CMMC v2.11 Practices

RA.L3-3.11.2e

Reference: CMMC v2.11

Family: RA

Level Introduced: 3

Title: Threat Hunting

Practice:
Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications warrant, to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.

Further Discussion:
For this requirement, threat hunting is conducted on an ongoing aperiodic basis. Ongoing aperiodic refers to activities that happen over and over but without an identifiable repeating pattern over time. For threat hunting, ongoing activities take place in an automated manner (e.g., collecting logs, automated analysis, and alerts). Aperiodicity includes humans performing the hunt activities, which take place on an as-needed or as-planned basis.

APTs can penetrate an environment by means that defeat or avoid conventional monitoring methods and alert triggers—for example, by using zero-day attacks. Zero-day attacks become known only after the attack has happened, and alerts are then sent via threat intelligence feeds based on expert analysis. Because of the nature of zero-day attacks, automated alerts do not generally trigger when the event occurs, but the activity is captured in system logs and forwarded for analysis and retention by the SIEM. Threat intelligence information is typically used by hunt teams to search SIEM systems, system event and security logs, and other components to identify activity that has already taken place in an environment. The hunt team will identify systems related to the event(s) and pass the case to the Incident Response team for action on the event(s). The hunt team will also use indicators to identify smaller components of an attack and search for that activity, which may help uncover a broader attack on the environment.

Threat hunting can also look for anomalous behavior or activity based on an organization’s normal pattern of activity. Understanding the roles and information flows within an organization can help identify activity that might be indicative of adversary behavior before the adversary completes their attack or mission.

Example
You are the lead for your organization’s cyber threat hunting team. You have local and remote staff on the team to process threat intelligence. Your team is tied closely with the SOC and IR teams. Through a DoD (DC3) intelligence feed, you receive knowledge of a recent APT’s attacks on defense contractors. The intelligence feed provided the indicators of compromise for a zero-day attack that most likely started within the past month. After receiving the IOCs, you use a template for your organization to place the information in a standard format your team understands. You then email the information to your team members and place the information in your hunt team’s dashboard, which tracks all IOCs [a].

Your team starts by using the information to hunt for IOCs on the environment [b]. One of your team members quickly responds, providing information from the SIEM that an HR system’s logs show evidence that IOCs related to this threat occurred three days ago. The team contacts the owner of the system as they take the system offline into a quarantined environment. Your team pulls all logs from the system and clones the storage on the system. Members go through the logs to look for other systems that may be part of the APT’s attack [c]. While the team is cloning the storage system for evidence, you alert the IR team about the issue. After full forensics of the system, your team has verified that your company was hit by the APT, but nothing was taken and no additional attacks happened. You also alert DoD (DC3) about the finding and discuss the matter with them. An after-action report is written and a briefing is given to management to make them aware of the issue.
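The IOC hunt in the example above, as an added illustration that is not part of the CMMC guide: threat-feed indicators already normalised into one internal format are searched across a SIEM export, hits are grouped by host, and hosts where several distinct indicator types co-occur are prioritised (the "combinations of events" idea in the assessment considerations). Every host name, indicator value, feed name and log line here is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed feed entries, already placed in the team's standard format.
# Values are documentation/placeholder addresses and names, not real IOCs.
IOCS = [
    {"type": "ip", "value": "203.0.113.45", "source": "feed-placeholder"},
    {"type": "domain", "value": "update.example.invalid", "source": "feed-placeholder"},
    {"type": "sha256", "value": "a" * 64, "source": "feed-placeholder"},
]

# Constructed SIEM export: one event per line, "<timestamp> key=value ...".
LOGS = f"""\
2024-05-01T02:14:07Z host=hr-app-01 event=dns query=update.example.invalid
2024-05-01T02:14:09Z host=hr-app-01 event=netflow dst=203.0.113.45 dport=443
2024-05-01T02:15:30Z host=hr-app-01 event=process sha256={'a' * 64}
2024-05-01T09:00:00Z host=fileserver-02 event=netflow dst=203.0.113.45 dport=443
2024-05-01T09:05:00Z host=ws-17 event=dns query=intranet.corp.local
"""


def parse_event(line):
    """Split a log line into its timestamp and a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    return ts, dict(re.findall(r"(\w+)=(\S+)", rest))


def hunt(iocs, log_text):
    """Return {host: [(timestamp, ioc_type, ioc_value), ...]} for every IOC hit.
    Matching is on whole field values, so substrings of unrelated fields do not match."""
    hits = defaultdict(list)
    wanted = {(i["type"], i["value"].lower()) for i in iocs}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_event(line)
        values = {v.lower() for v in fields.values()}
        for ioc_type, value in wanted:
            if value in values:
                hits[fields.get("host", "unknown")].append((ts, ioc_type, value))
    return dict(hits)


def triage(hits, min_types=2):
    """Rank each host: several distinct indicator types on one system is stronger
    evidence than a single match, and first_seen bounds how far back to pull logs."""
    out = {}
    for host, events in hits.items():
        types = sorted({t for _, t, _ in events})
        out[host] = {
            "first_seen": min(ts for ts, _, _ in events),
            "ioc_types": types,
            "priority": "high" if len(types) >= min_types else "review",
        }
    return out
```

In a real hunt the IOC list and log export would be read from the team's dashboard and SIEM rather than embedded, and the `high` hosts are the ones handed to the IR team with their `first_seen` timestamp.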

Potential Assessment Considerations
• Does the organization have a methodology for performing cyber threat hunting actions [b,c]?
• Has the organization defined all organizational systems within scope of cyber threat hunting, including valid and approved documentation for any organization systems that are not within scope [b,c]?
• Has the organization identified a specific set of individuals to perform cyber threat hunting [b,c]?
• Does the threat hunting team have qualified staff members using the threat feed information [b,c]?
• Does the threat hunting team use combinations of events to determine suspicious behaviors [b,c]?
• Does the organization have a documented list of trusted threat feeds that are used by their cyber hunt teams as the latest indicators of compromise during their efforts [a]?
• Does the organization have a clear methodology for processing threat feed information and turning it into actionable information they can use for their threat hunting approach [a]?

Source: CMMC v2.11