Requirement text: SA.4.173: Design network and system security capabilities to leverage, integrate, and
share indicators of compromise.
DISCUSSION FROM SOURCE: CMMC
Sharing IoCs (Indicators of Compromise) with systems across an enterprise strengthens an
organization's ability to thwart adversaries. Designing an organization's security
architecture to integrate and share IoCs rapidly increases the likelihood of stopping an attack
that is happening at machine speed. Machine-speed attacks happen in real time and use
automation to increase the speed at which the attack spreads and performs actions. Effective
sharing requires that intelligence services, as well as internal resources, process IoC
information and provide it to the necessary systems so that they can act on the information
quickly.
CMMC CLARIFICATION
Most cyber-defense solutions provide an API (Application Programming Interface) that
allows an organization to automate updates to those solutions for IoC blocking, hunting, or
other mitigation. Automating the process eliminates the chance of a human mistyping an
entry and greatly reduces the time needed to insert the IoC into the security solution
compared to manual entry.
Example 1
Your organization uses a cyber intelligence service. As information comes in, it provides
bad domains that an organization would not want its assets visiting. Once received, the
information is pushed to the corporate firewall, proxy server, and DNS services for blocking,
which reduces the gap between receiving the information and blocking all access to the bad
domains. This stops users from accessing potentially malicious files hosted on the domains
provided.
Example 2
The organization receives information that a specific attack probe is being launched from a
foreign system. The threat report identifies the country codes and IP structure of the attack
machines. Your intelligence processing solution collects this information and then adds the
IP addresses to the block list of your corporate firewall. Within ten minutes of the
automated process updating the firewall, you receive logs of the attempts against the
corporate website. The logs show the attempts, and the details show that they were
blocked. All of this took place without human intervention and prevented the attack from
being successful.
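The automated IoC path described in the clarification and in both examples, as an added illustration (not CMMC's own code and not tied to any particular product): it validates a constructed feed, rejects malformed entries instead of pushing them downstream, merges nested IP ranges, and renders DNS response policy zone records and firewall deny rules. The feed's type/value schema and the "deny from" rule syntax are assumptions for this example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample feed (not data from a real service); the type/value schema is assumed.
SAMPLE_FEED = [
    {"type": "domain", "value": "bad-downloads.example"},
    {"type": "domain", "value": "BAD-DOWNLOADS.example."},  # duplicate once normalised
    {"type": "domain", "value": "not a domain"},            # malformed, must be rejected
    {"type": "ipv4", "value": "203.0.113.7"},
    {"type": "ipv4", "value": "203.0.113.0/24"},            # already covers the host above
    {"type": "ipv4", "value": "999.1.1.1"},                 # malformed, must be rejected
    {"type": "hash", "value": "not-handled-here"},          # type outside this example
]

_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalise_feed(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Validate and dedupe feed records into per-target indicator lists.

    Malformed values are rejected instead of being pushed downstream; this is
    the automated counterpart of catching a mistyped manual entry.
    """
    domains, nets, rejected = set(), [], []
    for rec in records:
        kind, raw = rec.get("type"), (rec.get("value") or "").strip()
        if kind == "domain":
            name = raw.lower().rstrip(".")          # case-fold, drop trailing dot
            if _DOMAIN_RE.match(name):
                domains.add(name)
            else:
                rejected.append(raw)
        elif kind == "ipv4":
            try:
                nets.append(ipaddress.ip_network(raw, strict=False))  # host or CIDR
            except ValueError:
                rejected.append(raw)
    # Merge overlapping or nested networks so the firewall gets a minimal rule set.
    merged = [str(n) for n in ipaddress.collapse_addresses(nets)]
    return {"domains": sorted(domains), "networks": merged, "rejected": rejected}


def render_rpz_records(domains: List[str]) -> List[str]:
    """DNS response policy zone (RPZ) records that sinkhole each domain and its subdomains."""
    return [line for d in domains for line in (f"{d} CNAME .", f"*.{d} CNAME .")]


def render_firewall_rules(networks: List[str]) -> List[str]:
    """Deny rules in an assumed vendor-neutral syntax, one per merged network."""
    return [f"deny from {n}" for n in networks]
```

The rejected list is the part worth alerting on: a feed entry that fails validation should be surfaced to an analyst rather than silently dropped.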
References
• CMMC
• NIST SP 800-53 Rev 4 SI-4(24)