On September 23, 2020, the National Institute of Standards and Technology (NIST) released the first major update to Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations in more than seven years. This fifth significant revision included the addition of RA-10: Threat Hunting.
RA-10: Threat Hunting
Control:
a. Establish and maintain a cyber threat hunting capability to:
   1. Search for indicators of compromise in organizational systems; and
   2. Detect, track, and disrupt threats that evade existing controls; and
b. Employ the threat hunting capability [Assignment: organization-defined frequency].
Discussion: Threat hunting is an active means of cyber defense in contrast to the traditional protection measures such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies.
Source: Security and Privacy Controls for Information Systems and Organizations
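The discussion names three kinds of indications of compromise: unusual network traffic, unusual file changes, and the presence of malicious code. The Python below is an added example (it is not part of NIST's publication and is not Avertium's tooling) that turns each of those into an explicit hunting hypothesis and runs it over a handful of constructed endpoint telemetry records. Every host name, hash value, destination address, staging directory and threshold is assumed for illustration; the telemetry format is a made-up tuple, not any vendor's schema.

```python
"""Added example: a minimal threat hunt over constructed endpoint telemetry.

Each function is one hunting hypothesis drawn from the RA-10 discussion:
  1. presence of malicious code  -> file/process hashes matched to threat intel
  2. unusual network traffic     -> fixed-interval "beaconing" to one destination
  3. unusual file changes        -> a file staged in a temp directory, then executed
Hypotheses 2 and 3 need no prior indicator, which is how a hunt can surface a
threat that evaded signature-based controls. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed threat intelligence (hypothetical values, not real indicators).
KNOWN_BAD_HASHES = {"CONSTRUCTED-HASH-0001"}

# Directories commonly abused for staging binaries; constructed heuristic list.
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed telemetry: (timestamp, host, event_type, details). 203.0.113.7 is
# from the TEST-NET-3 documentation range and stands in for an unknown C2 host.
EVENTS = [
    ("2020-10-01T09:00:00", "ws-17", "net",  {"dst": "203.0.113.7", "bytes": 512}),
    ("2020-10-01T09:02:13", "ws-17", "net",  {"dst": "cdn.example.test", "bytes": 90000}),
    ("2020-10-01T09:03:00", "ws-17", "file", {"path": "/tmp/.cache/svchost", "sha256": "CONSTRUCTED-HASH-0001"}),
    ("2020-10-01T09:03:05", "ws-17", "proc", {"image": "/tmp/.cache/svchost", "sha256": "CONSTRUCTED-HASH-0001"}),
    ("2020-10-01T09:05:00", "ws-17", "net",  {"dst": "203.0.113.7", "bytes": 520}),
    ("2020-10-01T09:10:01", "ws-17", "net",  {"dst": "203.0.113.7", "bytes": 498}),
    ("2020-10-01T09:15:00", "ws-17", "net",  {"dst": "203.0.113.7", "bytes": 515}),
    ("2020-10-01T09:31:40", "ws-17", "net",  {"dst": "cdn.example.test", "bytes": 40000}),
    ("2020-10-01T10:00:00", "srv-02", "file", {"path": "/var/log/syslog", "sha256": "CONSTRUCTED-HASH-0002"}),
    ("2020-10-01T10:00:30", "srv-02", "file", {"path": "/tmp/build.sh", "sha256": "CONSTRUCTED-HASH-0003"}),
    ("2020-10-01T10:01:00", "srv-02", "net",  {"dst": "mail.example.test", "bytes": 2000}),
]


def _ts(s):
    return datetime.fromisoformat(s)


def hunt_known_malicious_code(events, bad_hashes=KNOWN_BAD_HASHES):
    """Hypothesis 1: a file or process hash matches threat intelligence."""
    return [
        {"host": host, "time": t, "indicator": d["sha256"], "event": kind}
        for t, host, kind, d in events
        if kind in ("file", "proc") and d.get("sha256") in bad_hashes
    ]


def hunt_beaconing(events, min_connections=4, max_jitter_s=10.0):
    """Hypothesis 2: one host contacts one destination at near-constant intervals.

    Flags (host, dst) pairs with at least min_connections whose inter-arrival
    times have a population standard deviation of at most max_jitter_s seconds.
    """
    by_pair = defaultdict(list)
    for t, host, kind, d in events:
        if kind == "net":
            by_pair[(host, d["dst"])].append(_ts(t))
    findings = []
    for (host, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            findings.append({"host": host, "dst": dst, "connections": len(times),
                             "mean_interval_s": round(mean(gaps), 1)})
    return findings


def hunt_staged_executables(events, staging_dirs=STAGING_DIRS):
    """Hypothesis 3: a file written to a staging directory is later executed."""
    executed = defaultdict(set)  # host -> images launched on that host
    for _, host, kind, d in events:
        if kind == "proc":
            executed[host].add(d["image"])
    return [
        {"host": host, "time": t, "path": d["path"]}
        for t, host, kind, d in events
        if kind == "file" and d["path"].startswith(staging_dirs)
        and d["path"] in executed[host]
    ]


def run_hunt(events=EVENTS):
    """Run every hypothesis and return the findings keyed by hunt name."""
    return {
        "known_malicious_code": hunt_known_malicious_code(events),
        "beaconing": hunt_beaconing(events),
        "staged_executables": hunt_staged_executables(events),
    }


if __name__ == "__main__":
    for name, findings in run_hunt().items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

On the constructed data the hash hunt fires twice (the file write and the process launch), the beaconing hunt flags ws-17 talking to 203.0.113.7 every 300 seconds even though that address appears in no indicator list, and the staging hunt flags /tmp/.cache/svchost but not srv-02's /tmp/build.sh, which was written but never run. The thresholds are the tunable part: in a real hunt they would be set from the environment's own baseline, which is why the onboarding and weekly review described later on this page matter.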
Take the parable of the blind men and the elephant where each man, having never seen or touched an elephant before, touches a different part. Based on where they touched, one describes it like a snake, another like a tree, and another like a wall. Threat hunting is similar because this tactic can mean different things to different people, which makes it difficult for organizations to differentiate vendors or evaluate the value of these services.
This is where the recognition of Threat Hunting by NIST as an official cybersecurity discipline comes into play. Not only does NIST give legitimacy to this emerging discipline, it provides guidance on key aspects of threat hunting for a standardized definition within the industry.
The key features of threat hunting are:
The objectives are:
NIST not only recognizes Threat Hunting as an official discipline within the context of “Security and Privacy Controls for Information Systems and Organizations,” but also gives guidance to organizations to “employ the threat hunting.” This highlights the need for threat hunting as a component of a robust and maturing cybersecurity program regardless of the size of your company. In addition, as cyber insurance becomes more prevalent and starts to become more stringent on which controls need to be in place, it is highly likely that threat hunting will be one of those controls.
As many organizations today struggle with the basics of implementing a cybersecurity program, it can be daunting to think about adding threat hunting. Many companies lack the number of security professionals they need; the staff they do have wear many hats and have neither the time nor the skillset needed to begin threat hunting.
This is where Avertium’s Managed Threat Hunting services can help. Our Managed Threat Hunting services combine knowledgeable and skilled threat hunters with high-touch and collaborative interactions with our customers. This allows our hunters to best learn about their environments and focus threat hunting on where it will matter most. This frees your team up to concentrate on securing your environment and responding to known incidents.
The Avertium Cyber Response Unit (CRU) provides a comprehensive point-in-time forensic assessment of your environment to identify current and historic evidence of compromise that evaded your existing security controls. A common scenario in which clients want this is the merger with or acquisition of another company, before the two environments are integrated.
A Managed Threat Hunting solution with a designated threat hunter is also available. This solution includes personalized onboarding with your designated threat hunter to establish a knowledge base of your environment. In addition, there are weekly collaborative touchpoint meetings with your threat hunter. In these meetings, you and your hunter review the hunts, findings, and recommendations from the previous week and discuss your areas of concern to guide future hunts.
Interested in implementing threat hunting to enhance your organization's cybersecurity program but don't know where to start? Contact Avertium today to learn more about our Managed Threat Hunting services and how we can help you...