Level 5 CMMC - CMMC Practices

IR.5.106  

Reference: CMMC 1.02

Family: IR

Level Introduced: 5

Practice:
In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.

CMMC Clarification:
The security operations center (whether in-house or outsourced) must have the necessary forensic data to develop situational awareness across the organization’s infrastructure. One solution identifies and collects security relevant system events, data, or images using an agent on the system. The agent transfers the events in real-time over a secure channel to a protected network enclave. Other solutions require physical access to the machine from which the data is gathered.

Many individual system security tools such as anti-virus or endpoint detection and response (EDR) tools can create logs, access system information in real-time, or image memory for secure transfer to a central management server. These logs would allow a SOC to begin the investigation. The SOC should also consider software tools used to push software or patches to systems. This would provide an on-demand capability for the SOC to send a security application when needed for forensic data collection.

Example
You are responsible for security operations at your organization. You implement a central log collection tool and configure your organization’s laptops and desktops to send syslog and security event logs to this tool. The tool is used by the SOC staff to monitor for abnormal activity. When suspicious activity is detected, the SOC has access to an open source utility you have installed to collect additional forensic information from a target laptop or desktop about operating system process creation, network connections, and changes to files. This additional capability complements the security application forensic data.

Additional Reading
NIST Computer Security Incident Handling Guide: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
NIST Special Publication 800-86 Guide to Integrating Forensics Techniques into Incident Response: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

Organizations need to have the ability to gather attack forensics as part of responding to security incidents. During a cyberattack an attacker may seek to hide the activities taken to gain access, maintain persistence, and perform reconnaissance of an organization’s networks. However, in the course of their activities the attackers will leave artifacts that indicate their presence. This could be a local event indicating a system login, files associated with malware, or processes running in the system memory. To avoid detection an attacker may erase local logs or delete files. To allow for a thorough investigation the security operations center (SOC) should seek to collect forensic data from systems in real-time and be able to collect volatile data such as system memory when needed. Collection of the forensic data should be protected during transit and storage.
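The CMMC Clarification above describes an agent shipping forensic data over a secure channel to a protected enclave, and the discussion closes by requiring that collected data be protected in transit and storage. The following added example (not part of the CMMC text) shows the integrity half of that protection in Python: the collector records a SHA-256 per artifact in a manifest, signs the manifest with an HMAC, and the receiving enclave verifies both before the evidence is trusted. The HMAC key, host name, timestamp and artifact contents are constructed placeholders; transport encryption (e.g. TLS) is assumed to be provided separately.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HMAC_KEY = b"replace-with-provisioned-key"  # constructed; provision the real key to collector and SOC out of band

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # chunked: memory images are large
            h.update(chunk)
    return h.hexdigest()

def build_manifest(artifact_dir: Path, host: str, collected_at: str) -> dict:
    # Size and SHA-256 for every collected file, keyed by path relative to the bundle.
    entries = {p.relative_to(artifact_dir).as_posix(): {"sha256": hash_file(p), "size": p.stat().st_size}
               for p in sorted(artifact_dir.rglob("*")) if p.is_file()}
    return {"host": host, "collected_at": collected_at, "artifacts": entries}

def sign_manifest(manifest: dict, key: bytes) -> str:
    # HMAC over canonical JSON makes the manifest itself tamper-evident.
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_manifest(artifact_dir: Path, manifest: dict, tag: str, key: bytes) -> list:
    # Run at the receiving enclave; an empty list means the evidence arrived intact.
    problems = []
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        problems.append("manifest HMAC mismatch")
    for rel, meta in manifest["artifacts"].items():
        p = artifact_dir / rel
        if not p.is_file():
            problems.append("missing: " + rel)
        elif p.stat().st_size != meta["size"] or hash_file(p) != meta["sha256"]:
            problems.append("modified: " + rel)
    return problems

def demo() -> tuple:
    # Constructed artifacts: a process listing and a connection listing from one host.
    with tempfile.TemporaryDirectory() as d:
        art = Path(d)
        (art / "pslist.txt").write_text("PID 4312 powershell.exe parent=explorer.exe\n")
        (art / "netstat.txt").write_text("TCP 10.0.0.5:51234 -> 203.0.113.7:443 ESTABLISHED\n")
        manifest = build_manifest(art, "ws-0412", "2020-01-01T00:00:00Z")
        tag = sign_manifest(manifest, HMAC_KEY)
        clean = verify_manifest(art, manifest, tag, HMAC_KEY)
        (art / "netstat.txt").write_text("")  # simulate the log being wiped after collection
        return clean, verify_manifest(art, manifest, tag, HMAC_KEY)
```

Calling `demo()` returns `([], ['modified: netstat.txt'])`: the bundle verifies cleanly on arrival, and the later wipe of one artifact is detected against the signed manifest.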

Source: CMMC v1.02

AU-12

AUDIT GENERATION

Description:
The information system:
    a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
    b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
    c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Supplemental Guidance:
Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02