
SecurityWeek


Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.


The NIST compliance framework consists of five core functions: identify, protect, detect, respond and recover. In my previous column, I mapped threat intelligence capabilities to the NIST core function of Identify. In this column, I will continue the discussion by mapping threat intelligence to the additional functions of Protect, Detect and Respond. By doing so, I will highlight how threat intelligence is critical when justifying budget, not only for governance, risk and compliance (GRC) personnel, but also for threat intelligence, incident response, security operations, CISO and third-party risk buyers.

Concerns such as data leakage, IOCs, credential theft, third-party suppliers and the sale of intellectual property are all relevant to the NIST framework. As CTI teams prioritize the intelligence requirements of their business stakeholders, it is beneficial to provide context by mapping the impact of cyber threat intelligence programs to the following NIST core functions.

PROTECT

Data Security

9) PR.DS-5: Protections against data leaks are implemented: Data leakage detection capabilities can be used to identify and remediate data leakage. Monitoring outbound connections and content going to file sharing or cloud services is typically a starting point.

Information Protection Processes and Procedures

10) PR.IP-12: A vulnerability management plan is developed and implemented: CTI providers typically offer a monitoring solution for vulnerability management (VM). Providing telemetry on attackers' near real-time ability to exploit specific vulnerabilities differentiates this from traditional, static VM tooling.


DETECT

Anomalies and Events

11) DE.AE-2: Detected events are analyzed to understand attack targets and methods: CTI both proactively detects events and, during incident response activities, provides context and enrichment for investigations. Conducting threat group attribution is a common threat intelligence use case when reacting to an incident.

12) DE.AE-3: Event data are collected and correlated from multiple sources and sensors: Threat intelligence and managed service providers are a source for event data, context and enrichment. IOCs, compromised credentials and intellectual property theft are common event data sources.

Continuous Security Monitoring

13) DE.CM-1: The network is monitored to detect potential cybersecurity events: Similar to the previous bullet, CTI data and managed service providers monitor the external network and alert on potential cybersecurity events that are relevant to your perimeter network and cloud services.
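DE.AE-3 and DE.CM-1 both come down to the same mechanic: event data from several sensors is normalized, matched against the indicators a CTI feed supplies, enriched with the feed's context, and correlated per asset so that a host seen by more than one sensor rises to the top. The following Python script is an added example written for this column, not code from the author, from Nisos or from any CTI vendor. The indicator feed, the DNS resolver and web proxy log lines, the field layouts, and the scoring rule (feed confidence plus a bonus for multi-sensor corroboration) are all constructed for illustration; real feeds (STIX/TAXII, CSV, vendor APIs) and real sensor formats differ.

```python
"""Correlate DNS and proxy events against a CTI indicator feed (added example).

All feed entries, log lines and the scoring rule below are constructed
for illustration and are not from any product or the original column.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed indicator feed: indicator value -> context a CTI provider would attach.
IOC_FEED = {
    "update-check.example-bad.test": {"type": "domain", "threat": "loader C2", "confidence": 80},
    "203.0.113.45": {"type": "ipv4", "threat": "exfil staging", "confidence": 70},
    "files.share-example.test": {"type": "domain", "threat": "file-sharing (data leak watch)", "confidence": 40},
}

# Constructed sample sensor output: one DNS resolver log and one web proxy log.
DNS_LOG = """\
2024-05-01T10:00:01Z host=ws-017 qname=update-check.example-bad.test rcode=NOERROR
2024-05-01T10:00:02Z host=ws-017 qname=www.example.org rcode=NOERROR
2024-05-01T10:02:10Z host=ws-042 qname=files.share-example.test rcode=NOERROR
"""
PROXY_LOG = """\
2024-05-01T10:00:05Z host=ws-017 dst=203.0.113.45 method=POST bytes_out=524288 url=http://203.0.113.45/upload
2024-05-01T10:01:00Z host=ws-009 dst=198.51.100.7 method=GET bytes_out=412 url=http://www.example.org/
2024-05-01T10:02:12Z host=ws-042 dst=files.share-example.test method=PUT bytes_out=10485760 url=https://files.share-example.test/up
"""


@dataclass
class Event:
    """A normalized sensor event; `indicator` is the field checked against the feed."""
    ts: str
    sensor: str
    host: str
    indicator: str
    extra: dict = field(default_factory=dict)


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_line(line: str, sensor: str, indicator_key: str) -> Event:
    """Parse a 'timestamp key=value ...' line into an Event (constructed format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    return Event(ts=ts, sensor=sensor, host=fields["host"],
                 indicator=fields[indicator_key], extra=fields)


def parse_logs(dns_text: str, proxy_text: str) -> list[Event]:
    """Normalize both sensors into one event list (DNS uses qname, proxy uses dst)."""
    events = [parse_kv_line(l, "dns", "qname") for l in dns_text.splitlines() if l.strip()]
    events += [parse_kv_line(l, "proxy", "dst") for l in proxy_text.splitlines() if l.strip()]
    return events


def enrich(events: list[Event], feed: dict) -> list[dict]:
    """Keep only events whose indicator is in the feed and attach the feed context."""
    hits = []
    for ev in events:
        ctx = feed.get(ev.indicator.lower())
        if ctx:
            hits.append({"ts": ev.ts, "sensor": ev.sensor, "host": ev.host,
                         "indicator": ev.indicator, **ctx, "extra": ev.extra})
    return hits


def correlate(hits: list[dict]) -> list[dict]:
    """Group enriched hits by host; corroboration by a second sensor adds +10 to the score."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        sensors = sorted({h["sensor"] for h in hs})
        score = max(h["confidence"] for h in hs) + 10 * (len(sensors) - 1)
        # Largest outbound transfer seen by the proxy, useful for the PR.DS-5 data-leak view.
        bytes_out = max((int(h["extra"].get("bytes_out", 0)) for h in hs), default=0)
        alerts.append({"host": host, "sensors": sensors, "score": score,
                       "threats": sorted({h["threat"] for h in hs}), "bytes_out": bytes_out})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def run(dns_text: str = DNS_LOG, proxy_text: str = PROXY_LOG, feed: dict = IOC_FEED) -> list[dict]:
    """End-to-end: parse both sensors, enrich against the feed, correlate per host."""
    return correlate(enrich(parse_logs(dns_text, proxy_text), feed))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the constructed inputs, ws-017 is flagged by both the DNS resolver (a C2 domain lookup) and the proxy (a POST to a staging IP) and scores 90, while ws-042's large PUT to a watched file-sharing domain scores 50; the DNS lookup for www.example.org and the ws-009 browsing never leave the pipeline. The point the column makes is visible in the output: the sensors already existed, and the feed is what turns raw lookups and connections into events with attribution context.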

14) DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events: CTI tooling monitors the external digital footprint of key staff and VIPs to detect cybersecurity events. Personally identifiable information (PII) takedowns are common outcomes.

15) DE.CM-5: Unauthorized mobile code is detected: Mobile application monitoring detects unauthorized mobile code, including any code posted to third-party repositories (GitHub), cloud services or hosting providers (Linode).

16) DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events: CTI feeds and managed service providers can be used to monitor external service providers for potential cybersecurity events. For example, third-party data leaks are a common breach vector for larger enterprises and can be monitored.

17) DE.CM-8: Vulnerability scans are performed: Similar to the above, CTI providers can enrich vulnerability scanners with greater context and external telemetry.

RESPOND

Response Planning

18) RS.RP-1: Response plan is executed during or after an incident: CTI providers can be used for the external investigation component of incident response plans. This is a common way to prepare for various ransomware actors.

Analysis

19) RS.AN-1: Notifications from detection systems are investigated: Beyond network devices, CTI and threat management functions augment incident response to alerts of security events and incidents.

Mitigation

20) RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks: CTI teams submit vulnerabilities validated as exploited in the wild to the appropriate stakeholders for remediation.

Protecting against, detecting and responding to cyber incidents is generally associated with the security operations team and incident responders, who use tools to protect endpoints and servers and to remediate security incidents. While these are critical aspects of complying with NIST, threat intelligence squarely fits into these facets of NIST from an "outside the firewall" approach.

Related: Mapping Threat Intelligence to the NIST Compliance Framework Part 1

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.
