Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
Threat intelligence (see RM.4.149 and SA.3.169) provides an organization with a better understanding of its adversaries and their tactics, techniques, and procedures (TTPs). This understanding helps an organization plan, design, architect, and integrate solutions in a manner that thwarts adversary activity. It should inform the design of the enterprise architecture and of the endpoint monitoring capabilities, and it should drive the planning of threat hunting actions. Threat intelligence is also valuable when an organization builds its defensive playbook: having response and recovery actions planned before an attack occurs is key to efficient and timely defensive cyber operations (DCO). Practice IR.4.100 requires a similar use of adversary knowledge for incident response planning and execution.
Example 1
Your organization recently subscribed to a threat feed service to gain intelligence on adversary actions and on what is currently happening to other organizations. Your DCO team uses the TTPs received from the service each day to hunt for matching activity in your environment. The feed keeps your knowledge of adversary TTPs current and also reports the latest adversary actions observed across the other organizations subscribing to the feed. This information is invaluable for adapting your architecture to specific threats as the information arrives.
Example 2
Your threat feed reports that a specific action against a specific vendor solution is underway at organizations similar to your own. This information is passed to your DCO team for hunting operations, and the architecture team uses it to make targeted adjustments to the organization's enterprise architecture that prevent similar tactics from succeeding in your environment.
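The daily sweep described in Example 1, as an added illustration that is not part of the CMMC practice text or of any NIST publication: indicators delivered by a feed are normalized (feeds commonly "defang" values such as update[.]evil-cdn[.]example so they are not clickable) and then matched against local log lines. The feed rows, log lines, hostnames, addresses and hash are all constructed for this example; the TTP labels are hypothetical placeholders in ATT&CK-style format, not claims about any real campaign.

```python
"""Daily indicator sweep: match a threat feed's indicators against local logs.

Added example; feed rows and log lines below are constructed, not real data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # "domain", "ipv4" or "sha256"
    value: str   # normalized: refanged and lowercased
    ttp: str     # hypothetical TTP label attached by the feed


def refang(value: str) -> str:
    """Undo common defanging so feed values compare equal to what logs contain."""
    return (value.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")
            .replace("[:]", ":").strip().lower())


def load_feed(rows):
    """rows: iterable of (kind, value, ttp) as a feed might deliver them.

    Returns {kind: {normalized_value: ttp}}. Malformed hashes are dropped
    explicitly rather than kept in a form that could never match anything.
    """
    feed = {}
    for kind, value, ttp in rows:
        norm = refang(value)
        if kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", norm):
            continue
        feed.setdefault(kind, {})[norm] = ttp
    return feed


# Token extractors for the indicator kinds the feed carries.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b([0-9a-fA-F]{64})\b")
EXTRACTORS = (("domain", DOMAIN_RE), ("ipv4", IPV4_RE), ("sha256", SHA256_RE))


def hunt(feed, log_lines):
    """Return (line_no, kind, value, ttp) for every feed indicator seen in the logs."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for kind, rx in EXTRACTORS:
            known = feed.get(kind, {})
            for token in rx.findall(line):
                token = token.lower()   # hashes in logs are often upper-case
                if token in known:
                    hits.append((line_no, kind, token, known[token]))
    return hits


# Constructed feed rows (hypothetical indicators and TTP labels).
FEED_ROWS = [
    ("domain", "update[.]evil-cdn[.]example", "T1071.001"),
    ("ipv4", "203.0.113.77", "T1571"),
    ("sha256", "0123456789abcdef" * 4, "T1204.002"),
    ("sha256", "not-a-hash", "T1204.002"),   # malformed row, must be skipped
]

# Constructed log lines from three hypothetical sources (DNS, flow, EDR).
LOG_LINES = [
    "2024-05-02T08:14:03Z dns client=10.0.0.21 query=update.evil-cdn.example type=A",
    "2024-05-02T08:14:04Z conn src=10.0.0.21 dst=203.0.113.77:443 proto=tcp",
    "2024-05-02T08:15:10Z proc host=ws-17 image=inv.exe sha256="
    + "0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef",
    "2024-05-02T08:16:00Z dns client=10.0.0.22 query=www.example.com type=A",
]


def run_daily_sweep():
    """One day's sweep over the constructed data; returns the hit list."""
    return hunt(load_feed(FEED_ROWS), LOG_LINES)


if __name__ == "__main__":
    for line_no, kind, value, ttp in run_daily_sweep():
        print(f"line {line_no}: {kind} {value} -> hunt for {ttp}")
```

Indicator matching of this kind is the cheapest use of a feed and also the most perishable: domains, addresses and file hashes rotate quickly, so each hit should be treated as a lead that points at the associated TTP, and the hunt then continues on the behaviour (the technique) rather than stopping at the atomic indicator.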
DRAFT NIST SP 800-171B
The constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), makes it more likely that adversaries can successfully compromise or breach organizational systems. Accordingly, threat intelligence can be integrated into and inform each step of the risk management process throughout the system development life cycle. This includes defining system security requirements, developing system and security architectures, selecting security solutions, monitoring (including threat hunting), and remediation efforts.
Support References:
• NIST SP 800-30 provides guidance on risk assessments.
• NIST SP 800-39 provides guidance on the risk management process.
• NIST SP 800-160-1 provides guidance on security architectures and systems security engineering.
• NIST SP 800-150 provides guidance on cyber threat information sharing.
NIST CSF v1.1 ID.RA-2, ID.RA-3
Draft NIST SP 800-171B 3.11.1e