Level 5 CMMC - CMMC Practices

SA.4.173  

Reference: CMMC 1.02

Family: SA

Level Introduced: 4

Practice:
Design network and system security capabilities to leverage, integrate, and share indicators of compromise.

CMMC Clarification:
Most cyber-defense solutions provide an API (Application Programming Interface) that allows an organization to automate updates to those solutions for IoC blocking, hunting, or other mitigation. By automating the process, the organization removes the risk of a human mistyping an entry and greatly reduces the time it takes to insert an indicator into the security solution compared with manual entry.

Example 1
Your organization uses a cyber intelligence service, and as information comes in, it provides bad domains that the organization would not want its assets visiting. Once received, the information is pushed to the corporate firewall, proxy server, and DNS services for blocking, reducing the gap between receiving the information and blocking all access to the bad domains. This stops users from accessing potentially malicious files hosted on those domains.

Example 2
The organization receives information that a specific attack probe is being launched from a foreign system. The threat report identifies the country codes and IP structure of the attack machines. Your intelligence-processing solution collects this information and adds the IP addresses to the block list of your corporate firewall. Within ten minutes after the automated process updated the firewall, you receive logs of attempts against the corporate website. The logs show the attempts, and the details show they were blocked. All of this took place without human intervention and prevented the attack from succeeding.

Sharing IoCs (Indicators of Compromise) with systems across an enterprise strengthens an organization's ability to thwart adversaries. Designing an organization's security architecture to integrate and share IoCs rapidly increases the likelihood of stopping an attack that is happening at machine speed. Machine-speed attacks are attacks that happen in real time and use automation to increase the speed at which the attack spreads and performs actions. Effective sharing requires that intelligence services as well as internal resources process IoC information and provide it to the necessary systems so they can act on the information quickly.

Source: CMMC v1.02

SI-4 (24)

INFORMATION SYSTEM MONITORING | INDICATORS OF COMPROMISE

Description:
The information system discovers, collects, distributes, and uses indicators of compromise.

Supplemental Guidance:
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include, for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack.
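The two IOC classes the guidance names (a registry value created on a host, and a URL or domain that points at command and control) as an added detection example, not part of the NIST or CMMC text: a small IOC set is matched against constructed host registry events and proxy access-log lines. The log formats, registry path, domain and URL path are all made up for this example. The registry comparison normalizes hive names and case so that HKEY_LOCAL_MACHINE\Software and HKLM\SOFTWARE compare equal, and the network comparison matches subdomains of an indicator, since both are common reasons a naive string match misses a real hit.

```python
"""Added example (not from NIST or CMMC): match a small IOC set against
host and network telemetry.  Log formats, registry paths, domains and URL
paths are constructed for illustration."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed IOC set: a Run-key value an intrusion left behind, a C2 domain,
# and a URL path the C2 protocol uses.
IOCS = {
    "registry_values": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updchk"],
    "domains": ["bad-updates.example"],
    "url_paths": ["/gate.php"],
}

# Constructed telemetry: one registry-set event per line, one proxy request per line.
REGISTRY_EVENTS = [
    r"2024-01-05T10:01:02Z host=ws17 event=RegistryValueSet key=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UpdChk data=C:\Users\Public\upd.exe",
    r"2024-01-05T10:01:03Z host=ws17 event=RegistryValueSet key=HKLM\SOFTWARE\Vendor\App\Setting data=1",
]
PROXY_LOG = [
    "2024-01-05T10:02:10Z 10.1.2.3 GET http://cdn.bad-updates.example/gate.php 200",
    "2024-01-05T10:02:11Z 10.1.2.4 GET https://www.example.com/index.html 200",
    "2024-01-05T10:02:12Z 10.1.2.5 GET http://other.example/gate.php 404",
]

_HIVE_ALIASES = {
    "hkey_local_machine": "hklm", "hkey_current_user": "hkcu",
    "hkey_users": "hku", "hkey_classes_root": "hkcr",
}


def normalize_reg_path(path: str) -> str:
    """Lowercase and shorten the hive name so equivalent spellings compare equal."""
    hive, _, rest = path.lower().replace("/", "\\").partition("\\")
    return _HIVE_ALIASES.get(hive, hive) + "\\" + rest


def domain_matches(host: str, indicator: str) -> bool:
    """True for the indicator itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def scan_registry(events: List[str]) -> List[Dict[str, str]]:
    """Host-level IOC: registry values created by the intrusion."""
    wanted = {normalize_reg_path(v) for v in IOCS["registry_values"]}
    hits = []
    for line in events:
        m = re.search(r"key=(\S+)", line)
        if m and normalize_reg_path(m.group(1)) in wanted:
            hits.append({"line": line, "ioc": m.group(1), "kind": "registry_value"})
    return hits


def scan_proxy(lines: List[str]) -> List[Dict[str, str]]:
    """Network-level IOC: C2 domains and URL protocol elements in proxy logs."""
    hits = []
    for line in lines:
        m = re.search(r"\s(https?://\S+)\s", line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        host = parts.hostname or ""
        for d in IOCS["domains"]:
            if domain_matches(host, d):
                hits.append({"line": line, "ioc": d, "kind": "domain"})
        # A path alone is weaker evidence than a domain; it is reported with its own kind
        # so an analyst can weigh it separately.
        if parts.path in IOCS["url_paths"]:
            hits.append({"line": line, "ioc": parts.path, "kind": "url_path"})
    return hits


if __name__ == "__main__":
    for hit in scan_registry(REGISTRY_EVENTS) + scan_proxy(PROXY_LOG):
        print(f"{hit['kind']:14} {hit['ioc']:45} {hit['line'][:60]}")
```

On the constructed data the registry scan returns the one Run-key event, and the proxy scan returns a domain hit and a path hit for the first request plus a path-only hit for the third; the second request matches nothing.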

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02