Level 5 CMMC - CMMC Practices

SI.4.221  

Reference: CMMC 1.02

Family: SI

Level Introduced: 4

Practice:
Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.

CMMC Clarification:
When conducting cyberattacks the attackers tend to operate using certain patterns of behavior or exploit capabilities. This collection of patterns and capabilities are known as Tactics, Techniques, and Procedures (TTP). An organization can build their knowledge of attacker TTPs by participating in Information Sharing and Analysis Centers (ISAC) for their industry. An ISAC collects cyber threat information relevant to the industry and its members in order to improve the cyber posture of that industry. Based on the lines of business an organization may consider more than one ISAC. An organization may also acquire TTPs through commercial providers in order to integrate into various technologies.

Example
You are the manager of the Security Operations Center (SOC) and have recently added a role to perform cyber threat hunting. You have been tasked to set up the process for the SOC. You first identify relevant sources of threat information for the organization. You have the organization join the National Defense ISAC and begin to interact with peers in the ISAC. You capture events in your organization and share the TTPs with your peers. In return, they share new TTPs with you. After downloading the TTPs, you build queries against the SOC’s central repository for recurring searches. You also acquire a commercial threat indicator feed of suspicious domains, known malware hashes, and IP addresses. You use these to supplement a custom intrusion detection system.

Additional Reading
National Council of ISACs: https://www.nationalisacs.org/
ATT&CK: https://attack.mitre.org/
NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf
Homeland Security Systems Engineering & Development Institute Cyber Threat Modeling: https://www.mitre.org/sites/default/files/publications/pr_18-1174-ngci-cyber-threat- modeling.pdf

3.14.6e

Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting.

Discussion:
Threat information related to specific threat events (e.g., TTPs, targets) that organizations have experienced, threat mitigations that organizations have found to be effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) are sourced from and shared with trusted organizations. This threat information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information sharing includes threat indicators, signatures, and adversary TTPs from organizations participating in threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified nonfederal organizations from government sources.

Source: NIST Special Publication 800-172 (Draft)

Source: CMMC v1.02