Practice SI.L3-3.14.6e Details

From CMMC Toolkit Wiki

Source of Reference: The official CMMC Level 3 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).


SI.L3-3.14.6E – THREAT-GUIDED INTRUSION DETECTION

SECURITY REQUIREMENT

Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:

[ODP1] External organizations from which to obtain threat indicator information and effective mitigations are defined;
[a] Threat indicator information is identified;
[b] Effective mitigations are identified;
[c] Intrusion detection approaches are identified;
[d] Threat hunting activities are identified; and
[e] Threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources and any DoD-provided sources, are used to guide and inform intrusion detection and threat hunting.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine

[SELECT FROM: System and information integrity policy; information security program plan; procedures addressing security alerts, advisories, and directives; threat awareness program documentation; procedures addressing system monitoring; procedures for the threat awareness program; risk assessment results relevant to threat awareness; records of security alerts and advisories; system design documentation; security plan; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system monitoring logs or records; system audit records; documentation on the cross-organization information-sharing capability; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel responsible for information security program planning and plan implementation; system/network administrators; organizational personnel responsible for the threat awareness program; organizational personnel responsible for the cross-organization information-sharing capability; organizational personnel responsible for information security; organizational personnel responsible for installing, configuring, and/or maintaining the system; organizational personnel responsible for security alerts and advisories; organizational personnel responsible for implementing, operating, maintaining, and using the system; organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated; personnel with whom threat awareness information is shared by the organization; system developers].

Test

[SELECT FROM: Mechanisms supporting and/or implementing the threat awareness program; mechanisms supporting and/or implementing the cross-organization information-sharing capability; mechanisms supporting and/or implementing the system monitoring capability; mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives; mechanisms supporting and/or implementing security directives; mechanisms supporting and/or implementing threat hunting; mechanisms supporting and/or implementing intrusion detection; mechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise].

DISCUSSION [NIST SP 800-172]

Threat information related to specific threat events (e.g., TTPs, targets) that organizations have experienced, threat mitigations that organizations have found to be effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) are sourced from and shared with trusted organizations. This threat information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information sharing includes threat indicators, signatures, and adversary TTPs from organizations participating in threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, CISA/US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified nonfederal organizations from government sources.

FURTHER DISCUSSION

One way to effectively leverage threat indicator information is to access human- or machine-readable threat intelligence feeds. Effectiveness may also require the organization to create TTPs in support of operational requirements, which will typically include defensive cyber tools supporting incident detection, alerts, incident response, and threat hunting. It is possible that this requirement will be implemented by a third-party managed service provider, and in that case, it will be necessary to carefully define the boundary and responsibilities between the OSC and the ESP to guarantee a robust implementation. It is also important that the OSC validate threat indicator integration into the defensive cyber toolset by being able to (1) implement mitigations for sample industry relevant indicators of compromise (e.g., IP address, file hash), (2) identify sample indicators of compromise across sample endpoints, and (3) identify sample indicators of compromise using analytical processes on a system data repository.

Example

You are responsible for information security in your organization. You have maintained an effective intrusion detection capability for some time, but now you decide to introduce a threat hunting capability informed by internal and external threat intelligence [a,c,d,e]. You install a SIEM system that leverages threat information to provide functionality to:

  • analyze logs, data sources, and alerts;
  • query data to identify anomalies;
  • identify variations from baseline threat levels;
  • provide machine learning capabilities associated with the correlation of anomalous data characteristics across the enterprise; and
  • categorize data sets based on expected data values.

Your team also manages an internal mitigation plan (playbook) for all known threats to your environment. This playbook is used to implement effective mitigation strategies across the environment [b]. Some of the mitigation strategies are developed by team members, and others are obtained from threat feed services.
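The Further Discussion above asks the OSC to show that indicator integration works: mitigations can be derived for sample indicators (IP address, file hash), sample indicators can be found across endpoints, and the same indicators can be found by querying a data repository. The Example then describes a SIEM that consumes threat information to analyze logs and query data. The following is an added illustration of that workflow, not code from the assessment guide or from any SIEM product: it loads a small indicator feed, normalizes each indicator, runs endpoint and DNS telemetry through it, and collapses the detections into the distinct mitigation actions a playbook would execute. The feed, the log lines, the field names (dst_ip, sha256, qname) and the mitigation labels are all constructed assumptions, and the hash and addresses are placeholders rather than real indicators.

```python
# Added example: threat-indicator matching over constructed telemetry.
# Feed format, log schema and mitigation names are assumptions, not a standard.
import csv
import io
import ipaddress
from collections import defaultdict

PLACEHOLDER_HASH = "a1b2c3d4" * 8  # 64 hex chars standing in for a real file hash

# Constructed indicator feed. A real open or commercial feed would usually
# arrive as STIX/TAXII or a vendor CSV; the mixed case here exercises normalization.
INDICATOR_FEED = f"""indicator_type,value,mitigation,source
ipv4,203.0.113.45,block-at-perimeter,open-feed-example
sha256,{PLACEHOLDER_HASH.upper()},quarantine-file,commercial-feed-example
domain,Bad.Example.net,sinkhole-dns,open-feed-example
"""

# Constructed endpoint and network telemetry in "timestamp key=value ..." form.
LOG_LINES = [
    "2024-05-01T10:00:01Z host=ws-01 event=net_conn dst_ip=203.0.113.45 dst_port=443",
    "2024-05-01T10:00:05Z host=ws-01 event=net_conn dst_ip=198.51.100.7 dst_port=443",
    f"2024-05-01T10:01:10Z host=ws-02 event=file_exec sha256={PLACEHOLDER_HASH} path=/tmp/t.bin",
    "2024-05-01T10:02:00Z host=ws-03 event=dns_query qname=cdn.bad.example.net",
    "2024-05-01T10:02:30Z host=ws-03 event=dns_query qname=good.example.com",
]

# Which log field carries each indicator type (assumed log schema).
FIELD_FOR_TYPE = {"ipv4": "dst_ip", "sha256": "sha256", "domain": "qname"}


def normalize(indicator_type, value):
    """Canonicalize a value so feed and log spellings compare equal.
    Returns None when the value is malformed for its type."""
    value = value.strip()
    if indicator_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))
        except ipaddress.AddressValueError:
            return None
    if indicator_type == "sha256":
        v = value.lower()
        return v if len(v) == 64 and all(c in "0123456789abcdef" for c in v) else None
    if indicator_type == "domain":
        return value.lower().rstrip(".")
    return None


def load_indicators(feed_text):
    """Parse the feed into {indicator_type: {normalized_value: record}},
    dropping rows whose value fails validation."""
    indicators = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(feed_text)):
        norm = normalize(row["indicator_type"], row["value"])
        if norm is not None:
            indicators[row["indicator_type"]][norm] = {**row, "value": norm}
    return indicators


def parse_log_line(line):
    """Split a 'ts k=v k=v' line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, sep, val = token.partition("=")
        if sep:
            fields[key] = val
    return fields


def match_fields(fields, indicators):
    """Return feed records the parsed log line matches. Domains match on the
    exact name or any parent domain, so a subdomain of a listed domain hits."""
    hits = []
    for itype, field in FIELD_FOR_TYPE.items():
        if field not in fields:
            continue
        observed = normalize(itype, fields[field])
        if observed is None:
            continue
        table = indicators.get(itype, {})
        if itype == "domain":
            labels = observed.split(".")
            candidates = [".".join(labels[i:]) for i in range(len(labels))]
        else:
            candidates = [observed]
        for cand in candidates:
            if cand in table:
                hits.append(table[cand])
                break
    return hits


def hunt(log_lines, indicators):
    """Run every log line through the indicator tables; each detection carries
    the host, timestamp, matched indicator and the feed's suggested mitigation."""
    detections = []
    for line in log_lines:
        fields = parse_log_line(line)
        for rec in match_fields(fields, indicators):
            detections.append({"ts": fields["ts"], "host": fields.get("host", "unknown"),
                               "indicator_type": rec["indicator_type"], "value": rec["value"],
                               "mitigation": rec["mitigation"], "source": rec["source"]})
    return detections


def mitigation_plan(detections):
    """Collapse detections into the distinct (mitigation, indicator) actions a
    playbook would execute, e.g. one perimeter block per listed address."""
    return sorted({(d["mitigation"], d["value"]) for d in detections})


if __name__ == "__main__":
    found = hunt(LOG_LINES, load_indicators(INDICATOR_FEED))
    for d in found:
        print(f"{d['ts']} {d['host']}: {d['indicator_type']}={d['value']} -> {d['mitigation']}")
    print("mitigation plan:", mitigation_plan(found))
```

Two points in this shape are worth carrying into a real deployment. Normalization happens on both sides (feed and telemetry), so a feed that publishes upper-case hashes or a trailing dot on a domain still matches, and malformed feed rows are dropped rather than silently matching nothing. The parent-domain walk means an indicator for a domain also catches lookups of its subdomains, which is usually what a sinkhole mitigation intends; the same hunt() function can be pointed at a historical log export to satisfy the "analytical processes on a system data repository" check as well as live endpoint matching.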

Potential Assessment Considerations

  • Which external sources has the organization identified as threat information sources [a]?
  • Does the organization understand the TTPs of key attackers [c,d]?
  • Does the organization deploy threat indicators to EDR systems, network intrusion detection systems, or both [c,d,e]?
  • What actions does the organization implement when a threat alert/indicator is signaled [c,d,e]?
  • Does the organization use internal threat capabilities within their existing security tools [e]?
  • How does the organization respond to a third-party notification of a threat indicator [e]?

KEY REFERENCES

  • NIST SP 800-172 3.14.6e