CMMC Practice SA.4.171: Establish and maintain a cyber-threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
In the cyber arena of today, adversaries are increasingly successful at getting into networks and maintaining their access. Adversaries may be in your network from an attack that happened years ago. To find adversaries in an enterprise, an organization must hunt for the latest TTPs used by the adversaries. To do this, an organization stands up a threat hunting team, or contracts for one, that uses a variety of methods, such as log analysis, network traffic analysis, and threat intelligence, to look for indications that adversaries have been on a system (and may still be in place). Once found, the threat hunting team must act quickly to remove the problem, report the incident up the command chain, and continue to look for other evidence that an adversary has been within the environment. This information could be as simple as a file hash, the IP address of the command and control server, a domain name, or the actions that have happened on a system. All of these items can be rolled into an indicator sharing component for others to ingest and benefit from.
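The clarification above names the three indicator types a hunt most often starts from (file hash, command and control IP address, domain name) and the two outputs a hunt team produces: a list of affected systems to triage, and a set of indicators rolled up for sharing. The script below is an added example, not part of the CMMC text or any CMMC reference implementation. It runs a known-indicator sweep over a handful of constructed log lines (proxy, DNS resolver, and endpoint agent), then rolls the hits up into per-indicator sharing records with first/last seen times and sighting counts. The indicator values, host names, timestamps, and log formats are all constructed for illustration (the IP is from the TEST-NET-3 documentation range, the domain is under example.net, the hash is a placeholder), and the regular expressions are simplified extractors rather than a full log parser.

```python
"""Minimal indicator-of-compromise hunt over log lines (added example, constructed data)."""
import re

# Constructed indicators of compromise. These are placeholders for illustration,
# not real threat intelligence: documentation IP range, example.net domain, dummy hash.
IOCS = {
    "sha256": {"a" * 64},
    "ipv4": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
}

# Constructed log lines from three sources: a web proxy, a DNS resolver, and an
# endpoint agent. Timestamps, hosts, URLs and paths are made up for this example.
LOG_LINES = [
    "2024-05-01T10:02:11Z proxy host=ws-017 dst=198.51.100.7 url=https://cdn.example.com/lib.js status=200",
    "2024-05-01T10:02:14Z dns host=ws-017 query=update-check.example.net type=A",
    "2024-05-01T10:02:15Z proxy host=ws-017 dst=203.0.113.45 url=http://203.0.113.45/beacon status=200",
    "2024-05-01T10:05:40Z edr host=ws-017 event=process_create image=C:\\Users\\u\\svchost.exe sha256=" + "a" * 64,
    "2024-05-01T11:30:00Z dns host=srv-02 query=mail.example.com type=MX",
    "2024-05-03T09:12:05Z proxy host=ws-022 dst=203.0.113.45 url=http://203.0.113.45/beacon status=200",
]

# Simplified extractors: pull candidate hashes, IPv4 addresses and host names out of a line.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}
HOST_RE = re.compile(r"\bhost=(\S+)")   # assumes the constructed key=value layout
TS_RE = re.compile(r"^(\S+)")           # assumes an ISO-8601 timestamp leads each line


def hunt(lines, iocs=IOCS):
    """Return one hit per (line, indicator) where a known IoC value appears."""
    hits = []
    for line in lines:
        low = line.lower()                       # indicators are compared case-insensitively
        ts = TS_RE.match(line).group(1)
        host_match = HOST_RE.search(line)
        host = host_match.group(1) if host_match else "unknown"
        for kind, pattern in PATTERNS.items():
            # set() so an indicator repeated within one line counts once
            for value in set(pattern.findall(low)):
                if value in iocs[kind]:
                    hits.append({"ts": ts, "host": host, "type": kind,
                                 "value": value, "line": line})
    return hits


def hosts_to_triage(hits):
    """Distinct systems that need containment and deeper investigation."""
    return sorted({h["host"] for h in hits})


def sharing_records(hits):
    """Roll hits up into one shareable record per indicator (first/last seen, hosts, count)."""
    records = {}
    for h in hits:
        key = (h["type"], h["value"])
        rec = records.setdefault(key, {
            "type": h["type"], "value": h["value"],
            "first_seen": h["ts"], "last_seen": h["ts"],
            "hosts": set(), "sightings": 0,
        })
        # Same ISO-8601 layout on every line, so string comparison orders correctly.
        rec["first_seen"] = min(rec["first_seen"], h["ts"])
        rec["last_seen"] = max(rec["last_seen"], h["ts"])
        rec["hosts"].add(h["host"])
        rec["sightings"] += 1
    out = []
    for rec in records.values():
        rec["hosts"] = sorted(rec["hosts"])
        out.append(rec)
    return sorted(out, key=lambda r: (r["type"], r["value"]))


if __name__ == "__main__":
    found = hunt(LOG_LINES)
    print("hosts to triage:", hosts_to_triage(found))
    for rec in sharing_records(found):
        print(rec)
```

Run as a script it prints the two hosts that touched a known indicator and three rolled-up records; the C2 address record shows two sightings across two hosts and two days, which is the kind of spread a hunt team reports upward and feeds into an indicator sharing feed. A real deployment would source the indicator set from a threat intelligence platform and read logs from a SIEM rather than an inline list, but the match-then-roll-up shape is the same.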