Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
In the cyber arena of today, adversaries are increasingly successful at getting into networks and maintaining their access. Adversaries may be in your network from an attack that happened years ago. To find adversaries in an enterprise, an organization must hunt for the latest TTPs used by those adversaries. To do this, an organization stands up a threat hunting team, or contracts for one, that uses a variety of methods, such as log analysis, network traffic analysis, and threat intelligence, to look for indications that adversaries have been on a system (and may continue to be in place). Once an adversary is found, the threat hunting team must act quickly to remove the problem, report the incident up the command chain, and continue to look for other pieces of evidence that an adversary has been within the environment.
After an incident is handled, the team should create indicators from what they learned and provide them back to the community so that others can benefit from the threat intelligence. This information could be as simple as a file hash, the IP address of the command and control server, a domain name, or the actions that have happened on a system. All of these items can be rolled into an indicator sharing component for others to ingest and benefit from.
Example 1
Your organization’s cyber hunt team has noticed that bandwidth consumption at night has spiked in the last few weeks and recognizes that this may indicate the presence of a cyber adversary in the system. The hunt team takes advantage of all information available to them in order to determine why bandwidth utilization at night has spiked. The team uses threat intelligence about certain adversaries that perform exfiltration from networks. The team searches through event and security logs to identify a specific piece of software running on a system in a lab. They discover that the last person to use the system was a lab technician who installed software on the system. This software was malicious, allowing the adversary to access network files and perform exfiltration of information over the last few weeks. The team quickly takes the system offline for analysis and identifies another system running the same software. All impacted systems are taken offline for further analysis and the adversary has been removed from the network.
Example 2
Your organization receives user complaints that their laptops are not able to access the network. The information provided shows that the laptops are not connecting to resources to provide them access. The hunt team utilizes threat intelligence that states certain threats have been placing fake access points near organizations like yours in order to trick their systems into connecting and attempting to perform an attack against the systems. The hunt team utilizes this information to find fake access points within the area. Your organization creates a new policy pushing “authorized” access point information to the user systems. All offline systems are collected and provided this information, too. This prevents corporate machines from accessing fake access points.
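The night-time bandwidth hunt from Example 1, sketched as an added example that is not part of the original guidance: it compares each host's outbound volume per night against that host's own preceding nights, so a quiet lab workstation that suddenly sends far more data stands out while a steadily busy server does not. The record format, the 22:00 to 06:00 night window, the thresholds, and the host names are assumptions, and the flow records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

NIGHT_START, NIGHT_END = 22, 6  # assumed night window (local hours)

def night_of(ts):
    """Date the night started on, or None for a daytime record."""
    if ts.hour >= NIGHT_START:
        return ts.date()
    return (ts - timedelta(days=1)).date() if ts.hour < NIGHT_END else None

def nightly_egress(flows):
    """Sum outbound bytes per host per night from (iso_ts, host, bytes_out)."""
    totals = defaultdict(lambda: defaultdict(int))
    for iso_ts, host, bytes_out in flows:
        night = night_of(datetime.fromisoformat(iso_ts))
        if night is not None:
            totals[host][night] += bytes_out
    return totals

def hunt_night_spikes(flows, baseline_nights=7, threshold=6.0):
    """Flag nights far above the host's own preceding nights (robust z-score)."""
    findings = []
    for host, per_night in nightly_egress(flows).items():
        nights = sorted(per_night)
        for i in range(baseline_nights, len(nights)):
            history = [per_night[n] for n in nights[i - baseline_nights:i]]
            base = median(history)
            # Median absolute deviation; floor it so a flat baseline cannot divide by 0.
            mad = median(abs(v - base) for v in history) or max(base * 0.05, 1)
            score = (per_night[nights[i]] - base) / mad
            if score >= threshold:
                findings.append((host, nights[i].isoformat(), round(score, 1)))
    return findings

def sample_flows():
    """Constructed records: ten nights, two hypothetical hosts; 02:00 rows count toward the prior evening."""
    flows, start = [], datetime(2024, 3, 1, 23, 0)
    for day in range(10):
        ts = start + timedelta(days=day)
        lab = 50_000_000 + day * 1_000_000 if day < 7 else 900_000_000
        flows.append((ts.isoformat(), "lab-ws-07", lab))
        flows.append((ts.replace(hour=14).isoformat(), "lab-ws-07", 5_000_000_000))  # daytime, ignored
        flows.append(((ts + timedelta(hours=3)).isoformat(), "file-srv-01", 2_000_000_000 + day * 10_000_000))
    return flows

if __name__ == "__main__":
    print(*hunt_night_spikes(sample_flows()), sep="\n")
```

A flagged host is a lead for the log review described in Example 1 (what software is running, who last used the system), not a verdict on its own.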
DRAFT NIST SP 800-171B
Threat hunting is an active means of cyber defense in contrast to the traditional protection measures such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management (SIEM) technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indicators of compromise are forensic artifacts from intrusions that are identified on organizational systems at the host or network level, and can include unusual network traffic, unusual file changes, and the presence of malicious code.
Threat hunting teams use existing threat intelligence and may create new threat information, which may be shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies. Threat indicators, signatures, tactics, techniques, and procedures, and other indicators of compromise may be available via government and non-government cooperatives including Forum of Incident Response and Security Teams, United States Computer Emergency Readiness Team, Defense Industrial Base Cybersecurity Information Sharing Program, and CERT Coordination Center.
Support References: NIST SP 800-30 provides guidance on threat and risk assessments, risk analyses, and risk modeling. NIST SP 800-160-2 provides guidance on systems security engineering and cyber resiliency. NIST SP 800-150 provides guidance on cyber threat information sharing.
NIST SP 800-53 Rev 4 PM-16
NIST CSF v1.1 DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-6, DE.CM-7, DE.CM-8
Draft NIST SP 800-171B 3.11.2e