System and Information Integrity (SI)
SI.L3-3.14.6E – THREAT-GUIDED INTRUSION DETECTION
Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting.
ASSESSMENT OBJECTIVES [NIST SP 800-172A]
Determine if:
[ODP1] External organizations from which to obtain threat indicator information and effective mitigations are defined;
[a] Threat indicator information is identified;
[b] Effective mitigations are identified;
[c] Intrusion detection approaches are identified;
[d] Threat hunting activities are identified; and
[e] Threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources and any DoD-provided sources, are used to guide and inform intrusion detection and threat hunting.
POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]
Examine
One way to effectively leverage threat indicator information is to access human- or machine-readable threat intelligence feeds. Effectiveness may also require the organization to create TTPs in support of operational requirements, which will typically include defensive cyber tools supporting incident detection, alerts, incident response, and threat hunting. It is possible that this requirement will be implemented by a third-party managed service provider, and in that case, it will be necessary to carefully define the boundary and responsibilities between the OSC (Organization Seeking Certification) and the ESP (External Service Provider) to guarantee a robust implementation. It is also important that the OSC validate threat indicator integration into the defensive cyber toolset by being able to (1) implement mitigations for sample industry-relevant indicators of compromise (e.g., IP address, file hash), (2) identify sample indicators of compromise across sample endpoints, and (3) identify sample indicators of compromise using analytical processes on a system data repository.
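The three validation steps above can be exercised end to end with a small script. The following is an added example written for this discussion; it is not part of the CMMC guide or of any vendor tool. The feed format (type,value,mitigation), the endpoint hash inventory, and the log lines are all constructed for the example; a real deployment would read a commercial or DoD-provided feed and query the EDR and SIEM instead.

```python
"""Added example: validate threat-indicator integration in three steps.

(1) turn each indicator into a concrete mitigation action,
(2) find indicator hashes on sample endpoints,
(3) find indicator IPs/domains in a sample log repository.
All inputs below are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed feed. The last row is deliberately malformed to show that
# indicators are validated before they are pushed to defensive tools.
FEED = """\
ipv4,203.0.113.45,block at perimeter firewall
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,quarantine file via EDR
domain,bad.example,sinkhole in DNS resolver
ipv4,not-an-ip,block at perimeter firewall
"""

# Constructed per-endpoint inventory of file hashes (hostname -> hashes).
ENDPOINTS = {
    "ws-01": ["0123456789abcdef" * 4, "f" * 64],
    "ws-02": ["a" * 64],
}

# Constructed log lines from a proxy and a DNS resolver.
LOG_LINES = [
    "2024-01-01T10:00:00Z proxy src=10.0.0.5 dst=203.0.113.45 host=cdn.example",
    "2024-01-01T10:00:01Z dns client=10.0.0.7 query=bad.example",
    "2024-01-01T10:00:02Z proxy src=10.0.0.5 dst=198.51.100.2 host=ok.example",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
IPV4_TOKEN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

Indicators = Dict[str, Dict[str, str]]  # type -> {value: mitigation}


def parse_feed(text: str) -> Indicators:
    """Parse the feed; malformed indicators are dropped, not deployed."""
    indicators: Indicators = {"ipv4": {}, "sha256": {}, "domain": {}}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(",", 2)
        if len(parts) != 3:
            continue
        kind, value, mitigation = (p.strip() for p in parts)
        value = value.lower()
        if kind == "ipv4":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                continue
        elif kind == "sha256" and not SHA256_RE.match(value):
            continue
        elif kind == "domain" and not DOMAIN_RE.match(value):
            continue
        elif kind not in indicators:
            continue
        indicators[kind][value] = mitigation
    return indicators


def build_mitigations(indicators: Indicators) -> List[Tuple[str, str, str]]:
    """Step (1): one concrete mitigation action per validated indicator."""
    return [(kind, value, action)
            for kind, entries in indicators.items()
            for value, action in sorted(entries.items())]


def match_endpoints(indicators: Indicators,
                    inventory: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Step (2): known-bad file hashes present on sample endpoints."""
    bad = indicators["sha256"]
    return [(host, h.lower()) for host, hashes in sorted(inventory.items())
            for h in hashes if h.lower() in bad]


def scan_logs(indicators: Indicators, lines: List[str]) -> List[dict]:
    """Step (3): IP and domain indicators seen in a log repository."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_TOKEN.findall(line):
            if ip in indicators["ipv4"]:
                hits.append({"line": n, "type": "ipv4", "value": ip,
                             "mitigation": indicators["ipv4"][ip]})
        for token in line.split():
            value = token.split("=", 1)[-1].lower()  # key=value or bare token
            if value in indicators["domain"]:
                hits.append({"line": n, "type": "domain", "value": value,
                             "mitigation": indicators["domain"][value]})
    return hits


if __name__ == "__main__":
    ind = parse_feed(FEED)
    for entry in build_mitigations(ind):
        print("mitigation:", entry)
    for hit in match_endpoints(ind, ENDPOINTS):
        print("endpoint hit:", hit)
    for hit in scan_logs(ind, LOG_LINES):
        print("log hit:", hit)
```

Each function returns its findings rather than only printing them, so the same script can serve as an assessment artifact: the mitigation list evidences objective (1), the endpoint and log hits evidence (2) and (3), and the dropped malformed row shows that feed content is validated before it reaches the firewall or EDR.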
Example
You are responsible for information security in your organization. You have maintained an effective intrusion detection capability for some time, but now you decide to introduce a threat hunting capability informed by internal and external threat intelligence [a,c,d,e]. You install a SIEM system that leverages threat information to provide functionality to:
• analyze logs, data sources, and alerts;
• query data to identify anomalies;
• identify variations from baseline threat levels;
• provide machine learning capabilities associated with the correlation of anomalous data characteristics across the enterprise; and
• categorize data sets based on expected data values.
Your team also manages an internal mitigation plan (playbook) for all known threats for your environment. This playbook is used to implement effective mitigation strategies across the environment [b]. Some of the mitigation strategies are developed by team members, and others are obtained by threat feed services.
Potential Assessment Considerations
Which external sources has the organization identified as threat information sources [a]?
Does the organization understand the TTPs of key attackers [c,d]?
Does the organization deploy threat indicators to EDR systems, network intrusion detection systems, or both [c,d,e]?
What actions does the organization implement when a threat alert/indicator is signaled [c,d,e]?
Does the organization use internal threat capabilities within their existing security tools [e]?
How does the organization respond to a third-party notification of a threat indicator [e]?
KEY REFERENCES
• NIST SP 800-172 3.14.6e
FURTHER DISCUSSION
It is important that the organization has a repeatable penetration testing capability, regardless of who performs the penetration testing. This requirement entails performing tests against components of the organization’s architecture to identify cyber weaknesses and vulnerabilities. It does not mean everything in the architecture requires penetration testing. This requirement provides findings and mitigation strategies that benefit the organization and help create a stronger environment against adversary efforts. It may be beneficial for the organization to define the scope of penetration testing. The organization’s approach may involve hiring an expert penetration testing team to perform testing on behalf of the organization. When an organization has penetration testing performed, either by an internal team or external firm, they should establish rules of engagement and impose limits on what can be performed by the penetration test team(s).
Ensuring the objectivity of the test team is important as well. Potential conflicts of interest, such as having internal testers report directly or indirectly to network defenders or an external test team contracted by network defense leadership, must be carefully managed by organizational leadership.
Reports on the findings should be used by the organization to determine where to focus funding, staffing, training, or technical improvements for future mitigation strategies.
Example
You are responsible for information security in your organization. Leveraging a contract managed by the CIO, you hire an external expert penetration team annually to test the security of the organization’s enclave that stores and processes CUI [a,c]. You hire the same firm annually or on an ad hoc basis when significant changes are made to the architecture or components that affect security [b,c].
Potential Assessment Considerations
Does the organization have internal team members who possess the proper level of expertise to perform a valued penetration testing effort [b]?
If the penetration testing is performed by an internal team, are the individuals performing the testing able to do so objectively [b]?
Is a penetration testing final report provided to the internal team responsible for organizational defense?
If previous penetration tests have been conducted, can the organization provide samples of penetration test plans, findings reports, and mitigation guidance based on the findings [a,b,c]?
KEY REFERENCES
• NIST SP 800-172 3.12.1e