CMMC Practice SA.4.171

Establish and maintain a cyber-threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.

CMMC Version 1.02, pg. 241

Bold Coast Security Guidance

For Level 4 compliance, an organization must have a means of measuring the aspects of its program that are part of the monitoring and review practices. A mature threat intelligence program does two things: it gathers actionable information from various sources, and it proactively looks for indicators of compromise. One indicator not mentioned explicitly above is the appearance of a new persistence mechanism on the network. A persistence mechanism is the means by which software survives a reboot of a system, when all volatile data (data that is lost when power is cut) is gone. Malicious software seeks to become persistent on individual computers, which can also make it persistent on the network. Several third-party solutions available now include a threat hunting component.
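The persistence hunt described above, as an added example that is not part of the original guidance or any vendor product: a current inventory of autostart entries is diffed against a known-good baseline, and entries that are new, or whose launched command or file hash changed, become findings. The inventory records, host names, paths and the "unusual launch directory" severity heuristic are all constructed for illustration.

```python
"""Added example: diff a current inventory of autostart entries against a
known-good baseline to surface new or altered persistence mechanisms."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Launch locations a legitimate autostart entry rarely points into; findings
# there are ranked higher for triage (an assumed heuristic, not a rule).
UNUSUAL_LAUNCH_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "/tmp/", "/dev/shm/")

@dataclass(frozen=True)
class PersistenceEntry:
    host: str
    location: str   # a Run key, scheduled-task folder, service list or cron table
    name: str
    command: str    # what the entry launches
    sha256: str     # hash of the launched binary or script

def _key(e: PersistenceEntry) -> Tuple[str, str, str]:
    return (e.host, e.location, e.name)

def _severity(command: str) -> str:
    return "high" if command.lower().startswith(UNUSUAL_LAUNCH_DIRS) else "medium"

def hunt_persistence(baseline: List[PersistenceEntry],
                     current: List[PersistenceEntry]) -> List[Dict[str, str]]:
    """One finding per entry absent from the baseline ('new') or whose
    command or hash differs from the baseline ('modified')."""
    known = {_key(e): e for e in baseline}
    findings: List[Dict[str, str]] = []
    for e in current:
        old = known.get(_key(e))
        if old is None:
            kind = "new"
        elif old.command != e.command or old.sha256 != e.sha256:
            kind = "modified"
        else:
            continue  # unchanged since the baseline: not a finding
        findings.append({"host": e.host, "type": kind, "location": e.location,
                         "name": e.name, "command": e.command,
                         "severity": _severity(e.command)})
    return findings

# Constructed sample inventories (no real hosts, software or malware).
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
BASELINE = [
    PersistenceEntry("ws01", RUN_KEY, "SyncClient", "C:\\Program Files\\Sync\\sync.exe", "a1"),
    PersistenceEntry("ws01", "Scheduled Tasks", "NightlyBackup", "C:\\Tools\\backup.exe", "b2"),
]
CURRENT = [
    PersistenceEntry("ws01", RUN_KEY, "SyncClient", "C:\\Program Files\\Sync\\sync.exe", "a1"),
    PersistenceEntry("ws01", "Scheduled Tasks", "NightlyBackup", "C:\\Tools\\backup.exe", "f9"),  # binary replaced
    PersistenceEntry("ws01", RUN_KEY, "Updater", "C:\\Users\\Public\\upd.exe", "e4"),  # new entry
]
```

Calling hunt_persistence(BASELINE, CURRENT) yields two findings: the replaced backup binary (modified, medium) and the new Updater entry launching from a public directory (new, high).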

Discussion From Source

DRAFT NIST SP 800-171B

Threat hunting is an active means of cyber defense in contrast to the traditional protection measures such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management (SIEM) technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indicators of compromise are forensic artifacts from intrusions that are identified on organizational systems at the host or network level, and can include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams use existing threat intelligence and may create new threat information, which may be shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies. Threat indicators, signatures, tactics, techniques, and procedures, and other indicators of compromise may be available via government and non-government cooperatives including Forum of Incident Response and Security Teams, United States Computer Emergency Readiness Team, Defense Industrial Base Cybersecurity Information Sharing Program, and CERT Coordination Center.

Support References:
• NIST SP 800-30 provides guidance on threat and risk assessments, risk analyses, and risk modeling.
• NIST SP 800-160-2 provides guidance on systems security engineering and cyber resiliency.
• NIST SP 800-150 provides guidance on cyber threat information sharing.