The NIST compliance framework consists of five core functions: Identify, Protect, Detect, Respond and Recover. In my previous column, I mapped threat intelligence capabilities to the NIST core function of Identify. In this column, I will continue the discussion by mapping threat intelligence to the additional functions of Protect, Detect and Respond. By doing so, I will highlight how threat intelligence is critical when justifying budget, not only for governance, risk and compliance (GRC) personnel, but also for threat intelligence, incident response, security operations, CISO and third-party risk buyers.
Concerns such as data leakage, IOCs, credential theft, third-party vendors and suppliers, and the selling of intellectual property are all relevant to the NIST framework. As CTI teams prioritize the intelligence requirements of their business stakeholders, it is beneficial to provide context by mapping the impact of cybersecurity threat intelligence programs to the following NIST core functions.
PROTECT
Data Security
9) PR.DS-5: Protections against data leaks are implemented: Data leakage detection capabilities can be used to identify and remediate data leakage. Monitoring outbound connections and content going to file sharing or cloud services is typically a starting point.
Information Protection Processes and Procedures
10) PR.IP-12: A vulnerability management plan is developed and implemented: CTI providers typically offer a monitoring solution for vulnerability management (VM). Providing telemetry on an attacker's near real-time ability to exploit vulnerabilities differentiates this from traditional, static VM tooling.
DETECT
Anomalies and Events
11) DE.AE-2: Detected events are analyzed to understand attack targets and methods: CTI proactively detects events and, during incident response activities, provides context and enrichment for investigations. Conducting threat group attribution is a common threat intelligence use case when reacting to an incident.
12) DE.AE-3: Event data are collected and correlated from multiple sources and sensors: Threat intelligence and managed service providers are a source for event data, context and enrichment. IOCs, compromised credentials and intellectual property theft are common event data sources.
Continuous Security Monitoring
13) DE.CM-1: The network is monitored to detect potential cybersecurity events: Similar to the previous bullet, CTI data and managed service providers monitor the external network and alert on potential cybersecurity events that are relevant to your perimeter network and cloud services.
14) DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events: CTI tooling monitors the external digital footprint of key staff and VIPs to detect cybersecurity events. Personally identifiable information (PII) takedowns are common outcomes.
15) DE.CM-5: Unauthorized mobile code is detected: Mobile application monitoring detects unauthorized mobile code, including any code posted to third-party repositories (GitHub), cloud services or hosting providers (Linode).
16) DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events: CTI feeds and managed service providers can be used to monitor external service providers for potential cybersecurity events. For example, data leaks at third parties are a common source of breaches for larger enterprises and can be monitored.
17) DE.CM-8: Vulnerability scans are performed: Similar to the above, CTI providers can enrich vulnerability scanners with greater context and external telemetry.
RESPOND
Response Planning
18) RS.RP-1: Response plan is executed during or after an incident: CTI providers can be used for the external investigation component of incident response plans. This is commonly done to prepare for various ransomware actors.
Analysis
19) RS.AN-1: Notifications from detection systems are investigated: Not limited to alerts from network devices, CTI and threat management functions augment incident response to alerts about security events and incidents.
Mitigation
20) RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks: CTI teams submit vulnerabilities validated as exploited in the wild to the appropriate stakeholders for remediation.
Protecting against, detecting and responding to cyber incidents is generally associated with the security operations team and incident responders, who use tools to protect endpoints and servers and remediate security incidents. While these are critical aspects of complying with NIST, threat intelligence also fits squarely into these facets of NIST from an "outside the firewall" approach.
Related: Mapping Threat Intelligence to the NIST Compliance Framework Part 1

More from Landon Winkelvoss