CMMC Requirement SI.L3-3.14.6E – Threat-Guided Intrusion Detection: Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting.
Links to Publicly Available Resources – Coming Soon
Threat information related to specific threat events (e.g., TTPs, targets) that organizations have experienced, threat mitigations that organizations have found to be effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) are sourced from and shared with trusted organizations. This threat information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information sharing includes threat indicators, signatures, and adversary TTPs from organizations participating in threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, CISA/US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified nonfederal organizations from government sources.
Further Discussion
One way to effectively leverage threat indicator information is to access human- or machine-readable threat intelligence feeds. Effectiveness may also require the organization to create TTPs in support of operational requirements, which will typically include defensive cyber tools supporting incident detection, alerts, incident response, and threat hunting. It is possible that this requirement will be implemented by a third-party managed service provider, and in that case, it will be necessary to carefully define the boundary and responsibilities between the OSC and the ESP to guarantee a robust implementation. It is also important that the OSC validate threat indicator integration into the defensive cyber toolset by being able to (1) implement mitigations for sample industry relevant indicators of compromise (e.g., IP address, file hash), (2) identify sample indicators of compromise across sample endpoints, and (3) identify sample indicators of compromise using analytical processes on a system data repository.