CMMC Practice SI.4.221

Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.


CMMC Version 1.02, pg. 291

Bold Coast Security Guidance

This practice builds on IR.4.100 and RM.4.149 by adding threat information from appropriate outside sources to the way you manage organizational information system flaws. Since this is a maturity level 4 practice, you will already have a policy document; add a statement to it covering the use of ISAC (or other sharing-community) information to keep your awareness of adversary Tactics, Techniques, and Procedures (TTP) current. Your plan should name the exact sources of that information, who is responsible for obtaining it, how it reaches the people and tools that act on it, and any subscription costs. You can measure the effectiveness of this practice by noting how often TTP and indicator information from those sources appears in your briefings and SOC team bulletins, and how often it is loaded into your internal detection mechanisms. If it is used very little, consider whether the source is relevant to the information and systems you are protecting and look for other sources.

Discussion From Source

DRAFT NIST SP 800-171B

The constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), makes it essential that threat information relating to specific threat events (e.g., TTP, targets) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) be sourced from and shared with trusted organizations. This information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information sharing includes threat indicators, signatures, and adversary TTP from organizations participating in various threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified non-federal organizations from government sources.
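Both the guidance above and the NIST discussion describe the same working loop: take indicators from an external feed, load them into your own detection, and track whether they ever fire. The following is an added example written for this page; it is not code from Bold Coast Security, NIST, or any ISAC. It assumes the feed arrives as a STIX 2.1 bundle (the format most sharing communities use) and handles only simple single-comparison patterns; compound patterns are reported as skipped rather than silently ignored. The indicator values, object IDs and log lines are constructed for illustration, and the function names are this example's own.

```python
"""Ingest external threat indicators (STIX 2.1 patterns) and hunt for them in logs.

Added example for this page; not code from Bold Coast Security or NIST.
All indicator values, IDs and log lines below are constructed, not real threat data.
"""
import json
import re

# Constructed sample: a minimal STIX 2.1 bundle as a sharing community might deliver it.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "Example C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Example C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Example dropper", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'4a5c8e1f0b2d3c4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "Example unused indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        # Compound pattern: outside what this simple loader handles, so it is skipped.
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "name": "Example compound pattern", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.46' OR ipv4-addr:value = '203.0.113.47']"},
    ],
})

# Constructed sample log lines (firewall, DNS, EDR). The hash is deliberately upper-case
# to show that matching must normalise case.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z fw allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2024-03-01T10:00:02Z dns query client=10.0.0.12 qname=update.example.invalid type=A",
    "2024-03-01T10:00:03Z edr file_created host=ws-07 "
    "sha256=4A5C8E1F0B2D3C4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6",
    "2024-03-01T10:00:04Z fw allow src=10.0.0.19 dst=192.0.2.10 dport=80",
]

# One comparison only: "[<object-path> = '<value>']". Anything else is reported as skipped.
PATTERN_RE = re.compile(
    r"^\[(ipv4-addr:value|domain-name:value|file:hashes\.'SHA-256') = '([^']+)'\]$")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def load_indicators(bundle_json):
    """Return ({(kind, value): indicator_object}, [skipped indicator ids])."""
    bundle = json.loads(bundle_json)
    indicators, skipped = {}, []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            skipped.append(obj["id"])      # compound/unsupported: needs a real STIX matcher
            continue
        indicators[(m.group(1), m.group(2).lower())] = obj
    return indicators, skipped


def extract_observables(line):
    """Pull the observable types we can match (IPv4, SHA-256, domain) out of one log line."""
    found = {("ipv4-addr:value", ip) for ip in IPV4_RE.findall(line)}
    found |= {("file:hashes.'SHA-256'", h.lower()) for h in SHA256_RE.findall(line)}
    found |= {("domain-name:value", d.lower()) for d in DOMAIN_RE.findall(line)}
    return found


def hunt(indicators, log_lines):
    """Return [(line_no, indicator_name, kind, value)] for every indicator seen in the logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for key in extract_observables(line):
            if key in indicators:
                hits.append((n, indicators[key]["name"], key[0], key[1]))
    return hits


def feed_utilisation(indicators, hits):
    """Fraction of loaded indicators that fired at least once: the practice's usage metric."""
    used = {(kind, value) for _, _, kind, value in hits}
    return len(used) / len(indicators) if indicators else 0.0


if __name__ == "__main__":
    inds, skipped = load_indicators(SAMPLE_BUNDLE)
    print("loaded %d indicators, skipped %d unsupported patterns" % (len(inds), len(skipped)))
    hits = hunt(inds, SAMPLE_LOGS)
    for hit in hits:
        print("HIT line %d: %s (%s=%s)" % hit)
    print("feed utilisation: %.2f" % feed_utilisation(inds, hits))
```

The utilisation figure is the number the guidance asks you to watch: run it per feed over a reporting period, and a feed whose indicators never fire against your telemetry is either irrelevant to the systems you protect or is not reaching the sensors that could use it. The skipped list matters for the same reason; indicators you cannot load are indicators you are paying for without using.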