Reference: CMMC v2.13
Family: SI
Level Introduced: 3
Title: Threat-Guided Intrusion Detection
Practice:
Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting.
Further Discussion:
One way to effectively leverage threat indicator information is to access human- or machine-readable threat intelligence feeds. Effectiveness may also require the organization to create TTPs in support of operational requirements, which will typically include defensive cyber tools supporting incident detection, alerts, incident response, and threat hunting. It is possible that this requirement will be implemented by a third-party managed service provider, and in that case, it will be necessary to carefully define the boundary and responsibilities between the OSC and the ESP to guarantee a robust implementation. It is also important that the OSC validate threat indicator integration into the defensive cyber toolset by being able to (1) implement mitigations for sample industry relevant indicators of compromise (e.g., IP address, file hash), (2) identify sample indicators of compromise across sample endpoints, and (3) identify sample indicators of compromise using analytical processes on a system data repository.
Example
You are responsible for information security in your organization. You have maintained an effective intrusion detection capability for some time, but now you decide to introduce a threat hunting capability informed by internal and external threat intelligence [a,c,d,e]. You install a SIEM system that leverages threat information to provide functionality to:
• analyze logs, data sources, and alerts;
• query data to identify anomalies;
• identify variations from baseline threat levels;
• provide machine learning capabilities associated with the correlation of anomalous data characteristics across the enterprise; and
• categorize data sets based on expected data values.
Your team also manages an internal mitigation plan (playbook) for all known threats for your environment. This playbook is used to implement effective mitigation strategies across the environment [b]. Some of the mitigation strategies are developed by team members, and others are obtained by threat feed services.
Potential Assessment Considerations
• Which external sources has the organization identified as threat information sources [a]?
• Does the organization understand the TTPs of key attackers [c,d]?
• Does the organization deploy threat indicators to EDR systems, network intrusion detection systems, or both [c,d,e]?
• What actions does the organization implement when a threat alert/indicator is signaled [c,d,e]?
• Does the organization use internal threat capabilities within their existing security tools [e]?
• How does the organization respond to a third-party notification of a threat indicator [e]?
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
800-172 Requirements vDraft (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.