Design network and system security capabilities to leverage, integrate, and share indicators of compromise.
Most cyber-defense solutions provide an API (Application Programming Interface) that allows an organization to automate updates to solutions for IoC blocking, hunting, or other mitigation. Automating the process removes the chance of a human mistyping an entry and greatly reduces the time between receiving an indicator and inserting it into the security solution, compared to manual entry. The same automation will push a mistyped, stale, or overly broad feed entry just as quickly, so the pipeline should validate indicators and check them against an allowlist before they reach the enforcement points.

Example 1
Your organization subscribes to a cyber intelligence service. As information comes in, the service provides malicious domains that the organization does not want its assets contacting. Once received, the domains are pushed to the corporate firewall, proxy server, and DNS services for blocking, shrinking the gap between receiving the information and blocking access to the domains. This stops users from retrieving potentially malicious files from those domains.

Example 2
The organization receives information that a specific attack probe is being launched from a foreign system. The threat report identifies the country codes and IP ranges of the attacking machines. Your intelligence processing solution collects this information and adds the IP addresses to the block list of your corporate firewall. Within ten minutes of the automated process updating the firewall, you receive logs of attempts against the corporate website; the log details show that the attempts were blocked. All of this took place without human intervention and prevented the attack from succeeding.
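Both examples rely on an automated path from intelligence feed to enforcement point. The following is an added example, not part of the CMMC text, showing the validation step such a pipeline needs before a domain or address reaches the DNS, proxy, or firewall: it parses a constructed feed, normalizes and deduplicates indicators, rejects malformed entries and anything on an allowlist or inside an internal range, renders BIND Response Policy Zone records and a firewall CIDR list, and then checks constructed firewall log lines to confirm that the pushed ranges were actually blocked (the verification step of Example 2). The feed and log formats, the allowlist, the protected ranges, and the /16 breadth limit are all assumptions; the vendor API call that uploads the result is product-specific and not shown.

```python
# Added example, not from the CMMC text: validate threat-feed indicators before
# automation pushes them to DNS RPZ and firewall block lists (assumed formats).
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed feed, "type,value,source" per line; RFC 5737 documentation
# addresses stand in for attacker infrastructure.
SAMPLE_FEED = """\
domain,malware-drop.example,vendor-feed
domain,MALWARE-DROP.EXAMPLE,vendor-feed
domain,not a domain,vendor-feed
domain,windowsupdate.example,vendor-feed
ipv4,203.0.113.0/24,threat-report
ipv4,203.0.113.7,threat-report
ipv4,10.0.0.5,threat-report
ipv4,999.1.1.1,threat-report
"""
# Constructed firewall log lines used to confirm the pushed rules fired.
SAMPLE_LOGS = """\
2024-05-01T10:02:11Z action=block src=203.0.113.7 dst=192.0.2.10 dport=443
2024-05-01T10:02:15Z action=allow src=198.51.100.3 dst=192.0.2.10 dport=443
2024-05-01T10:03:40Z action=block src=203.0.113.99 dst=192.0.2.10 dport=80
"""

# Hypothetical guard rails: never block these, whatever a feed says.
ALLOWLIST_DOMAINS = {"windowsupdate.example"}
PROTECTED_NETS = [ipaddress.IPv4Network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MIN_PREFIXLEN = 16  # a feed entry broader than /16 is almost certainly a mistake

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
LOG_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) ")


@dataclass
class IngestResult:
    domains: set = field(default_factory=set)
    networks: set = field(default_factory=set)
    rejected: list = field(default_factory=list)  # (raw line, reason)


def ingest(feed_text: str) -> IngestResult:
    """Normalise, validate and dedupe indicators; reject anything unsafe to block."""
    res = IngestResult()
    for raw in filter(str.strip, feed_text.splitlines()):
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 3:
            res.rejected.append((raw, "malformed line"))
            continue
        kind, value, _source = parts
        if kind == "domain":
            value = value.lower().rstrip(".")  # case and trailing dot must not defeat dedup
            if not DOMAIN_RE.match(value):
                res.rejected.append((raw, "invalid domain"))
            elif value in ALLOWLIST_DOMAINS:
                res.rejected.append((raw, "allowlisted"))
            else:
                res.domains.add(value)
        elif kind == "ipv4":
            try:
                net = ipaddress.IPv4Network(value, strict=False)
            except ValueError:
                res.rejected.append((raw, "invalid IPv4"))
                continue
            if net.prefixlen < MIN_PREFIXLEN:
                res.rejected.append((raw, "range too broad"))
            elif any(net.overlaps(p) for p in PROTECTED_NETS):
                res.rejected.append((raw, "overlaps protected range"))
            else:
                res.networks.add(net)
        else:
            res.rejected.append((raw, f"unknown type {kind}"))
    # 203.0.113.7/32 collapses into 203.0.113.0/24, so one rule is pushed, not two.
    res.networks = set(ipaddress.collapse_addresses(res.networks))
    return res


def render_rpz(domains) -> str:
    """BIND Response Policy Zone records; CNAME to '.' makes the resolver answer NXDOMAIN."""
    return "\n".join(f"{d}\tCNAME\t.\n*.{d}\tCNAME\t." for d in sorted(domains))


def blocked_hits(log_text: str, networks) -> list:
    """(timestamp, src) for every blocked connection that came from a pushed IoC range."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, action, src = m.groups()
        if action == "block" and any(ipaddress.IPv4Address(src) in n for n in networks):
            hits.append((ts, src))
    return hits


if __name__ == "__main__":
    result = ingest(SAMPLE_FEED)
    print(render_rpz(result.domains))
    print([str(n) for n in sorted(result.networks)])  # firewall CIDR list
    print(result.rejected)
    print(blocked_hits(SAMPLE_LOGS, result.networks))
```

Run as a script, the RPZ output lists the malicious domain and its wildcard once, despite the feed repeating it in different case; the firewall list contains a single /24 because the host entry inside it was collapsed; the rejected list records why each bad entry was dropped so an analyst can review it; and the log check returns the two blocked attempts from the pushed range, which is the evidence Example 2 describes. The `IPv4Network(..., strict=False)` call is deliberate: feeds routinely send host addresses with a mask (for example a /24 with host bits set), and a strict parse would reject those instead of blocking them.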
CMMC
Sharing IoCs (Indicators of Compromise) with systems across an enterprise strengthens an organization’s ability to thwart adversaries. Designing the security architecture to integrate and rapidly share IoCs increases the likelihood of stopping an attack that is happening at machine speed: an attack that runs in real time and uses automation to increase the speed at which it spreads and performs actions. Effective sharing requires that intelligence services and internal resources process IoC information and deliver it to the systems that need it, so those systems can act on it quickly.
NIST SP 800-53 Rev 4 SI-4(24)