Requirement text: RM.4.149: Catalog and periodically update threat profiles and adversary TTPs.
DISCUSSION FROM SOURCE: CMMC
One method that more mature enterprises can use to protect their systems is to employ threat
profiles and to understand adversary tools, techniques, and procedures (TTPs). This
knowledge can be gained from threat feeds, training, and the various frameworks available
on the internet. By cataloging (or tracking) and updating threat profiles and adversary
TTPs, an organization can use this information when planning enterprise changes, hunting
for adversary activity on the network, and unraveling a complicated attack incident that may
have taken place.
This information is a critical component when planning incident response actions, analyzing
alerts on systems, and predicting which assets an adversary is most likely to go after based
on the TTPs they use. Someone who wants to win against an opponent typically studies that
opponent's techniques and tactics. This knowledge not only allows them to train properly for
the event, but lets them recognize what the opponent is doing and anticipate the opponent's
next actions from knowledge of past ones. In the same way, this information helps an
organization gain a cyber-advantage over the adversary. The purpose of creating threat
profiles and adversary TTPs is to identify and gain knowledge about an adversary that is
trying to cause harm to your enterprise. Adversary goals include: accessing an enterprise to
steal credentials, accessing proprietary information, stealing technologies, and disrupting
operations.
CMMC CLARIFICATION
This practice enables organizations to proactively include the adversary's perspective in
their cybersecurity planning and incident response. Organizations should know that setting
up a security perimeter around the enterprise is no longer enough to keep it protected
against today's adversaries. Understanding the adversaries' TTPs, and documenting how those
techniques could be used against the organization, is one of the first steps needed to keep
the adversaries at bay. If an adversary gains access to an organization's enterprise,
knowledge of their actions, their standard operating procedures, and what they are likely to
be after can be a key part of eradicating them from the enterprise. See practice IR.4.100
for use of this information.
Example 1
Your organization has recently received information from a threat feed that adversaries are
seeking technical knowledge in the area in which your company specializes. Your cyber
defense team is put on high alert to look for activity that appears out of the ordinary. In
order to properly identify that activity, they consult their catalog of threat profiles for
the entries related to the specific threat actor that has been identified. The actor's TTPs
can then be used to help the cyber defense team identify and eradicate actions taken by the
adversary.
Example 2
Your organization wants to use knowledge of adversaries to help plan and protect itself
against cyber-attacks. It subscribes to threat feed services that provide updated
information on adversary TTPs. Designated individuals receive this information and maintain
a repository of threat profiles for the adversaries most likely to target your organization.
These profiles are then used by various teams when planning the organization's cyber
defenses, and by the organization's Defensive Cyber Organization (DCO) to help monitor and
protect the enterprise from adversary actions.
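The following is an added illustration, not part of the CMMC text and not a CMMC-provided tool, of what the catalog described in the discussion and in both examples can look like in practice: a small threat-profile repository that supports the periodic review the practice requires (flagging profiles that have not been reviewed recently), the Example 1 lookup of which catalogued actors target your sector when a feed warns of activity, the planning use of finding which catalogued TTPs have no detection mapped, and the Example 2 merge of a feed update into an actor's profile. The catalog contents, actor names, detection names and the fixed reference date are constructed for the example; TTP identifiers use the MITRE ATT&CK technique-ID format as an assumed naming convention, since the practice text names no specific framework.

```python
"""Added example: a minimal threat-profile catalog with stale-profile review,
sector lookup, detection-gap reporting and feed-driven updates."""
import json
from datetime import date, timedelta

# Fixed reference date so runs are reproducible (constructed, not real).
TODAY = date(2023, 7, 1)

# Constructed sample catalog, not real intelligence. Actor names are fictional;
# TTP identifiers follow the MITRE ATT&CK technique-ID format (assumption).
CATALOG_JSON = """
[
  {"actor": "EXAMPLE-BEAR", "last_reviewed": "2023-01-10",
   "targets": ["aerospace", "defense"], "goals": ["steal technology"],
   "ttps": ["T1566", "T1078", "T1003", "T1041"]},
  {"actor": "EXAMPLE-SPIDER", "last_reviewed": "2023-06-01",
   "targets": ["manufacturing"], "goals": ["disrupt operations"],
   "ttps": ["T1566", "T1486"]}
]
"""

# Constructed map of TTP -> detections the organization already runs.
DETECTIONS = {
    "T1566": ["mail-gateway-attachment-sandbox"],
    "T1078": ["impossible-travel-login-alert"],
    "T1486": ["mass-file-rename-alert"],
}


def load_catalog(text):
    """Parse the JSON catalog; review dates become date objects, TTPs become sets."""
    profiles = json.loads(text)
    for p in profiles:
        p["last_reviewed"] = date.fromisoformat(p["last_reviewed"])
        p["ttps"] = set(p["ttps"])
    return profiles


def stale_profiles(catalog, today, max_age_days=90):
    """Actors whose profile has not been reviewed within max_age_days (periodic update)."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(p["actor"] for p in catalog if p["last_reviewed"] < cutoff)


def profiles_for_sector(catalog, sector):
    """Profiles of actors known to target the given sector (the Example 1 lookup)."""
    return [p for p in catalog if sector in p["targets"]]


def detection_gaps(profile, detections):
    """Catalogued TTPs of this actor for which no detection is mapped (planning input)."""
    return sorted(t for t in profile["ttps"] if not detections.get(t))


def apply_feed_update(catalog, actor, new_ttps, today, targets=()):
    """Merge TTPs from a feed report into the actor's profile and mark it reviewed,
    creating the profile if the actor is new; returns the TTPs newly added."""
    for p in catalog:
        if p["actor"] == actor:
            added = set(new_ttps) - p["ttps"]
            p["ttps"] |= added
            p["last_reviewed"] = today
            return sorted(added)
    catalog.append({"actor": actor, "last_reviewed": today,
                    "targets": list(targets), "goals": [],
                    "ttps": set(new_ttps)})
    return sorted(set(new_ttps))


if __name__ == "__main__":
    catalog = load_catalog(CATALOG_JSON)
    print("profiles overdue for review:", stale_profiles(catalog, TODAY))
    for p in profiles_for_sector(catalog, "aerospace"):
        print(p["actor"], "targets aerospace; TTPs without a detection:",
              detection_gaps(p, DETECTIONS))
    print("new TTPs from feed:",
          apply_feed_update(catalog, "EXAMPLE-BEAR", ["T1078", "T1486"], TODAY))
    print("profiles overdue after the update:", stale_profiles(catalog, TODAY))
```

The stale-profile check is what turns "periodically update" into something auditable: a profile whose last review date is older than the review interval shows up on every run until someone confirms or revises it. The detection-gap list is the planning output the practice points at, since a TTP an actor is known to use but that no alert covers is where hunting and new detections should go first.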
ADDITIONAL READING
References
• CMMC
• NIST CSF v1.1 DE.AE-2
• CERT RMM v1.2 VAR:SG2.SP1