Requirement text: SI.4.221: Use threat indicator information relevant to the information and systems
being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B
The constantly changing and increasing sophistication of adversaries, especially the
advanced persistent threat (APT), makes it essential that threat information relating to
specific threat events (e.g., TTP, targets) that organizations have experienced, mitigations
that organizations have found are effective against certain types of threats, and threat
intelligence (i.e., indications and warnings about threats that can occur) be sourced from and
shared with trusted organizations. This information can be used by organizational Security
Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information
sharing includes threat indicators, signatures, and adversary TTP from organizations
participating in various threat-sharing consortia, government-commercial cooperatives, and
government-government cooperatives (e.g., CERTCC, US-CERT, FIRST, ISAO, DIB CS
Program). Unclassified indicators, based on classified information but which can be readily
incorporated into organizational intrusion detection systems, are available to qualified
nonfederal organizations from government sources.
CMMC CLARIFICATION
When conducting cyberattacks, attackers tend to operate using recurring patterns of
behavior and exploit capabilities. This collection of patterns and capabilities is known as
Tactics, Techniques, and Procedures (TTP). An organization can build its knowledge of
attacker TTPs by participating in the Information Sharing and Analysis Center (ISAC) for its
industry. An ISAC collects cyber threat information relevant to the industry and its members
in order to improve the cyber posture of that industry. Depending on its lines of business, an
organization may need to participate in more than one ISAC. An organization may also acquire TTPs
and indicators from commercial providers for integration into its detection technologies.
Example
You are the manager of the Security Operations Center (SOC) and have recently added a role
to perform cyber threat hunting. You have been tasked to set up the process for the SOC.
You first identify relevant sources of threat information for the organization. You have the
organization join the National Defense ISAC and begin to interact with peers in the ISAC. You
capture events in your organization and share the TTPs with your peers. In return, they
share new TTPs with you. After downloading the TTPs, you build queries against the SOC’s
central repository for recurring searches. You also acquire a commercial threat indicator
feed of suspicious domains, known malware hashes, and IP addresses. You use these to
supplement a custom intrusion detection system.
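The recurring query described in the example, as an added illustration that is not part of the CMMC or NIST text: a downloaded indicator feed (domains, IP addresses or CIDR ranges, file hashes) is normalized into lookup structures and run over records pulled from the SOC's central log repository. The feed layout, the log field names, the indicator values and the log records are all constructed for this example and are not from any real feed or product; the expiry handling shows the caveat a practitioner wants, namely that stale indicators should be dropped rather than left to generate noise, and the domain matching treats an indicator as a hit for any subdomain of it.

```python
"""Match an external threat-indicator feed against SOC log records.

Added example; the feed format, log schema and all values below are
constructed for illustration and are not taken from the CMMC/NIST text.
"""
import ipaddress
from datetime import date

# Constructed indicator feed. Each entry carries a type, a value, the
# sharing source it came from and an expiry so stale indicators stop firing.
INDICATORS = [
    {"type": "domain", "value": "Malicious-Update.example",
     "source": "ND-ISAC", "valid_until": "2030-01-01"},
    {"type": "ip", "value": "203.0.113.0/24",
     "source": "commercial-feed", "valid_until": "2030-01-01"},
    {"type": "ip", "value": "198.51.100.7",            # expired indicator
     "source": "commercial-feed", "valid_until": "2020-01-01"},
    {"type": "sha256",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "source": "ND-ISAC", "valid_until": "2030-01-01"},
]

# Constructed log records (proxy, DNS and endpoint file events) in the
# parsed form a central repository might return for a scheduled search.
LOGS = [
    {"ts": "2024-05-01T10:00:00Z", "src": "proxy", "host": "ws-17",
     "domain": "cdn.malicious-update.example", "dst_ip": "203.0.113.55"},
    {"ts": "2024-05-01T10:00:05Z", "src": "dns", "host": "ws-17",
     "domain": "www.example.com", "dst_ip": "192.0.2.10"},
    {"ts": "2024-05-01T10:01:00Z", "src": "edr", "host": "ws-03",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"ts": "2024-05-01T10:02:00Z", "src": "proxy", "host": "ws-09",
     "domain": "update.example.org", "dst_ip": "198.51.100.7"},
]


def load_indicators(feed, today):
    """Normalize the feed into lookup structures, dropping expired entries."""
    domains, networks, hashes = {}, [], {}
    for ind in feed:
        if date.fromisoformat(ind["valid_until"]) < today:
            continue  # stale: skip rather than alert on a retired indicator
        if ind["type"] == "domain":
            domains[ind["value"].lower().rstrip(".")] = ind
        elif ind["type"] == "ip":
            # A bare address becomes a /32 network, so one code path serves both.
            networks.append((ipaddress.ip_network(ind["value"], strict=False), ind))
        elif ind["type"] == "sha256":
            hashes[ind["value"].lower()] = ind
    return domains, networks, hashes


def match_domain(domain, domains):
    """Return the indicator equal to `domain` or to one of its parent domains."""
    labels = domain.lower().rstrip(".").split(".")
    # Stop before the bare top-level label so a TLD can never be an indicator.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None


def hunt(logs, feed, today=None):
    """Return one hit per (record, indicator) pair; this is the recurring query."""
    today = today or date.today()
    domains, networks, hashes = load_indicators(feed, today)
    hits = []

    def record_hit(rec, field, ind):
        hits.append({"ts": rec["ts"], "host": rec["host"], "field": field,
                     "observed": rec[field], "indicator": ind["value"],
                     "source": ind["source"]})

    for rec in logs:
        if "domain" in rec:
            ind = match_domain(rec["domain"], domains)
            if ind:
                record_hit(rec, "domain", ind)
        if "dst_ip" in rec:
            addr = ipaddress.ip_address(rec["dst_ip"])
            for net, ind in networks:
                if addr in net:
                    record_hit(rec, "dst_ip", ind)
        if "sha256" in rec and rec["sha256"].lower() in hashes:
            record_hit(rec, "sha256", hashes[rec["sha256"].lower()])
    return hits


def run_example():
    """Run the hunt over the constructed data with a fixed 'today'."""
    return hunt(LOGS, INDICATORS, date(2024, 5, 1))


if __name__ == "__main__":
    for hit in run_example():
        print(f'{hit["ts"]} {hit["host"]} {hit["field"]}={hit["observed"]} '
              f'matches {hit["indicator"]} ({hit["source"]})')
```

Against the constructed data this yields three hits: the proxy record from ws-17 matches both the ND-ISAC domain (via its subdomain) and the commercial CIDR range, and the EDR record from ws-03 matches the shared hash despite the case difference; the 198.51.100.7 connection produces nothing because that indicator has expired. In a real SOC the feed would be refreshed on each scheduled run and the hits written back to the repository with the indicator source, so an analyst can report the observation to the peers who shared it.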
ADDITIONAL READING
NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing
Homeland Security Systems Engineering & Development Institute Cyber Threat Modeling
References
• Draft NIST SP 800-171B 3.14.6e
• NIST CSF v1.1 ID.RA-2, ID.RA-3