CMMC Practice RM.4.149
Catalog and periodically update threat profiles and adversary TTPs.
Bold Coast Security Guidance
For Level 4 compliance an organization must be mature enough to sustain a comprehensive Threat Intelligence Program. This program consists of: gathering threat intelligence from various government and industry sources (Level 1); having a clear policy requiring that the various threat feeds are consumed by appropriate staff, that actionable intelligence is acted upon, and that those actions are documented (Level 2); having a clear plan in place to achieve the policy requirements (Level 3); and cataloging and periodically updating the underlying intelligence, made up of threat profiles and the library of threat intelligence sources (feeds), e.g., US-Cert.gov, SANS, membership in any of several Information Sharing and Analysis Centers (National Council of ISACs, www.nationalisacs.org), vendor feeds, etc. (Level 4). The organization measures and assesses the effectiveness of its threat intelligence program: Which sources provided actionable intelligence more frequently, or more reliably? From which did we gain real knowledge about our environment? Once we understand where the value is coming from, we can pare down our list of sources and refine our use of threat intelligence, to understand more about the risk and to provide more dimension to our understanding of it.
It is important to see threat intelligence through the lens of risk management. It is also important to know that, though many of these practices have their own independent identifier and subject, many of them group together into one organizational discipline. This is true of risk management.
Threat intelligence is threat information you can actually use. It either provides immediately useful technical information (responses to various threats being enacted in the Internet environment), or it provides knowledge that matures the organization's awareness of the risks it faces; these many perspectives must be incorporated into a cohesive understanding of risk for the organization.
One method that more mature enterprises can use to protect their systems is to employ threat profiles and to better understand adversary tools, techniques, and procedures (TTPs). This knowledge can be gained from threat feed information, training, and the various frameworks available on the Internet. By cataloging (or tracking) and updating threat profiles and adversary TTPs, an organization can use this information when planning enterprise updates, hunting for adversary activity on a network, and unraveling a complicated attack incident that may have taken place.
This information is a critical component when planning incident response actions, analyzing alerts on systems, and knowing the most likely asset an adversary will go after based on the TTPs they use. When someone wants to win against an opponent, they typically study the opponent's techniques and tactics. This knowledge not only allows them to train properly for the event against that opponent, but also to understand what the opponent is doing and what actions they are about to take, based on knowledge of their past actions. In the same way, this information helps an organization gain a cyber advantage over the adversary. The purpose of creating threat profiles and adversary TTPs is to help identify and gain knowledge about an adversary that is trying to cause harm to your enterprise. Adversary goals include accessing an enterprise to steal credentials, accessing proprietary information, stealing technologies, and disrupting operations.