of ever-growing large-scale PGs of audit logs for a wide range of activities over months or years, i.e., multi-terabyte graphs. Existing APT hunting systems are typically memory-based, which suffers colossal memory consumption, or disk-based, which suffers from performance hits. Therefore, these systems are hard to scale in terms of graph size or time performance. In this paper, we propose MEGR-APT, a scalable APT hunting system to discover suspicious subgraphs matching an attack scenario (query graph) published in Cyber Threat Intelligence (CTI) reports. MEGR-APT hunts APTs in a twofold process: (i) memory-efficient extraction of suspicious subgraphs as search queries over a graph database, and (ii) fast subgraph matching based on graph neural network (GNN) and our effective attack representation learning. We compared MEGR-APT with state-of-the-art (SOTA) APT systems using popular APT benchmarks, such as DARPA TC3 and OpTC. We also tested it using a real enterprise dataset. MEGR-APT achieves an order of magnitude reduction in memory consumption while achieving comparable performance to SOTA in terms of time and accuracy.

computer science, theory & methods,engineering, electrical & electronic

Syed Shakir Hameed Shah,Abd Rahim Ahmad,Norziana Jamil,Atta ur Rehman Khan

DOI: https://doi.org/10.3390/electronics11162579

IF: 2.9

2022-08-19

Electronics

Abstract:Malware has recently grown exponentially in recent years and poses a serious threat to individual users, corporations, banks, and government agencies. This can be seen from the growth of Advanced Persistent Threats (APTs) that make use of advance and sophisticated malware. With the wide availability of computer-automated tools such as constructors, email flooders, and spoofers. Thus, it is now easy for users who are not technically inclined to create variations in existing malware. Researchers have developed various defense techniques in response to these threats, such as static and dynamic malware analyses. These techniques are ineffective at detecting new malware in the main memory of the computer and otherwise require considerable effort and domain-specific expertise. Moreover, recent techniques of malware detection require a long time for training and occupy a large amount of memory due to their reliance on multiple factors. In this paper, we propose a computer vision-based technique for detecting malware that resides in the main computer memory in which our technique is faster or memory efficient. It works by taking portable executables in a virtual environment to extract memory dump files from the volatile memory and transform them into a particular image format. The computer vision-based contrast-limited adaptive histogram equalization and the wavelet transform are used to improve the contrast of neighboring pixel and to reduce the entropy. We then use the support vector machine, random forest, decision tree, and XGBOOST machine learning classifiers to train the model on the transformed images with dimensions of 112 × 112 and 56 × 56. The proposed technique was able to detect and classify malware with an accuracy rate of 97.01%. Its precision, recall, and F1-score were 97.36%, 95.65%, and 96.36%, respectively. Our finding shows that our technique in preparing dataset with more efficient features to be trained by the Machine Learning classifiers has resulted in significant performance in terms of accuracy, precision, recall, F1-score, speed and memory consumption. The performance has superseded most of the existing techniques in its unique approach.

engineering, electrical & electronic,computer science, information systems,physics, applied

Cheol-Gyu Yi,Young-Gab Kim

DOI: https://doi.org/10.1109/mcom.001.2300224

IF: 9.03

2024-10-11

IEEE Communications Magazine

Abstract:Cyber attackers are rapidly developing their attack tactics and techniques, and their threats already pose a great danger to the world. Using cyber threat intelligence, security analysts make attack reconstruction possible, and human analysts are mainly responsible for the analysis of security system alerts. A cyber threat hunting hypothesis typically addresses the type of threat being hunted and how it is discovered. In this study, we propose a five-step hypothesis generation model for cyber threat hunting. The proposed model leverages proactive indicators of attack (IOAs) and information technology (IT) asset information related to network security, and correlates them with indicators of compromise (IOCs), defines the structure of hypothesis, and presents the attack domains-based hypothesis generation method for the formation of complicated hypotheses. In addition, it provides an approach to prioritizing the hypotheses.

telecommunications,engineering, electrical & electronic

Phani Lanka,Khushi Gupta,Cihan Varol

DOI: https://doi.org/10.3390/electronics13132465

IF: 2.9

2024-06-25

Electronics

Abstract:Security adversaries are rampant on the Internet, constantly seeking vulnerabilities to exploit. The sheer proliferation of these sophisticated threats necessitates innovative and swift defensive measures to protect the vulnerable infrastructure. Tools such as honeypots effectively determine adversary behavior and safeguard critical organizational systems. However, it takes a significant amount of time to analyze these attacks on the honeypots, and by the time actionable intelligence is gathered from the attacker's tactics, techniques, and procedures (TTPs), it is often too late to prevent potential damage to the organization's critical systems. This paper contributes to the advancement of cybersecurity practices by presenting a cutting-edge methodology, capitalizing on the synergy between artificial intelligence and threat analysis to combat evolving cyber threats. The current research articulates a novel strategy, outlining a method to analyze large volumes of attacker data from honeypots utilizing large language models (LLMs) to assimilate TTPs and apply this knowledge to identify real-time anomalies in regular user activity. The effectiveness of this model is tested in real-world scenarios, demonstrating a notable reduction in response time for detecting malicious activities in critical infrastructure. Moreover, we delve into the proposed framework's practical implementation considerations and scalability, underscoring its adaptability in diverse organizational contexts.

engineering, electrical & electronic,computer science, information systems,physics, applied

Muhammad Rashid Naeem,Mansoor Khan,Ako Muhammad Abdullah,Fazal Noor,Muhammad Ijaz Khan,Muhammad Asghar Khan,Insaf Ullah,Shah Room

DOI: https://doi.org/10.1155/2022/9156514

2022-10-03

Mobile Information Systems

Abstract:With the introduction of 4G/5G Internet and the increase in the number of users, the malicious cyberattacks on computing devices have been increased making them vulnerable to external threats. High availability windows servers are designed to ensure delivery of consistent services such as business activities and e-services to their customers without any interruption. At the same time, a cyberattack on any of the clustered computer can put servers and customer devices in danger. A memory dump mechanism can capture the contents of memory in the event of a system or device crash such as corrupted files, damaged hardware, or irregular CPU power consumption. In this paper, we present a smart memory forensics scheme to recognize malicious attacks over high availability servers by capturing the memory dump of suspicious processes in the form of RGB visual images. Second, the local and global properties of malware images are captured using local binary patterns (LBP) and gray-level co-occurrence matrices (GLCM). A state-of-the-art t-distributed stochastic neighbor embedding scheme (t-SNE) is applied to reduce data dimensionality and improve the detection time of unknown malwares and their variants. An optimized CNN model is designed to predict malicious files harming servers or user devices. Throughout this study, we employed public data set of 4294 malicious samples covering malware variants and benign executables. A baseline is prepared to compare the performance of proposed model with state-of-the-art malware detection methods. The combined LBP + GLCM feature extraction along with t-SNE dimensionality reduction scheme further improved the detection accuracy by 98%, whereas the detection time is also increased by 73x. The overall performance shows that memory forensics is more effective for malware detection in terms accuracy and response time.

computer science, information systems,telecommunications

Imtiyaz Gulbarga Mohammad,Nurlan Shaidullaev,,

DOI: https://doi.org/10.17015/aas.2023.231.49

2023-01-30

Alatoo Academic Studies

Abstract:Memory analysis is essential for spotting malicious programs since it can record a variety of traits and behaviors. The detection rate and sophisticated malware obfuscation are two major challenges in malware detection, even though there has been a lot of research in the area. An effective framework that focuses on identifying obfuscation and hidden malware is desperately needed because advanced malware employs obfuscation and other tactics to avoid detection. The VolMemLyzer has been improved in this study to focus on hidden and obfuscated malware when used with a stacked ensemble machine learning model to build a framework for effectively identifying malware. It is one of the most updated memory feature extractors for learning systems.

Zichen Wang

DOI: https://doi.org/10.48550/arXiv.2212.05310

2022-12-10

Cryptography and Security

Abstract:Since the term "Cyber threat hunting" was introduced in 2016, there have been a rising trend of proactive defensive measure to create more cyber security. This research will look into peer reviewed literature on the subject of cyber threat hunting. Our study shows an increase in the field with methods of machine learning.\\ Keywords: Cyber threat, Cyber security, threat hunting , security system, data driven, Intel, analytic driven, TTPs

Zaid Almahmoud,Paul D Yoo,Omar Alhussein,Ilyas Farhat,Ernesto Damiani

DOI: https://doi.org/10.1038/s41598-023-35198-1

2023-05-17

Abstract:Traditionally, cyber-attack detection relies on reactive, assistive techniques, where pattern-matching algorithms help human experts to scan system logs and network traffic for known virus or malware signatures. Recent research has introduced effective Machine Learning (ML) models for cyber-attack detection, promising to automate the task of detecting, tracking and blocking malware and intruders. Much less effort has been devoted to cyber-attack prediction, especially beyond the short-term time scale of hours and days. Approaches that can forecast attacks likely to happen in the longer term are desirable, as this gives defenders more time to develop and share defensive actions and tools. Today, long-term predictions of attack waves are mostly based on the subjective perceptiveness of experienced human experts, which can be impaired by the scarcity of cyber-security expertise. This paper introduces a novel ML-based approach that leverages unstructured big data and logs to forecast the trend of cyber-attacks at a large scale, years in advance. To this end, we put forward a framework that utilises a monthly dataset of major cyber incidents in 36 countries over the past 11 years, with new features extracted from three major categories of big data sources, namely the scientific research literature, news, blogs, and tweets. Our framework not only identifies future attack trends in an automated fashion, but also generates a threat cycle that drills down into five key phases that constitute the life cycle of all 42 known cyber threats.

Rahmat Budiarto,Ahmad A. Alqarni,Mohammed Y. Alzahrani,Muhammad Fermi Pasha,Mohamed Fazil Mohamed Firdhous,Deris Stiawan

DOI: https://doi.org/10.32604/cmc.2022.019847

2022-01-01

Abstract:As nearly half of the incidents in enterprise security have been triggered by insiders, it is important to deploy a more intelligent defense system to assist enterprises in pinpointing and resolving the incidents caused by insiders or malicious software (malware) in real-time. Failing to do so may cause a serious loss of reputation as well as business. At the same time, modern network traffic has dynamic patterns, high complexity, and large volumes that make it more difficult to detect malware early. The ability to learn tasks sequentially is crucial to the development of artificial intelligence. Existing neurogenetic computation models with deep-learning techniques are able to detect complex patterns; however, the models have limitations, including catastrophic forgetfulness, and require intensive computational resources. As defense systems using deep-learning models require more time to learn new traffic patterns, they cannot perform fully online (on-the-fly) learning. Hence, an intelligent attack/malware detection system with on-the-fly learning capability is required. For this paper, a memory-prediction framework was adopted, and a simplified single cell assembled sequential hierarchical memory (s.SCASHM) model instead of the hierarchical temporal memory (HTM) model is proposed to speed up learning convergence to achieve on-the-fly learning. The s.SCASHM consists of a Single Neuronal Cell (SNC) model and a simplified Sequential Hierarchical Superset (SHS) platform. The s.SCASHM is implemented as the prediction engine of a user behavior analysis tool to detect insider attacks/anomalies. The experimental results show that the proposed memory model can predict users’ traffic behavior with accuracy level ranging from 72% to 83% while performing on-the-fly learning.

Alessandra Maciel Paz Milani,Arty Starr,Samantha Hill,Callum Curtis,Norman Anderson,David Moreno-Lumbreras,Margaret-Anne Storey

2024-08-08

Abstract:With security threats increasing in frequency and severity, it is critical that we consider the important role of threat hunters. These highly-trained security professionals learn to see, identify, and intercept security threats. Many recent works and existing tools in cybersecurity are focused on automating the threat hunting process, often overlooking the critical human element. Our study shifts this paradigm by emphasizing a human-centered approach to understanding the lived experiences of threat hunters. By observing threat hunters during hunting sessions and analyzing the rich insights they provide, we seek to advance the understanding of their cognitive processes and the tool support they need. Through an in-depth observational study of threat hunters, we introduce a model of how they build and refine their mental models during threat hunting sessions. We also present 23 themes that provide a foundation to better understand threat hunter needs and five actionable design propositions to enhance the tools that support them. Through these contributions, our work enriches the theoretical understanding of threat hunting and provides practical insights for designing more effective, human-centered cybersecurity tools.

Cryptography and Security,Human-Computer Interaction