Mapping Threat Intelligence to the NIST Compliance Framework

Enhancing cybersecurity and compliance programs with actionable intelligence that adds insight can easily justify the investment and growth of threat intelligence programs.


It is estimated that compliance drives 50% of the spend in the cybersecurity industry. Recently, some of our customer and defender-side colleagues indicated that threat intelligence was not typically considered within compliance frameworks. The main reasons were noisy data feeds, a lack of identifiable metrics, and a lack of actionable intelligence related to the customer’s pain points.

Using the NIST Framework, organizations assess their current security posture, agree on organizational goals, understand their gaps and develop plans to optimize their security posture. We used this framework to show how threat intelligence is critical for compliance personnel to justify budgets for governance, risk and compliance (GRC) and how it is also important for CISOs and security practitioners responsible for incident response, security operations, and third-party risk. This column is the first in a two-part series and focuses on the “Identify” portion of the NIST framework.


Asset Management

1) ID.AM-4: External information systems are cataloged. Service providers continuously monitor external digital footprints, identifying new assets and new services. Open RDP ports, shadow IT devices operating outside of firewall policy and unauthorized file shares communicating with your environment are three of the most common use cases for monitoring the perimeter, or external attack surface management.

Risk Assessment

2) ID.RA-1: Asset vulnerabilities are identified and documented. While this sub-category is generally intended for internal assets being monitored for misconfiguration, external assets also need to be continuously monitored and assessed to identify vulnerabilities and determine the probability of an actor exploiting those vulnerabilities.

3) ID.RA-2: Cyber threat intelligence is received from information-sharing forums and sources. Threat intelligence and managed service providers can use access to the dark web and open-source forums, including social media, to collect information about potential threats. This is typically done by crawling the web to identify stolen credentials on the dark web, find social media impersonations, assess physical threats to personnel or facilities, identify negative brand and reputation sentiment and, if necessary, engage directly with threat actors.

4) ID.RA-3: Threats, both internal and external, are identified and documented. External threats could range from ransomware groups targeting an organization to cyber criminals selling access to an organization’s data. Intelligence providers can assist with potential insider threats by monitoring externally for malicious activity (e.g. employees selling access or data on criminal forums) and unauthorized file sharing.

5) ID.RA-4: Potential business impacts and likelihoods are identified. Intelligence can identify the likelihood of external threat activity and provide context. For example, intelligence can provide context around specific ransomware families and determine whether detection tools can identify their payloads short of encrypting files. This context can be considered in the overall business impact analysis.

6) ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. Threats, vulnerabilities, and likelihood of threats can be included in threat landscape assessments to help determine the overall risk to businesses. For example, a threat landscape should cover global geopolitical activity focused on an enterprise’s business locations. Of particular interest is activity involving cyber, physical, insider, crypto/digital and supply chain threats related to critical vendors. The intelligence goal is to identify current and escalating threats so leaders can adapt as threats change.

Supply Chain Management

7) ID.SC-2: Suppliers and third-party partners are identified, prioritized, and assessed using a cyber supply chain risk assessment process. Threat intelligence providers monitor the internet using attack surface and reputation monitoring tools for critical suppliers. After ranking suppliers high, medium and low, an enterprise should conduct threat intelligence monitoring and RFI responses for critical suppliers where data and services reside outside of the enterprise’s perimeter (e.g., MSPs) and could present a higher probability of compromise.

8) ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluation to confirm they are meeting their contractual obligations. Ideally, threat intelligence providers and managed service providers would continuously monitor the internet to ensure that audits, test results and questionnaires are valid. Vendor questionnaires should be considered a starting point in third-party risk assessment for legal and compliance purposes. However, these questionnaires should be validated and contextualized with threat intelligence, particularly for high-risk vendors.

As discussed, enhancing cybersecurity and compliance programs with actionable intelligence that complements and adds insight can easily justify the investment and growth of threat intelligence programs. It is a valuable approach that should be employed by more enterprise organizations.

The next article in this series will focus on how to mold threat intelligence to conform with the NIST cybersecurity framework sub-categories “Protect”, “Detect”, and “Respond”.

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.
