Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

The NIST compliance framework consists of five core functions: Identify, Protect, Detect, Respond and Recover. In my previous column, I mapped threat intelligence capabilities to the NIST core function of Identify. In this column, I continue the discussion by mapping threat intelligence to the additional functions of Protect, Detect and Respond. By doing so, I will highlight how threat intelligence is critical when justifying budget, not only for governance, risk and compliance (GRC) personnel, but also for threat intelligence, incident response, security operations, CISO and third-party risk buyers.

Concerns such as data leakage, IOCs, credential theft, third-party vendor suppliers and the selling of intellectual property are all relevant to the NIST framework. As CTI teams prioritize the intelligence requirements of their business stakeholders, it is beneficial to provide context by mapping the impact of cybersecurity threat intelligence programs to the following NIST core functions.


Data Security

9) PR.DS-5: Protections against data leaks are implemented: Data leakage detection capabilities identify leaked data so that it can be remediated. Monitoring outbound connections, and the content going to file-sharing or cloud services, is typically the starting point.

Information Protection Processes and Procedures

10) PR.IP-12: A vulnerability management plan is developed and implemented: CTI providers typically offer a monitoring solution for vulnerability management (VM). Providing telemetry on an attacker's near real-time ability to exploit vulnerabilities differentiates this from traditional, static VM tooling.


Anomalies and Events

11) DE.AE-2: Detected events are analyzed to understand attack targets and methods: CTI proactively detects events and, during incident response activities, provides context and enrichment for investigations. Conducting threat group attribution is a common threat intelligence use case when reacting to an incident.

12) DE.AE-3: Event data are collected and correlated from multiple sources and sensors: Threat intelligence and managed service providers are a source for event data, context and enrichment. IOCs, compromised credentials and intellectual property theft are common event data sources.

Continuous Security Monitoring

13) DE.CM-1: The network is monitored to detect potential cybersecurity events: Similar to the previous item, CTI data and managed service providers monitor the external network and alert on potential cybersecurity events that are relevant to your perimeter network and cloud services.

14) DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events: CTI tooling monitors the external digital footprint of key staff and VIPs to detect cybersecurity events. Takedowns of exposed personally identifiable information (PII) are a common outcome.

15) DE.CM-5: Unauthorized mobile code is detected: Mobile application monitoring detects unauthorized mobile code, including any code posted to third-party repositories (GitHub), cloud services or hosting providers (Linode).

16) DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events: CTI feeds and managed service providers can be used to monitor external service providers for potential cybersecurity events. For example, third-party data leaks are a common breach vector for larger enterprises and can be monitored.

17) DE.CM-8: Vulnerability scans are performed: Similar to the above, CTI providers can enrich vulnerability scanners with greater context and external telemetry.
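As an added illustration of items 9 and 12 above (not code from the column or from Nisos), the script below correlates event data from two constructed sensors (a web proxy log and a VPN authentication log) against a constructed CTI feed of IOC domains and compromised credentials, and tags each hit with the NIST CSF subcategory it evidences. All hosts, accounts and the upload threshold are constructed for the example.

```python
"""Correlate multi-source event data with a CTI feed and tag hits by NIST CSF subcategory.

Constructed example: every indicator, account, host and threshold here is made up.
"""

# Constructed CTI feed: IOC domains and accounts seen in a credential dump.
CTI_FEED = {
    "ioc_domains": {"files-drop.example", "paste-mirror.example"},
    "compromised_accounts": {"j.doe@corp.example"},
}

# Constructed list of sanctioned file-sharing / cloud destinations worth watching (PR.DS-5).
FILE_SHARING_HOSTS = {"drive.cloud.example", "share.cloud.example"}

# Assumed threshold above which an upload to a file-sharing host is treated as a leak candidate.
LARGE_UPLOAD_BYTES = 100_000_000

# Constructed proxy log: (user, destination host, bytes sent outbound)
PROXY_EVENTS = [
    ("a.smith@corp.example", "intranet.corp.example", 1_200),
    ("j.doe@corp.example", "files-drop.example", 48_000_000),
    ("m.lee@corp.example", "drive.cloud.example", 900_000_000),
]

# Constructed VPN auth log: (user, source country code, login succeeded)
VPN_EVENTS = [
    ("j.doe@corp.example", "XX", True),
    ("a.smith@corp.example", "US", True),
]


def correlate(proxy_events, vpn_events, feed, file_hosts, threshold=LARGE_UPLOAD_BYTES):
    """Return enriched alerts; each carries the NIST CSF subcategory it supports."""
    alerts = []
    compromised = feed["compromised_accounts"]
    for user, host, bytes_out in proxy_events:
        # DE.AE-3: proxy event correlated with an external IOC, enriched with credential status.
        if host in feed["ioc_domains"]:
            alerts.append({"nist": "DE.AE-3", "user": user, "host": host,
                           "reason": "egress to CTI IOC domain",
                           "cred_compromised": user in compromised})
        # PR.DS-5: large outbound transfer to a file-sharing / cloud service.
        if host in file_hosts and bytes_out >= threshold:
            alerts.append({"nist": "PR.DS-5", "user": user, "host": host,
                           "reason": f"{bytes_out} bytes sent to file-sharing service"})
    for user, country, succeeded in vpn_events:
        # DE.AE-3: a second sensor (VPN) correlated with the compromised-credential feed.
        if succeeded and user in compromised:
            alerts.append({"nist": "DE.AE-3", "user": user, "host": None,
                           "reason": f"successful VPN login from {country} by account in "
                                     "CTI compromised-credential feed"})
    return alerts
```

Running `correlate(PROXY_EVENTS, VPN_EVENTS, CTI_FEED, FILE_SHARING_HOSTS)` on the constructed data yields three alerts: two DE.AE-3 hits on the compromised account (one from each sensor) and one PR.DS-5 candidate for the large cloud upload.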


Response Planning

18) RS.RP-1: Response plan is executed during or after an incident: CTI providers can be used for the external investigation component of incident response plans. This is commonly done when preparing for specific ransomware actors.


19) RS.AN-1: Notifications from detection systems are investigated: Beyond network devices, CTI and threat management functions augment the incident response to alerts on security events and incidents.


20) RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks: CTI teams submit vulnerabilities validated as exploited in the wild to the appropriate stakeholders for remediation.

Protecting against, detecting and responding to cyber incidents is generally associated with the security operations team and incident responders using tools to protect endpoints and servers and to remediate security incidents. While these are critical aspects of complying with NIST, threat intelligence squarely fits into these facets of NIST from an "outside the firewall" approach.

Related: Mapping Threat Intelligence to the NIST Compliance Framework Part 1

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.
