CMMC Requirement RA.L3-3.11.2E – Threat Hunting: Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications warrant, to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
Links to Publicly Available Resources
NIST SP 800-150, Guide to Cyber Threat Information Sharing: This publication provides guidelines for establishing and participating in cyber threat information sharing relationships. This guidance helps organizations establish information sharing goals, identify cyber threat information sources, scope information sharing activities, develop rules that control the publication and distribution of threat information, engage with existing sharing communities, and make effective use of threat information in support of the organization's overall cybersecurity practices.
NIST SP 800-160, Volume 2, Developing Cyber-Resilient Systems: This publication focuses on cyber resiliency engineering, an emerging specialty systems engineering discipline applied in conjunction with systems security engineering and resilience engineering to develop survivable, trustworthy secure systems.
NIST SP 800-30, Guide for Conducting Risk Assessments: This publication provides guidance for conducting risk assessments.
Threat hunting is an active means of defense that contrasts with traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management (SIEM) technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indicators of compromise are forensic artifacts from intrusions that are identified on organizational systems at the host or network level and can include unusual network traffic, unusual file changes, and the presence of malicious code.
Threat hunting teams use existing threat intelligence and may create new threat information, which may be shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies. Threat indicators, signatures, tactics, techniques, procedures, and other indicators of compromise may be available via government and non-government cooperatives, including the Forum of Incident Response and Security Teams (FIRST), the United States Computer Emergency Response Team (US-CERT), the Defense Industrial Base Cybersecurity Information Sharing Program (DIB CS), and the CERT Coordination Center (CERT/CC).
[NIST SP 800-30] provides guidance on threat and risk assessments, risk analyses, and risk modeling. [NIST SP 800-160-2] provides guidance on systems security engineering and cyber resiliency. [NIST SP 800-150] provides guidance on cyber threat information sharing.
Further Discussion
For this requirement, threat hunting is conducted on an on-going aperiodic basis. On-going aperiodic refers to activities that recur but without an identifiable repeating pattern over time. For threat hunting, the on-going component is carried out in an automated manner (e.g., collecting logs, automated analysis, and alerts). The aperiodic component is the human-driven hunting, which takes place on an as-needed or as-planned basis rather than on a fixed schedule.
APTs can penetrate an environment by means that defeat or avoid conventional monitoring methods and alert triggers, for example by using zero-day attacks. A zero-day attack becomes known only after it has occurred, when threat intelligence feeds publish alerts based on expert analysis of the attack. Because of this, automated alerts generally do not fire at the time of the event, but the activity is still captured in system logs and forwarded to the SIEM for analysis and retention. Hunt teams therefore use newly published threat intelligence to search the SIEM, system event and security logs, and other components for activity that has already taken place in the environment. When a match is found, the hunt team identifies the systems related to the event(s) and passes the case to the incident response team for action. The hunt team also uses indicators to identify smaller components of an attack (for example, a file hash or destination address observed on a compromised host) and searches for that activity across the environment, which may uncover a broader attack.
Threat hunting can also look for anomalous behavior or activity relative to an organization's normal pattern of activity. Understanding the roles and information flows within an organization helps identify activity that might indicate adversary behavior before the adversary completes the attack or mission.
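The two hunt styles described above, a retrospective indicator sweep with pivoting on the artifacts found, followed by an anomaly pass against a behavioral baseline, as an added worked example. This is illustrative code written for this page, not code from CMMC, NIST, or any SIEM vendor; the log records, the indicator, the hostnames, and the `run_hunt` workflow are all constructed assumptions (the IP ranges and `.test` domain are reserved for documentation).

```python
"""Added example: retrospective IOC sweep, artifact pivot, and baseline anomaly hunt.

Illustrative only: every record and indicator below is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime

# Constructed, normalized events as a hunt team might pull back from a SIEM.
# February events form the behavioral baseline; March is the hunt window.
RETAINED_LOGS = [
    {"ts": "2024-02-05T08:52:10", "host": "ws-017", "user": "alice", "event": "logon", "detail": "10.10.5.17"},
    {"ts": "2024-02-06T09:01:44", "host": "ws-017", "user": "alice", "event": "logon", "detail": "10.10.5.17"},
    {"ts": "2024-02-07T08:47:03", "host": "ws-017", "user": "alice", "event": "logon", "detail": "10.10.5.17"},
    {"ts": "2024-02-05T02:00:00", "host": "srv-db-03", "user": "svc_backup", "event": "logon", "detail": "10.10.9.3"},
    {"ts": "2024-03-01T09:02:11", "host": "ws-017", "user": "alice", "event": "logon", "detail": "10.10.5.17"},
    {"ts": "2024-03-01T23:41:09", "host": "ws-017", "user": "alice", "event": "logon", "detail": "198.51.100.24"},
    {"ts": "2024-03-01T23:42:30", "host": "ws-017", "user": "alice", "event": "dns", "detail": "cdn-update.badexample.test"},
    {"ts": "2024-03-01T23:43:02", "host": "ws-017", "user": "alice", "event": "process", "detail": "sha256:3f1c9e"},
    {"ts": "2024-03-02T02:10:55", "host": "srv-db-03", "user": "svc_backup", "event": "process", "detail": "sha256:3f1c9e"},
    {"ts": "2024-03-02T02:11:20", "host": "srv-db-03", "user": "svc_backup", "event": "netconn", "detail": "203.0.113.77:443"},
    {"ts": "2024-03-02T10:15:00", "host": "ws-022", "user": "bob", "event": "dns", "detail": "intranet.example.internal"},
]

# Indicator published by a feed after the intrusion (constructed). Only the
# domain is known at this point; the hash and destination were never published.
IOCS = {"dns": {"cdn-update.badexample.test"}}

# Artifact types worth pivoting on once a host is known to be compromised.
PIVOT_FIELDS = {"process", "netconn"}


def sweep_iocs(logs, iocs):
    """Retrospective search of retained logs: {host: [events matching a published indicator]}."""
    hits = defaultdict(list)
    for ev in logs:
        if ev["detail"] in iocs.get(ev["event"], ()):
            hits[ev["host"]].append(ev)
    return dict(hits)


def pivot(logs, seed_hosts, pivot_fields=PIVOT_FIELDS):
    """Take the smaller artifacts (hashes, destinations) seen on the seed hosts and
    search the rest of the estate for them. Returns {artifact: {newly implicated hosts}}."""
    artifacts = {ev["detail"] for ev in logs
                 if ev["host"] in seed_hosts and ev["event"] in pivot_fields}
    spread = defaultdict(set)
    for ev in logs:
        if ev["detail"] in artifacts and ev["host"] not in seed_hosts:
            spread[ev["detail"]].add(ev["host"])
    return dict(spread)


def _hour(ev):
    return datetime.fromisoformat(ev["ts"]).hour


def build_logon_baseline(logs, baseline_end):
    """Per-user set of logon hours observed before baseline_end: the 'normal pattern'."""
    baseline = defaultdict(set)
    for ev in logs:
        if ev["event"] == "logon" and ev["ts"] < baseline_end:  # ISO timestamps sort lexically
            baseline[ev["user"]].add(_hour(ev))
    return dict(baseline)


def anomalous_logons(logs, baseline, baseline_end):
    """Hunt-window logons at an hour the user never used during the baseline."""
    return [ev for ev in logs
            if ev["event"] == "logon" and ev["ts"] >= baseline_end
            and _hour(ev) not in baseline.get(ev["user"], set())]


def run_hunt(logs=RETAINED_LOGS, iocs=IOCS, baseline_end="2024-03-01"):
    """Sweep -> pivot -> anomaly pass; returns the package handed to incident response."""
    hits = sweep_iocs(logs, iocs)
    spread = pivot(logs, set(hits))
    implicated = set(hits) | {h for hosts in spread.values() for h in hosts}
    baseline = build_logon_baseline(logs, baseline_end)
    return {
        "ioc_hits": hits,
        "pivot_spread": spread,
        "implicated_hosts": sorted(implicated),
        "anomalous_logons": anomalous_logons(logs, baseline, baseline_end),
    }


if __name__ == "__main__":
    result = run_hunt()
    print("Hosts for IR handoff:", result["implicated_hosts"])
    for ev in result["anomalous_logons"]:
        print("Anomalous logon:", ev["ts"], ev["user"], ev["host"], "from", ev["detail"])
```

The published indicator alone only implicates `ws-017`; pivoting on the hash first seen there is what surfaces `srv-db-03`, and the baseline pass flags the 23:41 logon from an unfamiliar address even though no indicator covers it. In practice the pivot is repeated with the newly implicated hosts as seeds (here that would pick up the `203.0.113.77:443` destination as a further artifact) until no new hosts appear.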