RA.L3-3.11.2e
-
Requirement
Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications warrant, to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
-
Discussion
Threat hunting is an active means of defense that contrasts with traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management (SIEM) technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indicators of compromise are forensic artifacts from intrusions that are identified on organizational systems at the host or network level and can include unusual network traffic, unusual file changes, and the presence of malicious code.
Threat hunting teams use existing threat intelligence and may create new threat information, which may be shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies. Threat indicators, signatures, tactics, techniques, procedures, and other indicators of compromise may be available via government and non-government cooperatives, including Forum of Incident Response and Security Teams, United States Computer Emergency Response Team, Defense Industrial Base Cybersecurity Information Sharing Program, and CERT Coordination Center.
[NIST SP 800-30] provides guidance on threat and risk assessments, risk analyses, and risk modeling. [NIST SP 800-160-2] provides guidance on systems security engineering and cyber resiliency. [NIST SP 800-150] provides guidance on cyber threat information sharing.
-
Further Discussion
For this requirement, threat hunting is conducted on an ongoing aperiodic basis. Ongoing aperiodic refers to activities that happen over and over but without an identifiable repeating pattern over time. For threat hunting, ongoing activities take place in an automated manner (e.g., collecting logs, automated analysis, and alerts). Aperiodicity includes humans performing the hunt activities, which take place on an as-needed or as-planned basis.
APTs can penetrate an environment by means that defeat or avoid conventional monitoring methods and alert triggers—for example, by using zero-day attacks. Zero-day attacks become known only after the attack has happened and alerts are sent via threat intelligence feeds based on expert analysis. Because of the nature of zero-day attacks, automated alerts do not generally trigger when the event occurs, but the activity is captured in system logs and forwarded for analysis and retention by the SIEM. Threat intelligence information is typically used by hunt teams to search SIEM systems, system event and security logs, and other components to identify activity that has already taken place in an environment. The hunt team will identify systems related to the event(s) and pass the case to the Incident Response team for action on the event(s). The hunt team will also use indicators to identify smaller components of an attack and search for that activity, which may help uncover a broader attack on the environment.
Threat hunting can also look for anomalous behavior or activity based on an organization’s normal pattern of activity. Understanding the roles and information flows within an organization can help identify activity that might be indicative of adversary behavior before the adversary completes their attack or mission.
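The baseline-driven hunt described above, as an added example that is not part of the original guidance: each account's normal hosts and working hours are learned from a past window of authentication events, and events in the hunt window that use a host or hour outside that pattern, or an account never seen before, are surfaced for an analyst. The account names, hostnames and timestamps are constructed placeholders, and the two-field profile (hosts, hours) is an assumption chosen to keep the example short; a production baseline would add information flows such as source network, peer systems and data volume.

```python
"""Baseline-driven hunt for anomalous account activity (added example, not from the page)."""
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed authentication events: (UTC timestamp, account, host). Account and
# host names are placeholders invented for this example.
BASELINE_EVENTS = [
    ("2024-04-01T08:05:00Z", "jdoe", "hr-app-01"),
    ("2024-04-01T13:40:00Z", "jdoe", "ws-117"),
    ("2024-04-02T09:12:00Z", "jdoe", "hr-app-01"),
    ("2024-04-02T17:30:00Z", "jdoe", "ws-117"),
    ("2024-04-01T02:00:00Z", "svc-backup", "db-01"),
    ("2024-04-02T02:00:00Z", "svc-backup", "db-01"),
    ("2024-04-03T02:00:00Z", "svc-backup", "db-01"),
]
HUNT_EVENTS = [
    ("2024-05-02T09:10:00Z", "jdoe", "hr-app-01"),     # within pattern
    ("2024-05-03T03:22:00Z", "jdoe", "db-01"),         # new host, off-hours
    ("2024-05-03T02:00:00Z", "svc-backup", "db-01"),   # within pattern
    ("2024-05-03T14:05:00Z", "svc-backup", "ws-117"),  # service account on a workstation, daytime
    ("2024-05-04T10:00:00Z", "mallory", "hr-app-01"),  # account never seen in the baseline
]


def build_baseline(events):
    """Learn each account's normal hosts and working hours from past events."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host in events:
        hour = datetime.strptime(ts, TS_FMT).hour
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(hour)
    return dict(profile)


def score_event(baseline, event):
    """Return the reasons an event departs from the account's baseline (empty list = normal)."""
    ts, user, host = event
    if user not in baseline:
        return ["unknown_user"]
    reasons = []
    if host not in baseline[user]["hosts"]:
        reasons.append("new_host")
    hour = datetime.strptime(ts, TS_FMT).hour
    # Tolerate one hour either side of every hour seen in the baseline.
    usual = {(h + d) % 24 for h in baseline[user]["hours"] for d in (-1, 0, 1)}
    if hour not in usual:
        reasons.append("off_hours")
    return reasons


def hunt_anomalies(baseline, events):
    """Run every hunt-window event against the baseline and keep only the deviations."""
    findings = []
    for event in events:
        reasons = score_event(baseline, event)
        if reasons:
            findings.append({"ts": event[0], "user": event[1], "host": event[2], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_anomalies(build_baseline(BASELINE_EVENTS), HUNT_EVENTS):
        print(f"{f['ts']} {f['user']:<11} {f['host']:<10} {', '.join(f['reasons'])}")
```

Running the module prints three findings: the `jdoe` logon to `db-01` at 03:22 (new host, off-hours), the `svc-backup` logon to a workstation in the afternoon (new host, off-hours), and the never-seen `mallory` account. None of these would trip a signature-based alert, which is the point of hunting on the organization's own pattern of activity rather than on external indicators alone.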
Example
You are the lead for your organization’s cyber threat hunting team. You have local and remote staff on the team to process threat intelligence. Your team is tied closely with the SOC and IR teams. Through a DoD (DC3) intelligence feed, you receive knowledge of a recent APT’s attacks on defense contractors. The intelligence feed provided the indicators of compromise for a zero-day attack that most likely started within the past month. After receiving the IOCs, you use a template for your organization to place the information in a standard format your team understands. You then email the information to your team members and place the information in your hunt team’s dashboard, which tracks all IOCs [a].
Your team starts by using the information to hunt for IOCs on the environment [b]. One of your team members quickly responds, providing information from the SIEM that an HR system’s logs show evidence that IOCs related to this threat occurred three days ago. The team contacts the owner of the system as they take the system offline into a quarantined environment. Your team pulls all logs from the system and clones the storage on the system. Members go through the logs to look for other systems that may be part of the APT’s attack [c]. While the team is cloning the storage system for evidence, you alert the IR team about the issue. After full forensics of the system, your team has verified your company has been hit by the APT, but nothing was taken and no additional attacks happened. You also alert DoD (DC3) about the finding and discuss the matter with them. There is an after action report and a briefing given to management to make them aware of the issue.
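The indicator-driven workflow from the Further Discussion and the example above, as added example code that is not part of the original page: a raw feed is normalized into one standard format, SIEM-style log lines are searched for the indicators, hits are aged so the team can see that the activity occurred days ago, a pivot step looks for other hosts that communicated with a matched host (the "smaller components of an attack" search), and an earliest-hit-per-host list is produced for hand-off to incident response. The feed rows, IP addresses, domain, hash and hostnames are all constructed placeholders, and the `key=value` log format and the fixed `NOW` timestamp are assumptions made for the example.

```python
"""IOC-driven hunt over SIEM log lines, with a pivot to related hosts (added example, not from the page)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
IOC_TYPES = {"ip", "domain", "sha256"}
# Which log fields are compared against which indicator type.
FIELD_TO_TYPE = {"dst": "ip", "src": "ip", "query": "domain", "sha256": "sha256"}

# Constructed indicator feed (type,value,description). Every value is a
# placeholder invented for this example, not a real indicator.
FAKE_HASH = "0123456789abcdef" * 4
RAW_FEED = f"""\
ip,198.51.100.23,C2 callback address
domain, UPDATE-CHECK.example ,staging domain
sha256,{FAKE_HASH.upper()},dropper
bogus,whatever,row with an unknown type is dropped
"""

# Constructed log lines as a SIEM might export them (hostnames are placeholders).
LOG_LINES = f"""\
2024-05-02T09:14:03Z host=hr-app-01 src=10.0.5.17 dst=198.51.100.23 dport=443 event=conn
2024-05-02T09:14:05Z host=hr-app-01 query=update-check.example event=dns
2024-05-03T11:02:44Z host=ws-117 src=10.0.9.40 dst=10.0.5.17 dport=445 event=conn
2024-05-04T08:00:01Z host=mail-02 src=10.0.1.3 dst=203.0.113.8 dport=25 event=conn
2024-05-05T16:20:10Z host=ws-203 sha256={FAKE_HASH} event=file_write
""".splitlines()

NOW = datetime(2024, 5, 5, 18, 0, tzinfo=timezone.utc)  # fixed "now" so ages are reproducible


def normalize_feed(text):
    """Put a raw feed into one standard shape: {type: {value: description}}.
    Values are trimmed and lower-cased so they compare equal to log fields."""
    iocs = defaultdict(dict)
    for row in text.strip().splitlines():
        parts = [p.strip() for p in row.split(",", 2)]
        if len(parts) < 2 or parts[0].lower() not in IOC_TYPES:
            continue
        desc = parts[2] if len(parts) == 3 else ""
        iocs[parts[0].lower()][parts[1].lower()] = desc
    return dict(iocs)


def parse_log(line):
    """Parse 'timestamp key=value ...' into a dict; values are lower-cased for matching."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)}
    for key, value in re.findall(r"(\w+)=(\S+)", rest):
        rec[key] = value.lower()
    return rec


def hunt(iocs, lines, now=NOW):
    """First-stage hunt: every log field that equals a known indicator is a hit."""
    hits = []
    for rec in map(parse_log, lines):
        for field, itype in FIELD_TO_TYPE.items():
            value = rec.get(field)
            if value is not None and value in iocs.get(itype, {}):
                hits.append({"host": rec["host"], "ts": rec["ts"], "field": field,
                             "ioc_type": itype, "ioc": value,
                             "age_days": (now - rec["ts"]).days})
    return hits


def pivot(hits, lines):
    """Second-stage hunt: hosts that exchanged traffic with an already-matched host,
    which is how a single hit can reveal a broader foothold."""
    matched_hosts = {h["host"] for h in hits}
    records = list(map(parse_log, lines))
    matched_ips = {r["src"] for r in records if r.get("host") in matched_hosts and "src" in r}
    return sorted({r["host"] for r in records
                   if r.get("host") not in matched_hosts
                   and (r.get("src") in matched_ips or r.get("dst") in matched_ips)})


def hosts_for_ir(hits):
    """Earliest hit per host: the hand-off list for the incident response team."""
    first_seen = {}
    for h in hits:
        if h["host"] not in first_seen or h["ts"] < first_seen[h["host"]]:
            first_seen[h["host"]] = h["ts"]
    return first_seen


if __name__ == "__main__":
    iocs = normalize_feed(RAW_FEED)
    found = hunt(iocs, LOG_LINES)
    for h in found:
        print(f"{h['host']:<10} {h['ts']:%Y-%m-%d %H:%M} {h['field']}={h['ioc']} ({h['age_days']} days ago)")
    print("pivot candidates:", pivot(found, LOG_LINES))
    print("hand-off to IR:", {host: ts.isoformat() for host, ts in hosts_for_ir(found).items()})
```

With the constructed data the first stage reports two hits on `hr-app-01` from three days before `NOW` and a file hash on `ws-203`; the pivot then names `ws-117`, which has no indicator match of its own but connected to `hr-app-01` over port 445 after the callback. Normalizing the feed before matching matters in practice: the mixed-case domain and hash in the feed would otherwise miss the lower-cased log values.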
Potential Assessment Considerations
- Does the organization have a methodology for performing cyber threat hunting actions [b,c]?
- Has the organization defined all organizational systems within scope of cyber threat hunting, including valid and approved documentation for any organization systems that are not within scope [b,c]?
- Has the organization identified a specific set of individuals to perform cyber threat hunting [b,c]?
- Does the threat hunting team have qualified staff members using the threat feed information [b,c]?
- Does the threat hunting team use combinations of events to determine suspicious behaviors [b,c]?
- Does the organization have a documented list of trusted threat feeds that are used by their cyber hunt teams as the latest indicators of compromise during their efforts [a]?
- Does the organization have a clear methodology for processing threat feed information and turning it into actionable information they can use for their threat hunting approach [a]?