Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.
Establish relationships with external organizations to gather cyber threat intelligence. Periodically review the sources of intelligence to ensure they are up-to-date and relevant [a]. Cyber threat intelligence from external sources should inform situational awareness activities within the organization. Relevant external threat intelligence is reviewed and communicated to stakeholders within the organization for appropriate action if needed [c].
To enhance situational awareness activities, leverage external sources for cybersecurity threat intelligence. Establish a relationship with external organizations, or periodically survey relevant sources, to ensure you are receiving up-to-date threat intelligence information pertinent to your organization.
To enhance situational awareness activities within the organization, leverage external sources for cybersecurity threat information. Establish a relationship with external organizations, or periodically survey relevant sources, to ensure you are receiving up-to-date threat intelligence information pertinent to your organization. Examples of sources include US-CERT, various critical infrastructure sector ISACs, ICS-CERT, industry associations, vendors, and federal briefings.
Threat information is reviewed and, if applicable to your organization, communicated to the appropriate stakeholders for action.
CMMC GUIDE FURTHER DISCUSSION
Cyber threat intelligence may include:
- attacker methodologies, tools, and tactics;
- indicators of specific malware;
- details of specific attacks; and
- high-level information on changing threats [a]. Examples of cyber threat intelligence sources include:
- Department of Homeland Security (ICS-CERT, US-CERT);
- Information Sharing and Analysis Centers (ISACs);
- DoD Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE);
- vendors’ notifications;
- industry groups (e.g., Internet Storm Center, Nextgov, ThreatWatch); and
- law enforcement (e.g., FBI, InfraGard, IC3) [a].
Examples of procedures the organization may implement to effectively receive, respond to, and communicate cyber threat intelligence may include:
- source identification,
- monitoring frequency,
- threat identification,
- threat validation and analysis,
- threat communication,
- procedures for the identification of stakeholders,
- stakeholder communication requirements, and
- tools and techniques for communication [b,c].
An organization may respond to threat intelligence with actions like updating firewall rules, issuing advisories to users, or providing new indicators of compromise to incident response personnel.
This practice, SA.3.169, which ensures receiving and responding to cyber threat intelligence, is a baseline practice for the following practices: IR.2.096, RM.2.141, and RM.3.144. These practices benefit from the use of cyber threat intelligence.
You are in charge of IT operations for your company. Part of your role is to ensure you are aware of up-to-date cyber threat intelligence information so you can properly perform risk assessments and vulnerability analyses. To do this, you join a defense sector ISAC, and sign- up for alerts from US-CERT. You use information you receive from these external entities to update your threat profiles, vulnerability scans, and risk assessments. Also, you use these sources to gather best practices for informing your employees of potential threats and disseminate the information throughout your organization to the appropriate stakeholders.