Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution.
When conducting cyberattacks the attackers (or actors) tend to operate using certain patterns of behavior or exploit capabilities. These patterns and capabilities are known as Tactics, Techniques, and Procedures (TTPs). Knowledge of adversarial TTPs permits an organization to develop the right protective measures and responses to address a potential attack. An organization can build their knowledge of attacker TTPs by participating in Information Sharing and Analysis Centers (ISAC) for their industry. An ISAC collects cyber threat information relevant to the industry and its members in order to improve the cyber posture of that industry. Based on the lines of business an organization may consider more than one ISAC. Example You are a manager. Your organization develops cutting edge technology for the aerospace and defense industry. Recent news indicates the industry is facing increased cyberattacks. Several peers share with you that they have experienced these attacks. To better understand the threats, you enroll the organization in the Aviation and National Defense ISACs. As part of the ISACs, you receive reports that help inform your organizational defenses. You attend ISAC meetings where peers share TTPs and best practices. Using what you learned, you conduct open source research on the Internet for additional information about attackers and how they conduct their operations. You use all of this information to improve incident response planning for the organization.
This practice requires that an organization explicitly consider the attacker’s perspective in implementing the organization’s incident response capability. The information necessary to do so can be from public sources, from government, or from third-party threat intelligence organizations. Specially, it is not the intent of this practice to require an internal, organizational threat intelligence capability. See practice RM.4.149 for the creation of this information.