CMMC Practice IR.4.100
Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution.
Bold Coast Security Guidance
Joining an industry ISAC will increase your capabilities for detecting and responding to an incident several times over. The intelligence shared among members can be fed into your IDS/IPS, SIEMs, and other tools used for threat detection. Additional resources may be available to your organization from the tools you have put in place. Most SIEM, anti-malware, and firewall vendors also share specific TTP information directly with their customers.
Your Incident Response Plans should identify exactly which ISACs you are a member of, along with the appropriate contact information. This could be useful if the primary contact with the ISAC at your organization is on vacation during an incident!
This practice requires that an organization explicitly consider the attacker’s perspective in implementing the organization’s incident response capability. The information necessary to do so can be from public sources, from government, or from third-party threat intelligence organizations. Specifically, it is not the intent of this practice to require an internal, organizational threat intelligence capability. See practice RM.4.149 for the creation of this information.