On Sept. 23, the National Institute of Standards and Technology (NIST) released the fifth major revision to Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations. This document has been downloaded millions of times since it was first published nine years ago. It has not had a major update like this in more than seven years. While there were several new additions in this revision, the one that the Secureworks Counter Threat Unit® (CTU) is most excited to see, and the focus of this blog post, is the addition of RA-10: Threat Hunting.
RA-10 Threat Hunting
a. Establish and maintain a cyber threat hunting capability to:
1. Search for indicators of compromise in organizational systems; and
2. Detect, track, and disrupt threats that evade existing controls; and
b. Employ the threat hunting capability [Assignment: organization-defined frequency].
Discussion: Threat hunting is an active means of cyber defense in contrast to the traditional protection measures such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies.
In this blog post, we are going to give an opinion on what this “hat tip” to threat hunting means for this area as a discipline, as well as what it means for organizations. Additionally, we want you to understand how Secureworks can help companies who want to learn how to implement threat hunting, supplement their own threat hunting programs, or partner with us as a threat hunting provider.
What this means for threat hunting
This news means a couple of things, really. It further legitimizes threat hunting as its own, separate discipline; serves as an authoritative, non-biased source for the definition of threat hunting; and it reinforces the need for companies to “know thyself” by emphasizing the need to look on your own network based on knowledge of your detection gaps... and use that information to improve.
First, it is exciting to see threat hunting get formal recognition as its own capability like incident response, cyber threat intelligence, risk management, etc. While threat hunting has gained momentum and popularity over the past decade, were you to strike up a conversation with a cybersecurity professional who has been in the field for any significant amount of time, the first thing they would tell you is, “threat hunting is not new.”
That does not make something unimportant in the greater landscape, though. Case in point: about eight years ago, you might have heard someone tell you “cloud is not new.” But does anyone doubt cloud’s force and importance today?
An evolution in technology does not need to be brand new for it to need its own name with its own set of dedicated resources. In the last 10 years, threat hunting has evolved enough to need to be a stand-alone function in security. Adversaries have gotten more sophisticated, a significant increase in the reliance on technology has occurred, and networks have moved beyond the protection of business-owned infrastructure.
The words “threat hunting” appear in every EDR (Endpoint Detection Response), MDR (Managed Detection and Response), threat intel product, security podcast, and security conference. In fact, SANS (SysAdmin Audit Network Security) has created threat hunting training, led a threat hunting summit, and published a threat hunting survey every year for the past three years.
So why is it that in the most recent SANS threat hunting survey, one of the key findings was,
"Results demonstrate that confusion still exists about what respondents believe constitutes threat hunting and how to properly approach threat hunting”
This question brings us to the next major benefit of having threat hunting as a control in SP 800-53: helping to standardize on a definition of threat hunting from a non-biased resource.
Who better to standardize something than a standardizing body?
To begin, let’s look at parts a.1 and a.2
a.1. Search for indicators of compromise in organizational systems
The term “indicators of compromise” (also known as IOCs for short), has 2 primary meanings: one broad and one more specific. In the broad sense, indicators of compromise are pieces of evidence on your hosts, endpoints, network or in your logs that tells you that you have been compromised. The other, more granular way IOC is used is to mean IP addresses, hash values, domain names, and other specific values that are known to be associated with a threat. The latter definition came from the fact that most intelligence reports were heavily populated with the more granular IOCs.
What NIST is referring to is the broader sense. That is supported by this excerpt from the article’s discussion section...
“Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code”
Either way, Threat Hunting is searching for indicators of compromise. So, that becomes the first part of our definition.
Now to point a.2:
a.2. Detect, track, and disrupt threats that evade existing controls
To detect track and disrupt threats that “evade existing controls” means that you are looking for indicators of compromise before they raise an alert. This is an important distinction from incident response. This point is further solidified in NIST’s description section.
“Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats.”
So, now we can add to our definition the point that threat hunting is proactive. It is on your own assets, on your own network—and this can include cloud. How could threats be evading controls if they are not on your network?
So long as we are here, an aside: Looking for evidence that you have been breached, such as historical incidents, data found on public sites, or weaknesses in your network that might have been breached is considered a “lead” for Threat Hunting. But until you prove or disprove that a threat is there, you have not completed the Threat Hunting process.
As icing on the cake, it is exciting to see that in the discussion section, they add...
“The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses.”
If you look a little closer, you will see this new, more official definition closely matches Secureworks’ own mission statement for Threat Hunting.
“To proactively and iteratively discover current or historical threats that evade existing security mechanisms and to use that information to improve cyber resilience.”
What this means for your organization
SP 800-53 has been downloaded millions of times by government and non-government entities alike. It is commonly used as a foundation to build or improve security, privacy, and supply chain risk management programs. With the addition of threat hunting as a SP 800-53 control, expect lots of added content surrounding threat hunting and many executives to begin posing the question, “what is our plan to implement threat hunting?”
This question is not an easy one to answer because the approach you take to threat hunting will vary from organization to organization. There is not a turnkey solution to transform your SOC overnight. Threat hunting begins with ingesting internal and external intel insights about the threats to your organization and your preparedness against them. It is implemented gradually over time, and focuses on developing the data analysis skills, investigative skills, and data engineering requirements of your organization. Luckily, whether you want to build your own threat hunting program or partner with someone who can either supplement your threat hunting or do all the heavy lifting for you, Secureworks is here to help.
How Secureworks can help
A managed threat hunting service provides organizations an opportunity to be proactive and identify unknown and novel compromise activity, so the organization can concentrate on fortifying the environments and responding to known incidents. Our managed threat hunting services combine high-touch interactions and collaboration with the customer to learn about their environments and focus hunting efforts where it matters most.
Continuous Threat Hunting - Secureworks provides all Managed Detection and Response (MDR) customer with continuous Threat Hunting. This continuous threat hunting uses threat indicator, hypothesis, and analytics-driven hunting.
Threat Hunting Assessment - The Secureworks Threat Hunting Assessment is a point-in-time, 30-day comprehensive and intensive evaluation of your environment to identify unknown compromise activity and cyber threats that can evade your security controls.
Active Threat Hunting - A Managed Threat Hunting solution with dedicated team and lead threat hunter. This solution starts with personalized onboarding, including an assessment to establish a knowledge repository of the environment.
Threat Hunting Workshops – The Secureworks’ Threat Hunting workshop is a jumpstart for organizations seeking to institute or mature an internal threat hunting team. This workshop, available with the Incident Management Retainer Workshop & Exercises offerings, covers the methodology, technology, and analytical skills that are essential for an effective threat hunting operation.
Secureworks offers a condensed version of our Threat Hunting Fundamentals Workshop for free on our site. https://www.secureworks.com/resources/wc-threat-hunting-virtual-workshop
Want to know more about Secureworks Threat Hunting products and services? Talk with an Expert