Level 5 CMMC - CMMC Practices

RM.4.149  

Reference: CMMC 1.02

Family: RM

Level Introduced: 4

Practice:
Catalog and periodically update threat profiles and adversary TTPs.

CMMC Clarification:
This practice enables organizations to proactively increase their ability to include the adversary perspective in their cybersecurity planning and incident response. Organizations should know that setting up a security perimeter around their enterprise is no longer enough to keep that enterprise protected against the adversaries of today. Understanding the adversaries' TTPs, and documenting how these techniques could be used against an organization, is one of the first steps needed in order to keep the adversaries at bay. If an adversary gains access to an organization's enterprise, knowledge of their actions, what their standard operating procedures are, and what they may be going after can be a key part in eradicating them from your enterprise. See practice IR.4.100 for use of this information.

Example 1
Your organization has recently received information from a threat feed that adversaries are seeking technical knowledge in the area your company specializes in. Your cyber defense team is put on high alert to look for actions that look out of the ordinary. In order to properly identify these actions, they consult their catalog of activities related to the specific threat actor that has been identified. These TTPs can then be used to help the cyber defense team identify and eradicate actions taken by the adversary.

Example 2
Your organization wants to utilize knowledge of the adversaries to help plan for and protect the organization against cyber-attacks. Your organization signs up for threat feed services that provide updated information with respect to adversary TTPs. Your organization has individuals who receive this information and create a repository of threat profiles against your organization. These profiles are then used by various teams for planning cyber defenses for the organization. These same profiles are also used by the organization's Defensive Cyber Organization (DCO) to help monitor and protect the enterprise from adversary actions.

Additional Reading
National Council of ISACs: https://www.nationalisacs.org/
NSA/CSS Technical Cyber Threat Framework v2: https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/ctr-nsa-css-technical-cyber-threat-framework.pdf
ATT&CK: https://attack.mitre.org/
NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf

One method that more mature enterprises can use to protect their systems is to employ threat profiles and better understand adversary tools, techniques, and procedures (TTPs). This knowledge can be gained from threat feed information, training, and various frameworks available on the internet. By cataloging (or tracking) and updating threat profiles and adversary tools, techniques, and procedures, an organization can utilize this information when planning for enterprise updates, hunting for adversary activities on a network, and unraveling a complicated attack incident that may have taken place.

This information is a critical component when planning incident response actions, analyzing alerts on systems, and knowing the most likely asset an adversary is going to go after based on the TTPs they perform. When someone wants to win against an opponent, they typically study their opponent's techniques and tactics. This knowledge not only allows them to train properly for the event against that opponent, but it also allows them to understand what the opponent is doing, as well as what actions they are about to take, based on knowledge of their past actions. This information helps an organization gain a cyber-advantage over the adversary. The purpose of creating threat profiles and adversary TTPs is to help identify and gain knowledge about an adversary that is trying to cause harm to your enterprise. Adversary goals include: accessing an enterprise to steal credentials, accessing proprietary information, stealing technologies, and disrupting operations.
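As an added illustration (not part of the CMMC text), the Python sketch below shows one way to keep such a catalog: threat feed records are merged into per-actor profiles, an analyst can pull an actor's TTPs or find which profiled actors use a given technique, and a review check flags profiles that have not been refreshed within a set period, supporting the "periodically update" part of the practice. The actor names and feed records are constructed samples; the technique IDs are MITRE ATT&CK technique IDs.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample threat-feed records. Actor names are placeholders;
# the technique IDs are real MITRE ATT&CK technique IDs.
SAMPLE_FEED = [
    {"actor": "ACTOR-EXAMPLE-1", "technique": "T1566", "name": "Phishing",
     "seen": "2024-03-01", "source": "isac-feed"},
    {"actor": "ACTOR-EXAMPLE-1", "technique": "T1059",
     "name": "Command and Scripting Interpreter",
     "seen": "2024-06-20", "source": "vendor-feed"},
    {"actor": "ACTOR-EXAMPLE-2", "technique": "T1078", "name": "Valid Accounts",
     "seen": "2024-01-15", "source": "isac-feed"},
]


@dataclass
class ThreatProfile:
    actor: str
    ttps: dict = field(default_factory=dict)    # technique id -> technique name
    sources: set = field(default_factory=set)   # feeds that reported this actor
    last_updated: date = date.min               # most recent sighting ingested


class ThreatCatalog:
    """Catalog of adversary profiles with a periodic-review check."""

    def __init__(self, review_days: int = 90):
        self.profiles: dict[str, ThreatProfile] = {}
        self.review_days = review_days

    def ingest(self, records) -> None:
        """Merge feed records into profiles, keeping the latest sighting date."""
        for r in records:
            p = self.profiles.setdefault(r["actor"], ThreatProfile(r["actor"]))
            p.ttps[r["technique"]] = r["name"]
            p.sources.add(r["source"])
            p.last_updated = max(p.last_updated, date.fromisoformat(r["seen"]))

    def ttps_for(self, actor: str) -> list[str]:
        """Technique IDs catalogued for an actor (what a defender pulls during an alert)."""
        return sorted(self.profiles[actor].ttps) if actor in self.profiles else []

    def actors_using(self, technique: str) -> list[str]:
        """Reverse lookup: which profiled actors are known to use this technique."""
        return sorted(a for a, p in self.profiles.items() if technique in p.ttps)

    def stale(self, as_of: str) -> list[str]:
        """Actors whose profile was not refreshed within review_days of as_of (ISO date)."""
        cutoff = date.fromisoformat(as_of) - timedelta(days=self.review_days)
        return sorted(a for a, p in self.profiles.items() if p.last_updated < cutoff)
```

Running `stale("2024-09-01")` on the sample feed reports only ACTOR-EXAMPLE-2, whose last sighting is older than the 90-day review window.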

Source: CMMC v1.02