Requirement text: SA.4.171: Establish and maintain a cyber-threat hunting capability to search for
indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B
Threat hunting is an active means of cyber defense in contrast to the traditional protection
measures such as firewalls, intrusion detection and prevention systems, quarantining
malicious code in sandboxes, and Security Information and Event Management (SIEM)
technologies and systems. Cyber threat hunting involves proactively searching
organizational systems, networks, and infrastructure for advanced threats. The objective is
to track and disrupt cyber adversaries as early as possible in the attack sequence and to
measurably improve the speed and accuracy of organizational responses. Indicators of
compromise are forensic artifacts from intrusions that are identified on organizational
systems at the host or network level, and can include unusual network traffic, unusual file
changes, and the presence of malicious code. Threat hunting teams use existing threat
intelligence and may create new threat information, which may be shared with peer
organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing
and Analysis Centers (ISAC), and relevant government departments and agencies. Threat
indicators, signatures, tactics, techniques, and procedures, and other indicators of
compromise may be available via government and non-government cooperatives including
Forum of Incident Response and Security Teams, United States Computer Emergency
Readiness Team, Defense Industrial Base Cybersecurity Information Sharing Program, and
CERT Coordination Center.
Support References:
• NIST SP 800-30 provides guidance on threat and risk assessments, risk analyses, and
risk modeling.
• NIST SP 800-160-2 provides guidance on systems security engineering and cyber
resiliency.
• NIST SP 800-150 provides guidance on cyber threat information sharing.
CMMC CLARIFICATION
In today's cyber arena, adversaries are increasingly successful at getting into networks
and maintaining their access. Adversaries may be in your network from an attack that
happened years ago. To find adversaries in an enterprise, an organization must hunt for the
latest TTPs used by adversaries. To do this, an organization stands up a threat hunting
team, or contracts for one, that uses a variety of methods, such as log analysis, network
traffic analysis, and threat intelligence, to look for indications that adversaries have been
on a system (and may still be present). Once adversaries are found, the threat hunting team
must act quickly to remove the problem, report the incident up the command chain, and
continue to look for other evidence that an adversary has been within the environment.
After an incident is handled, the team should create indicators from what it learned and
provide them back to the community so that others can benefit from the threat intelligence.
This information could be as simple as a file hash, the IP address of the command and
control server, a domain name, or the actions that took place on a system. All of these items
can be rolled into an indicator sharing component for others to ingest and benefit from.
Example 1
Your organization’s cyber hunt team has noticed that bandwidth consumption at night has
spiked in the last few weeks and recognizes that this may indicate the presence of a cyber
adversary in the system. The hunt team takes advantage of all information available to them
in order to determine why bandwidth utilization at night has spiked. The team uses threat
intelligence about certain adversaries that perform exfiltration from networks. The team
searches through event and security logs to identify a specific piece of software running on
a system in a lab. They discover that the last person to use the system was a lab technician
who installed software on the system. This software was malicious, allowing the adversary
to access network files and perform exfiltration of information over the last few weeks. The
team quickly takes the system offline for analysis and identifies another system running the
same software. All impacted systems are taken offline for further analysis and the adversary
has been removed from the network.
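The following is an added example, not part of the CMMC practice text or NIST SP 800-171B. It works through the Example 1 hunt above and the indicator-creation step from the clarification: aggregate per-host egress into night and day buckets, flag hosts whose night-time egress is both large and far above their daytime egress, pivot from the suspect binary's hash to find other hosts running it, and package the result as a flat indicator list for sharing. Every host name, address, byte count and hash is constructed sample data; the night window, spike ratio and byte floor are assumptions a real team would tune to its own baseline.

```python
"""Added example (not the CMMC/NIST text's own code): a small hunt over
constructed flow and endpoint data for the Example 1 scenario, a pivot to
other hosts running the same binary, and indicator packaging for sharing."""
import json
from collections import defaultdict
from datetime import datetime

NIGHT_HOURS = range(0, 6)        # assumption: 00:00-05:59 local counts as "night"
SPIKE_RATIO = 5.0                # assumption: night egress > 5x day egress is a spike
MIN_NIGHT_BYTES = 100_000_000    # assumption: ignore hosts that send little at night anyway

# Constructed flow summaries: (timestamp, source host, destination IP, bytes out).
FLOWS = [
    ("2023-03-06T09:15:00", "lab-ws-07", "198.51.100.10", 40_000_000),
    ("2023-03-06T14:40:00", "lab-ws-07", "198.51.100.10", 10_000_000),
    ("2023-03-07T02:05:00", "lab-ws-07", "203.0.113.25", 600_000_000),
    ("2023-03-08T02:30:00", "lab-ws-07", "203.0.113.25", 300_000_000),
    ("2023-03-06T10:00:00", "fileserver-1", "198.51.100.20", 5_000_000_000),
    ("2023-03-07T01:00:00", "fileserver-1", "198.51.100.20", 200_000_000),  # nightly backup
    ("2023-03-06T11:00:00", "eng-ws-12", "198.51.100.10", 10_000_000),
    ("2023-03-07T03:00:00", "eng-ws-12", "198.51.100.10", 50_000_000),
]

# Constructed endpoint inventory: host -> {binary name: sha256}.
# The digests are placeholders, not real sample hashes.
INVENTORY = {
    "lab-ws-07": {"labsync.exe": "PLACEHOLDER_SHA256_LABSYNC"},
    "eng-ws-12": {"notepad.exe": "PLACEHOLDER_SHA256_NOTEPAD"},
    "lab-ws-09": {"labsync.exe": "PLACEHOLDER_SHA256_LABSYNC"},
}


def split_day_night(flows):
    """Aggregate bytes out per host into night and day buckets."""
    night, day = defaultdict(int), defaultdict(int)
    for ts, host, _dst, nbytes in flows:
        bucket = night if datetime.fromisoformat(ts).hour in NIGHT_HOURS else day
        bucket[host] += nbytes
    return night, day


def hunt_night_spikes(flows, ratio=SPIKE_RATIO, floor=MIN_NIGHT_BYTES):
    """Return hosts whose night-time egress is large and far above their daytime
    egress, together with the destinations they talked to at night. The ratio
    test keeps a busy file server with a modest nightly backup from being flagged."""
    night, day = split_day_night(flows)
    hits = []
    for host in sorted(set(night) | set(day)):
        n, d = night[host], day[host]
        if n >= floor and n > ratio * d:
            dests = sorted({dst for ts, h, dst, _ in flows
                            if h == host and datetime.fromisoformat(ts).hour in NIGHT_HOURS})
            hits.append({"host": host, "night_bytes": n, "day_bytes": d, "destinations": dests})
    return hits


def hosts_running(inventory, sha256):
    """Pivot: every host whose inventory contains the given binary hash."""
    return sorted(h for h, bins in inventory.items() if sha256 in bins.values())


def build_indicators(hits, inventory, suspect_binary):
    """Turn the hunt result into a flat, de-duplicated indicator list for sharing."""
    indicators = []
    for hit in hits:
        for dst in hit["destinations"]:
            indicators.append({"type": "ipv4-addr", "value": dst,
                               "context": f"night-time egress from {hit['host']}"})
        digest = inventory.get(hit["host"], {}).get(suspect_binary)
        if digest:
            indicators.append({"type": "sha256", "value": digest,
                               "context": f"{suspect_binary} on {hit['host']}"})
    seen, unique = set(), []
    for ind in indicators:           # same C2 address seen twice is shared once
        key = (ind["type"], ind["value"])
        if key not in seen:
            seen.add(key)
            unique.append(ind)
    return unique


if __name__ == "__main__":
    hits = hunt_night_spikes(FLOWS)
    for hit in hits:
        print(f"{hit['host']}: {hit['night_bytes']:,} bytes at night vs "
              f"{hit['day_bytes']:,} by day -> {hit['destinations']}")
    iocs = build_indicators(hits, INVENTORY, "labsync.exe")
    digest = next(i["value"] for i in iocs if i["type"] == "sha256")
    print("also running the same binary:", hosts_running(INVENTORY, digest))
    print(json.dumps(iocs, indent=2))
```

Run as-is, the hunt flags only lab-ws-07 (900 MB at night against 50 MB by day), the pivot on the placeholder hash surfaces lab-ws-09 as the "another system running the same software" from the scenario, and the indicator list carries the night-time destination address and the binary hash, which is the kind of file hash and C2 address the clarification says can be rolled into an indicator sharing component.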
Example 2
Your organization receives complaints from users that their laptops cannot access the
network. The information provided shows that the laptops are not connecting to the
resources that would give them access. The hunt team uses threat intelligence stating that
certain threat actors have been placing fake access points near organizations like yours in
order to trick their systems into connecting and then attempting an attack against those
systems. The hunt team uses this information to find fake access points in the area. Your
organization creates a new policy pushing "authorized" access point information to user
systems. All offline systems are collected and provided this information, too. This prevents
corporate machines from connecting to fake access points.
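The following is an added example, not part of the CMMC practice text, illustrating the policy described in Example 2: an "authorized access point" list is pushed to user systems, observed access points are compared against it, and any access point advertising a corporate SSID from a radio (BSSID) that is not on the list is flagged so the client refuses to connect. The authorized list and the scan results are constructed sample data; the BSSID normalization exists because clients and controllers report the same address in different separator and case conventions, and an allow-list check that skips it silently passes a rogue.

```python
"""Added example (not the CMMC text's own code): flag access points whose SSID
matches a corporate network but whose BSSID is not on the authorized list, and
decide whether a client may connect. All data below is constructed."""
import re

# Constructed authorized list pushed to user systems: SSID -> set of BSSIDs.
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpGuest": {"00:11:22:33:44:03"},
}

# Constructed scan results as (ssid, bssid, security), as a client might report them.
SCAN = [
    ("CorpWiFi", "00-11-22-33-44-01", "WPA2-Enterprise"),   # authorized, different separator
    ("CorpWiFi", "AA:BB:CC:DD:EE:01", "Open"),              # corporate name, unknown radio
    ("CorpGuest", "00:11:22:33:44:03", "WPA2-PSK"),
    ("CoffeeShop", "AA:BB:CC:DD:EE:02", "Open"),            # not ours; policy says nothing
    ("corpwifi", "aa:bb:cc:dd:ee:03", "WPA2-PSK"),          # look-alike differing only by case
]


def normalize_bssid(bssid):
    """Canonical lower-case colon form so '00-11-...' and '00:11:...' compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", bssid).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a BSSID: {bssid!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def authorized_index(authorized):
    """Case-folded SSID -> set of normalized BSSIDs, built once per policy push."""
    return {ssid.casefold(): {normalize_bssid(b) for b in bssids}
            for ssid, bssids in authorized.items()}


def find_rogue_aps(scan, authorized):
    """Every scanned AP that uses a corporate SSID from an unauthorized BSSID."""
    index = authorized_index(authorized)
    rogue = []
    for ssid, bssid, security in scan:
        known = index.get(ssid.casefold())
        if known is None:
            continue                      # not a corporate name; nothing to enforce
        canon = normalize_bssid(bssid)
        if canon not in known:
            rogue.append({"ssid": ssid, "bssid": canon, "security": security,
                          "reason": "corporate SSID on unauthorized BSSID"})
    return rogue


def allowed_to_connect(ssid, bssid, authorized):
    """Client-side rule: a corporate SSID may only be joined on a listed BSSID.
    Non-corporate SSIDs are left to whatever other policy the organization applies."""
    known = authorized_index(authorized).get(ssid.casefold())
    return True if known is None else normalize_bssid(bssid) in known


if __name__ == "__main__":
    for ap in find_rogue_aps(SCAN, AUTHORIZED):
        print(f"ROGUE {ap['ssid']} {ap['bssid']} ({ap['security']}): {ap['reason']}")
    for ssid, bssid, _ in SCAN:
        print(f"{ssid:10} {bssid:18} allowed={allowed_to_connect(ssid, bssid, AUTHORIZED)}")
```

With the constructed scan, two access points are flagged: the open "CorpWiFi" on an unknown radio, and the "corpwifi" look-alike, which the case-folded comparison treats as a claim on the corporate name. The authorized "CorpWiFi" entry reported with dashes passes once normalized, which is the reason the normalization step is not optional.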
References
• Draft NIST SP 800-171B 3.11.2e
• NIST CSF v1.1 DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-6, DE.CM-7, DE.CM-8
• NIST SP 800-53 Rev 4 PM-16