Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting.
DiscussionThreat information related to specific threat events (e.g., TTPs, targets) that organizations have experienced, threat mitigations that organizations have found to be effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) are sourced from and shared with trusted organizations. This threat information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information sharing includes threat indicators, signatures, and adversary TTPs from organizations participating in threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, CISA/US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified nonfederal organizations from government sources.
One way to effectively leverage threat indicator information is to access human- or machine-readable threat intelligence feeds. Effectiveness may also require the organization to create TTPs in support of operational requirements, which will typically include defensive cyber tools supporting incident detection, alerts, incident response, and threat hunting. It is possible that this requirement will be implemented by a third-party managed service provider, and in that case, it will be necessary to carefully define the boundary and responsibilities between the OSC and the ESP to guarantee a robust implementation. It is also important that the OSC validate threat indicator integration into the defensive cyber toolset by being able to (1) implement mitigations for sample industry relevant indicators of compromise (e.g., IP address, file hash), (2) identify sample indicators of compromise across sample endpoints, and (3) identify sample indicators of compromise using analytical processes on a system data repository.
You are responsible for information security in your organization. You have maintained an effective intrusion detection capability for some time, but now you decide to introduce a threat hunting capability informed by internal and external threat intelligence [a,c,d,e]. You install a SIEM system that leverages threat information to provide functionality to:
- analyze logs, data sources, and alerts;
- query data to identify anomalies;
- identify variations from baseline threat levels;
- provide machine learning capabilities associated with the correlation of anomalous data characteristics across the enterprise; and
- categorize data sets based on expected data values.
Your team also manages an internal mitigation plan (playbook) for all known threats for your environment. This playbook is used to implement effective mitigation strategies across the environment [b]. Some of the mitigation strategies are developed by team members, and others are obtained by threat feed services.
Potential Assessment Considerations
- Which external sources has the organization identified as threat information sources [a]?
- Does the organization understand the TTPs of key attackers [c,d]?
- Does the organization deploy threat indicators to EDR systems, network intrusion detection systems, or both [c,d,e]?
- What actions does the organization implement when a threat alert/indicator is signaled [c,d,e]?
- Does the organization use internal threat capabilities within their existing security tools [e].
- How does the organization respond to a third-party notification of a threat indicator [e]?