Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Threat Intelligence

Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Threat intelligence Platforms

The NIST compliance framework consists of 5 core functions: identify, protect, detect, respond and recover. In my previous column, I mapped threat intelligence capabilities to the NIST core function of Identify. In this column, I will continue the discussion by mapping threat intelligence to the additional functions of Protect, Detect and Respond.  By doing so, I will highlight how threat intelligence is critical when justifying budget, not only for governance, risk and compliance (GRC) personnel, but also for threat intelligence, incident response, security operations, CISO and third-party risk buyers.

Concerns such as data leakage, IOCs, credential theft, third-party vendor suppliers and the selling of intellectual property are all relevant to the NIST framework. As CTI teams prioritize the intelligence requirements of their business stakeholders, it is beneficial to provide context by mapping the impact of cybersecurity threat intelligence programs to the following NIST core functions.

PROTECT

Data Security

9) PR.DS-5: Protections against data leaks are implemented: Data leakage detection capabilities can be used to identify and remediate data leakage. Monitoring outbound connections and content going to file sharing or cloud services is typically a starting point.

Information Protection Processes and Procedures

10) PR.IP-12: A vulnerability management plan is developed and implemented: CTI providers typically provide a monitoring solution for vulnerability management (VM). Providing telemetry details on an attacker’s near real-time abilities to exploit vulnerabilities is differentiated than traditional, static VM tooling.

Advertisement. Scroll to continue reading.

DETECT

Anomalies and Events

11) DE.AE-2: Detected events are analyzed to understand attack targets and methods: Proactively detect events and react during incident response activities to provide context and enrichment for investigations. Conducting threat group attribution is a common threat intelligence use case for reacting to an incident.

12) DE.AE-3: Event data are collected and correlated from multiple sources and sensors: Threat intelligence and managed service providers are a source for event data, context and enrichment. IOCs, compromised credentials and intellectual property theft are common event data sources.

Continuous Security Monitoring

13) DE.CM-1: The network is monitored to detect potential cybersecurity events: Similar to the previous bullet, CTI data and managed service providers monitor the external network and alerts on potential cyber security events that are relevant to your perimeter network and cloud services.

14) DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events: CTI tooling monitors the external digital footprint of key staff and VIPs to detect cybersecurity events. Personal identifiable information (PII) takedowns are common outcomes.

15) DE.CM-5: Unauthorized mobile code is detected: Mobile application monitoring detects unauthorized mobile code including any code posted to third party repositories (Github), cloud services or hosting providers (Linode).

16) DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events: CTI feeds and managed service providers can be used to monitor external service providers for potential cybersecurity events. For example, data leaks of third parties are a common breach for larger enterprises and can be monitored.

17) DE.CM-8: Vulnerability scans are performed: Similar to the above, CTI providers can enrich vulnerability scanners with greater context and external telemetry.

RESPOND

Response Planning

18) RS.RP-1: Response plan is executed during or after an incident: CTI providers can be used for the external investigation component of incident response plans. This is common to prepare for various ransomware actors.

Analysis

19) RS.AN-1: Notifications from detection systems are investigated: Not just limited to network devices, CTI and threat management functions augment incident response to alerts of security events and incidents.

Mitigation

20) RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks: CTI teams submit vulnerabilities validated in the wild to appreciate stakeholders for remediation.

Protecting, detecting and responding to cyber incidents is generally considered with the security operations team and incident responders using tools to protect endpoints and servers and remediate security incidents. While these are critical aspects to comply with NIST, threat intelligence squarely fits into these facets of NIST from an “outside the firewall” approach.

Related: Mapping Threat Intelligence to the NIST Compliance Framework Part 1

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cybercrime

Deepfakes, left unchecked, are set to become the cybercriminals’ next big weapon

Cybercrime

The top five categories of Bad Bot attacks are fake account creation, account takeovers, scraping, account management, and in-product abuse.

Threat Intelligence

A new research report discusses the five most exploited vulnerabilities of 2022, and the five key risks that security teams should consider.