Level 5 CMMC - CMMC Practices

IR.5.102  

Reference: CMMC 1.02

Family: IR

Level Introduced: 5

Practice:
Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.

CMMC Clarification:
To gain an advantage the organization should have pre-defined steps to reduce the risk from someone conducting a known pattern of malicious activity. The steps could be a manual checklist or automated series of actions using scripts or other technology. Organizations may call these pre-defined or automated lists a playbook or runbook. They help to establish a formalized incident response that can be performed. Organizations should balance the speed of response against the possibility of unintended side-effects in determining whether automated responses are appropriate.

Example
You are the security operations center (SOC) lead for your organization. Recently your organization has had a problem with staff inserting personal USB drives in their computers. The SOC has had to wait for the Helpdesk notification to respond. To reduce the response time to these incidents you build a workflow to respond to the use of personal USBs. First you identify the USB events from the host detection tool. The events are forwarded to the SOC event management application. Once identified, you create an alert that is triggered when the USB event is detected. You create a script to call the host detection management API to block further use of a personal USB.

Additional Reading
NIST Computer Security Incident Handling Guide: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
Integrated Adaptive Cyber Defense: https://www.iacdautomate.org/

Response activities are necessary because the defenders of an organization’s information technology tend to be at a disadvantage compared to the attacker. Defenders must maintain awareness of the latest vulnerabilities, be aware of the vulnerabilities in the organization, have the vulnerabilities remediated, and respond if an attacker finds a vulnerability before it is remediated. Once a vulnerability is discovered, the attacker tends to operates faster than a defender can match. To reduce the time to mitigate an organization should have plans in place to mitigate an attack. Plans must be comprehensive of manual and automated responses.

Source: CMMC v1.02

IR-4 (1)

INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES

Description:
The organization employs automated mechanisms to support the incident handling process.

Supplemental Guidance:
Automated mechanisms supporting incident handling processes include, for example, online incident management systems.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02