Level 5 CMMC - CMMC Practices

IR.4.100

Reference: CMMC 1.02

Family: IR

Level Introduced: 4

Practice:
Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution.

CMMC Clarification:
When conducting cyberattacks, attackers (or actors) tend to operate using certain patterns of behavior or to exploit particular capabilities. These patterns and capabilities are known as Tactics, Techniques, and Procedures (TTPs). Knowledge of adversarial TTPs permits an organization to develop the right protective measures and responses to address a potential attack.

An organization can build its knowledge of attacker TTPs by participating in the Information Sharing and Analysis Centers (ISACs) for its industry. An ISAC collects cyber threat information relevant to the industry and its members in order to improve the cyber posture of that industry. Based on its lines of business, an organization may consider more than one ISAC.

Example
You are a manager. Your organization develops cutting-edge technology for the aerospace and defense industry. Recent news indicates the industry is facing increased cyberattacks. Several peers share with you that they have experienced these attacks. To better understand the threats, you enroll the organization in the Aviation and National Defense ISACs. As part of the ISACs, you receive reports that help inform your organizational defenses. You attend ISAC meetings where peers share TTPs and best practices. Using what you learned, you conduct open-source research on the Internet for additional information about attackers and how they conduct their operations. You use all of this information to improve incident response planning for the organization.

Additional Reading
National Council of ISACs: https://www.nationalisacs.org/
NSA/CSS Technical Cyber Threat Framework v2: https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/ctr-nsa-css-technical-cyber-threat-framework.pdf
ATT&CK: https://attack.mitre.org/
NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf

This practice requires that an organization explicitly consider the attacker's perspective when implementing the organization's incident response capability. The information necessary to do so can come from public sources, from government, or from third-party threat intelligence organizations. Specifically, it is not the intent of this practice to require an internal, organizational threat intelligence capability. See practice RM.4.149 for the creation of this information.

Source: CMMC v1.02