CMMC Practice IR.5.106

In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.

Source

CMMC Version 1.02, pg. 158

Bold Coast Security Guidance

This practice codifies your SIEM solution as a key component in detecting and alerting on an event. It also sets forth a requirement to have tools available, preferably on demand, that allow an investigator to capture key data from hosts when malicious activity is detected. A third-party SOC should have this capability and these tools at its disposal. Verify this during your due diligence when interviewing prospective vendors, including how they deploy the tool and safeguard it from misuse.

Discussion From Source

CMMC: Organizations need to have the ability to gather attack forensics as part of responding to security incidents. During a cyber-attack an attacker may seek to hide the activities taken to gain access, maintain persistence, and perform reconnaissance of an organization’s networks. However, in the course of their activities the attackers will leave artifacts that indicate their presence. This could be a local event indicating a system login, files associated with malware, or processes running in the system memory. To avoid detection an attacker may erase local logs or delete files. To allow for a thorough investigation the security operations center (SOC) should seek to collect forensic data from systems in real-time and be able to collect volatile data such as system memory when needed. Collection of the forensic data should be protected during transit and storage.
