CMMC IR.5.102 - Use Manual and Automated Responses to Incidents

Requirement text: IR.5.102: Use a combination of manual and automated, real-time responses to
anomalous activities that match incident patterns.

DISCUSSION FROM SOURCE: CMMC
Response activities are necessary because the defenders of an organization's information
technology tend to be at a disadvantage compared to the attacker. Defenders must maintain
awareness of the latest vulnerabilities, know which of them are present in the organization,
have those vulnerabilities remediated, and respond if an attacker finds a vulnerability before
it is remediated. Once a vulnerability is discovered, the attacker tends to operate faster than
a defender can match. To reduce the time to mitigate, an organization should have plans in
place to mitigate an attack. Those plans must cover both manual and automated
responses.

CMMC CLARIFICATION
To gain an advantage, the organization should have pre-defined steps to reduce the risk from
someone conducting a known pattern of malicious activity. The steps could be a manual
checklist or an automated series of actions using scripts or other technology. Organizations
may call these pre-defined or automated lists a playbook or runbook. They help to establish
a formalized incident response that can be performed repeatably. Organizations should balance the
speed of response against the possibility of unintended side effects in determining whether
automated responses are appropriate.

Example
You are the security operations center (SOC) lead for your organization. Recently your
organization has had a problem with staff inserting personal USB drives into their computers.
The SOC has had to wait for a Helpdesk notification before it could respond. To reduce the response
time to these incidents, you build a workflow to respond to the use of personal USB drives. First
you identify the USB events from the host detection tool. The events are forwarded to the
SOC event management application. Once they are identified, you create an alert that is triggered
when the USB event is detected. You then create a script that calls the host detection management
API to block further use of the personal USB drive.
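The following is an added illustration of the workflow described in the example above; it is not part of the CMMC text. It assumes the host detection tool forwards events as one JSON object per line (a constructed format), that the organization keeps an allow-list of issued drive serial numbers, and that the host detection management API is reached through a `HostDetectionClient` class, which here is a hypothetical stand-in that only records the block actions it would send. The `max_auto_blocks` cap is the "balance speed against unintended side effects" point from the clarification: past that number of automated blocks in one run, further matches are queued for a manual analyst step instead.

```python
"""Automated-response playbook for the personal-USB scenario (added example).

Event format, allow-list and the management API client are all constructed
assumptions for the illustration, not a real product's interface.
"""
import json
from dataclasses import dataclass, field

# Constructed sample events in the shape a host detection tool might forward
# to the SOC event management application. The field names are an assumption.
SAMPLE_EVENTS = [
    '{"host":"WS-0412","user":"jdoe","event":"usb_mass_storage_attached",'
    '"vendor_id":"0781","product_id":"5581","serial":"4C530001"}',
    '{"host":"WS-0199","user":"asmith","event":"usb_mass_storage_attached",'
    '"vendor_id":"0951","product_id":"1666","serial":"CORP-ENC-0099"}',
    '{"host":"WS-0412","user":"jdoe","event":"process_start","image":"notepad.exe"}',
]

# Constructed allow-list of organization-issued encrypted drives. Anything
# else that mounts as mass storage is treated as a personal device.
APPROVED_SERIALS = {"CORP-ENC-0099"}


@dataclass
class HostDetectionClient:
    """Hypothetical stand-in for the host detection management API.

    It records the block requests instead of contacting anything, so the
    playbook can be exercised offline; a real client would issue the API call.
    """
    dry_run: bool = False
    calls: list = field(default_factory=list)

    def block_usb_device(self, host, serial):
        action = {"host": host, "serial": serial, "dry_run": self.dry_run}
        self.calls.append(action)
        return action


def matches_incident_pattern(event):
    """Trigger condition: a mass-storage device attached that is not on the
    approved list. This is the 'known pattern of malicious activity'."""
    return (event.get("event") == "usb_mass_storage_attached"
            and event.get("serial") not in APPROVED_SERIALS)


def run_playbook(raw_events, client, max_auto_blocks=5):
    """Alert on every match; block automatically up to max_auto_blocks per run,
    and hand the remainder to an analyst so a noisy or faulty feed cannot
    mass-block endpoints unattended."""
    alerts, manual_queue = [], []
    for line in raw_events:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed input never triggers a response action
        if not matches_incident_pattern(event):
            continue
        alert = {"host": event["host"], "user": event["user"],
                 "serial": event["serial"]}
        alerts.append(alert)
        if len(client.calls) < max_auto_blocks:
            client.block_usb_device(event["host"], event["serial"])
        else:
            manual_queue.append(alert)
    return {"alerts": alerts, "blocked": list(client.calls),
            "manual_queue": manual_queue}


if __name__ == "__main__":
    # Dry run against the constructed events: one personal drive is flagged
    # and a block is recorded for WS-0412; the issued drive on WS-0199 is not.
    result = run_playbook(SAMPLE_EVENTS, HostDetectionClient(dry_run=True))
    print(json.dumps(result, indent=2))
```

Running the module as a script performs a dry run over the constructed events; swapping `HostDetectionClient` for a real API client and setting `dry_run=False` would be the point at which the script becomes the automated response, which is why the cap and the allow-list exist before that switch is made.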

ADDITIONAL READING
NIST Computer Security Incident Handling Guide: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
Integrated Adaptive Cyber Defense: https://www.iacdautomate.org/

References
• CMMC
• NIST SP 800-53 Rev 4 IR-4(1)