Level 5 CMMC - CMMC Practices

SA.4.171  

Reference: CMMC 1.02

Family: SA

Level Introduced: 4

Practice:
Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.

CMMC Clarification:
In the cyber arena of today, adversaries are increasingly successful at getting into networks and maintaining their access. Adversaries may be in your network from an attack that happened years ago. In order to find adversaries in an enterprise, an organization must hunt for the latest TTPs used by the adversaries. To do this, an organization stands up a threat hunting team (or contracts for one) that uses a variety of methods, such as log analysis, network traffic analysis, and threat intelligence, to look for indications that adversaries have been on a system (and may still be in place). Once found, the threat hunting team must act quickly to remove the problem, report the incident up the command chain, and continue to look for other pieces of evidence that an adversary has been within the environment. After an incident is handled, the team should create indicators from what they learned and provide them back to the community so that others benefit from the threat intelligence. This information could be as simple as a file hash, the IP address of the command and control server, a domain name, or the actions that have happened on a system. All of these items can be rolled into an indicator sharing component for others to ingest and benefit from.

Example 1
Your organization’s cyber hunt team has noticed that bandwidth consumption at night has spiked in the last few weeks and recognizes that this may indicate the presence of a cyber adversary in the system. The hunt team takes advantage of all information available to it in order to determine why bandwidth utilization at night has spiked. The team uses threat intelligence about certain adversaries that perform exfiltration from networks. The team searches through event and security logs and identifies a specific piece of software running on a system in a lab. They discover that the last person to use the system was a lab technician who installed software on it. This software was malicious, allowing the adversary to access network files and exfiltrate information over the last few weeks. The team quickly takes the system offline for analysis and identifies another system running the same software. All impacted systems are taken offline for further analysis, and the adversary is removed from the network.
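The two hunt techniques the clarification and Example 1 describe, looking for off-hours egress spikes in logs and matching destinations against shared indicators (a C2 IP address or domain), as an added example that is not part of the CMMC or NIST text. The log lines and indicator values are constructed for illustration; the field layout and the 10× night-to-day ratio are assumptions, not a CMMC requirement.

```python
from collections import defaultdict
from datetime import datetime

# Constructed egress records: "timestamp,src_host,destination,bytes_out".
# lab-ws-07 sends large volumes at night to one external address,
# the pattern Example 1 describes; the other hosts look normal.
SAMPLE_LOG = """\
2024-03-01T10:15:00,lab-ws-07,10.0.5.20,120000
2024-03-01T14:30:00,lab-ws-07,10.0.5.20,95000
2024-03-01T02:10:00,lab-ws-07,203.0.113.45,850000000
2024-03-02T02:12:00,lab-ws-07,203.0.113.45,910000000
2024-03-01T11:00:00,eng-ws-12,10.0.5.20,60000
2024-03-01T03:00:00,eng-ws-12,10.0.5.20,40000
2024-03-01T09:00:00,hr-ws-03,bad-c2.example,2000
"""

# Constructed indicator set, as a hunt team might receive it from an
# ISAC feed: one C2 IP address and one C2 domain (hypothetical values).
IOCS = {"203.0.113.45", "bad-c2.example"}


def parse(text):
    """Turn the CSV-style log into (datetime, host, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        ts, host, dst, nbytes = line.strip().split(",")
        records.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return records


def hunt(records, iocs, night_hours=range(0, 6), ratio=10.0):
    """Return findings: destinations matching a shared indicator, and hosts
    whose night-time egress exceeds `ratio` times their daytime egress."""
    day, night, ioc_hits = defaultdict(int), defaultdict(int), set()
    for ts, host, dst, nbytes in records:
        if dst in iocs:
            ioc_hits.add((host, dst))
        if ts.hour in night_hours:
            night[host] += nbytes
        else:
            day[host] += nbytes
    findings = [("ioc_match", host, dst) for host, dst in sorted(ioc_hits)]
    for host in sorted(night):
        if night[host] > ratio * max(day[host], 1):  # avoid division by zero
            findings.append(("night_egress_spike", host, night[host]))
    return findings


if __name__ == "__main__":
    for finding in hunt(parse(SAMPLE_LOG), IOCS):
        print(finding)
```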

Example 2
Your organization receives user complaints that their laptops are not able to access the network. The information provided shows that the laptops are not connecting to the resources that would grant them access. The hunt team uses threat intelligence stating that certain threat actors have been placing fake access points near organizations like yours in order to trick their systems into connecting, and then attempting to attack those systems. The hunt team uses this information to find fake access points within the area. Your organization creates a new policy pushing “authorized” access point information to the user systems. All offline systems are collected and provided this information, too. This prevents corporate machines from connecting to fake access points.

3.11.2e

Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls.

Discussion:
Threat hunting is an active means of cyber defense that contrasts with the traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management (SIEM) technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indicators of compromise are forensic artifacts from intrusions that are identified on organizational systems at the host or network level and can include unusual network traffic, unusual file changes, and the presence of malicious code.

Threat hunting teams use existing threat intelligence and may create new threat information, which may be shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies. Threat indicators, signatures, tactics, techniques, procedures, and other indicators of compromise may be available via government and non-government cooperatives, including Forum of Incident Response and Security Teams, the United States Computer Emergency Readiness Team, the Defense Industrial Base Cybersecurity Information Sharing Program, and the CERT Coordination Center. The skills and expertise to conduct threat hunting are often only available through external service providers.

[SP 800-30] provides guidance on threat and risk assessments, risk analyses, and risk modeling. [SP 800-160-2] provides guidance on systems security engineering and cyber resiliency. [SP 800-150] provides guidance on cyber threat information sharing.

Source: NIST Special Publication 800-172 (Draft)

PM-16

THREAT AWARENESS PROGRAM

Description:
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.

Supplemental Guidance:
Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it is becoming more likely that adversaries may successfully breach or compromise organizational information systems. One of the best techniques to address this concern is for organizations to share threat information. This can include, for example, sharing threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that are likely to occur). Threat information sharing may be bilateral (e.g., government-commercial cooperatives, government-government cooperatives) or multilateral (e.g., organizations taking part in threat-sharing consortia). Threat information may be highly sensitive, requiring special agreements and protection, or less sensitive and freely shared. Related controls: PM-12, PM-16.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02