CMMC Practice SI.4.221: Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
When conducting cyberattacks, attackers tend to operate using certain patterns of behavior or exploit capabilities. This collection of patterns and capabilities is known as Tactics, Techniques, and Procedures (TTP). An organization can build its knowledge of attacker TTPs by participating in Information Sharing and Analysis Centers (ISACs) for its industry. An ISAC collects cyber threat information relevant to the industry and its members in order to improve the cyber posture of that industry. Based on its lines of business, an organization may consider more than one ISAC. An organization may also acquire TTPs through commercial providers in order to integrate them into various technologies.