Does your organization conduct regular threat hunting activities to proactively identify potential threat actors in your environment?
Explanation
Threat hunting involves proactively searching through networks, endpoints, and datasets to detect malicious activities or indicators of compromise that may have evaded existing security solutions.
This practice helps identify advanced persistent threats, insider threats, or zero-day exploits that automated tools might miss. Effective threat hunting combines automated tools with human analysis to investigate anomalies, unusual patterns, or suspicious behaviors.
Evidence of threat hunting could include documented threat hunting procedures, reports from previous threat hunting exercises showing methodology and findings, logs of hunting activities, or dashboards from threat hunting platforms. These documents should demonstrate a systematic approach to searching for threats rather than just responding to alerts.
Implementation Example
Perform threat hunting to look for signs of threat actors within the environment
ID: ID.RA-03.157
Context
- Function
- ID: IDENTIFY
- Category
- ID.RA: Risk Assessment
- Sub-Category
- Internal and external threats to the organization are identified and recorded
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?

