Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| RA-10 | Threat Hunting | Protects | T1068 | Exploitation for Privilege Escalation |
| RA-10 | Threat Hunting | Protects | T1190 | Exploit Public-Facing Application |
| RA-10 | Threat Hunting | Protects | T1195 | Supply Chain Compromise |
| RA-10 | Threat Hunting | Protects | T1195.001 | Compromise Software Dependencies and Development Tools |
| RA-10 | Threat Hunting | Protects | T1195.002 | Compromise Software Supply Chain |
| RA-10 | Threat Hunting | Protects | T1210 | Exploitation of Remote Services |
| RA-10 | Threat Hunting | Protects | T1211 | Exploitation for Defense Evasion |
| RA-10 | Threat Hunting | Protects | T1212 | Exploitation for Credential Access |