RA.L3-3.11.1e Threat Hunting
Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
Source: NIST SP 800-172 3.11.1e
Discussion: The constant evolution and increased sophistication of adversaries, especially the APT, makes it more likely that adversaries can successfully compromise or breach organizational systems. Accordingly, threat intelligence can be integrated into each step of the risk management process throughout the system development life cycle. This risk management process includes defining system security requirements, developing system and security architectures, selecting security solutions, monitoring (including threat hunting), and remediation efforts. [SP 800-30] provides guidance on risk assessments. [SP 800-39] provides guidance on the risk management process. [SP 800-160-1] provides guidance on security architectures and systems security engineering. [SP 800-150] provides guidance on cyber threat information sharing.
Assessment Objectives:
Determine if:
- [ODP1] Sources of threat intelligence are defined;
- [a] A risk assessment methodology is identified;
- [b] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, is employed as part of a risk assessment to guide and inform the development of organizational systems and security architectures;
- [c] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, is employed as part of a risk assessment to guide and inform the selection of security solutions;
- [d] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, is employed as part of a risk assessment to guide and inform system monitoring activities;
- [e] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, is employed as part of a risk assessment to guide and inform threat hunting activities; and
- [f] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, is employed as part of a risk assessment to guide and inform response and recovery activities.
Examine: [SELECT FROM: Information security program plan; risk assessment policy; threat awareness program documentation; procedures for the threat awareness program; security planning policy and procedures; procedures addressing organizational assessments of risk; threat hunting program documentation; procedures for the threat hunting program; risk assessment results relevant to threat awareness; threat hunting results; list or other documentation on the cross-organization, information-sharing capability; security plan; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; contingency planning policy; contingency plan; incident response policy; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for information security program planning and plan implementation; organizational personnel responsible for the threat awareness and threat hunting programs; organizational personnel responsible for risk assessments; organizational personnel responsible for the cross-organization, information-sharing capability; organizational personnel responsible for information security; organizational personnel responsible for contingency planning; organizational personnel responsible for incident response; personnel with whom threat awareness information is shared by the organization].
Test: [SELECT FROM: Mechanisms supporting and/or implementing the threat awareness program; mechanisms supporting and/or implementing the cross-organization, information-sharing capability; mechanisms supporting and/or implementing the threat hunting program; mechanisms for conducting, documenting, reviewing, disseminating, and updating risk assessments; mechanisms supporting and/or implementing contingency plans; mechanisms supporting and/or implementing incident response plans].
SPRS Score: 1
POA&M Allowed: No