Threat Hunting Under SEBI CSCRF: What it is and How to Achieve Compliance


The Securities and Exchange Board of India (SEBI) has formulated the Cybersecurity and Cyber Resilience Framework (CSCRF) to strengthen the cybersecurity posture of Regulated Entities (REs) in the Indian securities market. The CSCRF aims to address ever-evolving cyber threats and ensure the resilience of REs against cybersecurity incidents and attacks. It achieves this by establishing standards and guidelines for enhancing cybersecurity and promoting robust cybersecurity practices.

Threat Hunting Requirements in the CSCRF

The CSCRF requires Market Infrastructure Institutions (MIIs) and Qualified REs to conduct threat hunting and compromise assessments regularly.

What is Threat Hunting?

Threat hunting is a proactive cybersecurity measure that goes beyond traditional security monitoring and incident response. It involves actively searching for and identifying potential threats that may have already bypassed existing security controls. Unlike incident response, which reacts to known alerts or incidents, threat hunting starts with a hypothesis or an indication of compromise and involves searching for evidence of malicious activity that may not have triggered any alarms.

How to Achieve Threat Hunting Compliance as part of CSCRF Compliance

The CSCRF recommends that REs establish and maintain appropriate security mechanisms, such as a Security Operations Centre (SOC), to facilitate continuous monitoring of security events and timely detection of anomalous activities. It also recommends using various threat intelligence sources to guide threat hunting efforts. These intelligence sources can provide insights into the latest attack techniques, adversary tactics, and indicators of compromise (IOCs), which can be used to develop hypotheses and guide the search for potential threats.

How CyberNX Can Help

CyberNX can help REs meet their threat hunting requirements and achieve overall CSCRF compliance:

  • Threat Hunting Expertise: CyberNX can conduct periodic Threat Hunting Activities through its experienced threat hunters with deep knowledge of adversary TTPs and advanced threat hunting techniques. These experts can help REs establish a threat hunting program tailored to their specific environment and risk profile.
  • Use of Existing Tools: CyberNX can leverage existing tools such as SIEM, EDR or log sources to build a threat hunting framework, provide insights into emerging threats, and enable proactive threat detection and response.
  • Develop a Threat Hunting Program: To comply with SEBI CSCRF’s periodic threat hunting requirements, CyberNX can design and implement a tailored threat hunting program on a monthly, quarterly, or semi-annual basis. This program will focus on the latest attack vectors and indicators of compromise (IOCs) while formulating relevant hypotheses to guide threat-hunting activities according to the specified frequency.

Pre-Requisites for Threat Hunting

To conduct effective threat-hunting activities, customers must provide access to their SIEM and, ideally, EDR infrastructure. The key prerequisites are:

  1. SIEM Infrastructure: CyberNX utilizes the existing SIEM infrastructure to analyze ingested logs, apply threat-hunting use cases, and develop relevant hypotheses for identifying potential threats.
  2. EDR/XDR Infrastructure: CyberNX leverages the customer’s existing EDR/XDR solutions to process logs and execute targeted threat-hunting use cases.
  3. Custom Tools: CyberNX deploys proprietary tools on the specified assets to support hypothesis creation and facilitate the execution of the threat-hunting exercise.

Frequently Asked Questions (FAQ): Threat Hunting

1. What is threat hunting?

Threat hunting is a proactive cybersecurity practice that involves actively searching for and identifying potential threats that may have already bypassed existing security controls. Unlike incident response, which reacts to known alerts or incidents, threat hunting starts with a hypothesis or an indication of compromise and involves searching for evidence of malicious activity that may not have triggered any alarms.

2. What are the benefits of conducting threat hunting?

Threat hunting offers several benefits, such as reducing attack surfaces, anticipating new attack vectors and improving an organisation’s ability to quickly deploy and integrate existing and new security controls and capabilities. Threat hunting can also improve the security posture of an organisation, helping the organisation stay ahead of emerging threats.

3. How often should organisations conduct threat hunting?

The CSCRF mandates MIIs and Qualified REs to conduct threat hunting exercises quarterly. Organisations can choose to conduct threat hunting more frequently based on their specific security needs and risk tolerance.

4. What kind of tools and technologies are used in threat hunting?

Threat hunters can leverage various security tools and technologies to aid their investigations. For example, Security Information and Event Management (SIEM) systems can help aggregate and analyse security logs from various sources, enabling threat hunters to identify patterns and anomalies that may indicate malicious activity.

5. What is the role of threat intelligence in threat hunting?

Threat intelligence plays a crucial role in threat hunting by providing context and insights into the latest attack techniques, adversary tactics, and indicators of compromise (IOCs), which can be used to develop hypotheses and guide the search for potential threats.
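To make the hypothesis-driven approach described in FAQ 4 and FAQ 5 concrete, here is an added example (not code from the original article or from CyberNX) that runs two hunt hypotheses over constructed SIEM-style proxy log lines: one driven by a threat-intel IOC list, one driven by a behavioural pattern (regular beaconing intervals) that no IOC would catch. The domain names, log fields and thresholds are assumptions made up for the example, and the `alerted` flag stands in for whatever the SIEM's existing alert rules already fired on, so the hunt reports only what bypassed them.

```python
import json
from collections import defaultdict
from statistics import pstdev

# Constructed threat-intel IOC list (placeholder names, not real indicators).
IOC_DOMAINS = {"bad-c2.example", "update-check.example"}

# Constructed SIEM-style proxy events, one JSON object per line; "ts" is seconds.
# "alerted" marks events an existing SIEM rule already raised an alert for.
SIEM_LOGS = """\
{"ts": 1000, "host": "ws-01", "dst": "bad-c2.example", "alerted": false}
{"ts": 1060, "host": "ws-01", "dst": "bad-c2.example", "alerted": false}
{"ts": 1120, "host": "ws-01", "dst": "bad-c2.example", "alerted": false}
{"ts": 1180, "host": "ws-01", "dst": "bad-c2.example", "alerted": false}
{"ts": 1005, "host": "ws-02", "dst": "intranet.example", "alerted": false}
{"ts": 1300, "host": "ws-03", "dst": "update-check.example", "alerted": true}
{"ts": 1010, "host": "ws-04", "dst": "cdn.example", "alerted": false}
{"ts": 1500, "host": "ws-04", "dst": "cdn.example", "alerted": false}
{"ts": 1510, "host": "ws-04", "dst": "cdn.example", "alerted": false}
"""


def parse_logs(text):
    """Parse newline-delimited JSON events as a SIEM export would provide them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_ioc_matches(events, iocs):
    """Hypothesis 1: a host contacted a threat-intel domain and no alert fired."""
    return sorted({e["host"] for e in events if e["dst"] in iocs and not e["alerted"]})


def hunt_beaconing(events, min_events=4, max_jitter=5.0):
    """Hypothesis 2: near-constant connection intervals (beaconing), IOC or not.

    Returns (host, dst, mean_interval_seconds) for each suspicious pair.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["dst"])].append(e["ts"])
    hits = []
    for (host, dst), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue  # too few observations to call a pattern
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:  # gaps are nearly identical
            hits.append((host, dst, round(sum(gaps) / len(gaps))))
    return hits
```

Running both hunts over the sample data surfaces ws-01, which matched an IOC without triggering any alert and also shows a 60-second beacon, while ws-03 is excluded because an existing rule already alerted on it.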
