Reference: CMMC 1.02
Level Introduced: 5
In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
The security operations center (whether in-house or outsourced) must have the necessary forensic data to develop situational awareness across the organizationâ€™s infrastructure. One solution identifies and collects security relevant system events, data, or images using an agent on the system. The agent transfers the events in real-time over a secure channel to a protected network enclave. Other solutions require physical access to the machine from which the data is gathered.
Many individual system security tools such as anti-virus or endpoint detection and response (EDR) tools can create logs, access system information in real-time, or image memory for secure transfer to a central management server. These logs would allow a SOC to begin the investigation. The SOC should also consider software tools used to push software or patches to systems. This would provide an on-demand capability for the SOC to send a security application when needed for forensic data collection.
You are responsible for security operations at your organization. You implement a central log collection tool and configure your organizationâ€™s laptops and desktops to send syslog and security event logs to this tool. The tool is used by the SOC staff to monitor for abnormal activity. When suspicious activity is detected, the SOC has access to an open source utility you have installed to collect additional forensic information from a target laptop or desktop about operating system process creation, network connections, and changes to files. This additional capability complements the security application forensic data.
Additional ReadingNIST Computer Security Incident Handling Guide: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
NIST Special Publication 800-86 Guide to Integrating Forensics Techniques into Incident Response: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
Organizations need to have the ability to gather attack forensics as part of responding to security incidents. During a cyberattack an attacker may seek to hide the activities taken to gain access, maintain persistence, and perform reconnaissance of an organizationâ€™s networks. However, in the course of their activities the attackers will leave artifacts that indicate their presence. This could be a local event indicating a system login, files associated with malware, or processes running in the system memory. To avoid detection an attacker may erase local logs or delete files. To allow for a thorough investigation the security operations center (SOC) should seek to collect forensic data from systems in real-time and be able to collect volatile data such as system memory when needed. Collection of the forensic data should be protected during transit and storage.
Source: CMMC v1.02
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7.