On Sept. 23, the National Institute of Standards and Technology (NIST) released the fifth major revision to Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations. This document has been downloaded millions of times since it was first published nine years ago. It has not had a major update like this in more than seven years. While there were several new additions in this revision, the one that the Secureworks Counter Threat Unit® (CTU) is most excited to see, and the focus of this blog post, is the addition of RA-10: Threat Hunting.
RA-10 Threat Hunting
a. Establish and maintain a cyber threat hunting capability to:
1. Search for indicators of compromise in organizational systems; and
2. Detect, track, and disrupt threats that evade existing controls; and
b. Employ the threat hunting capability [Assignment: organization-defined frequency].
Discussion: Threat hunting is an active means of cyber defense in contrast to the traditional protection measures such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies.
Source: threat hunting official cybersecurity discipline