Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures.

CONTROL ID: 12697
CONTROL TYPE: Technical Security
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain cyber threat intelligence tools., CC ID: 12696

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Predict and block a similar future attack; and (DE.AE-2.1(2), CRI Profile, v1.2)
  • Predict and block a similar future attack; and (DE.AE-2.1(2), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Principle: Firms should use cyber threat intelligence to improve their ability to identify, detect and respond to cybersecurity threats. Effective practices include: - assigning responsibility for cybersecurity intelligence gathering and analysis at the organizational and individual levels; - establ… (Cyber Intelligence and Information Sharing, Report on Cybersecurity Practices)
  • Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders. (SA.3.169, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities. (RM.4.150, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders. (SA.3.169, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting. (SI.4.221, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders. (SA.3.169, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities. (RM.4.150, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting. (SI.4.221, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employ the threat hunting capability [Assignment: organization-defined frequency]. (RA-10b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Employ the threat hunting capability [Assignment: organization-defined frequency]. (RA-10b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ the threat hunting capability [Assignment: organization-defined frequency]. (RA-10b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing co… (3.11.2e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting. (3.14.6e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Assess all-source intelligence and recommend targets to support cyber operation objectives. (T0576, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Apply and utilize authorized cyber capabilities to enable access to targeted networks. (T0570, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Incorporate intelligence equities into the overall design of cyber operations plans. (T0630, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Apply analytic techniques to gain more target information. (T0653, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct target research and analysis. (T0624, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities. (T0641, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Determine what technologies are used by a given target. (T0650, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Incorporate intelligence and counterintelligence to support plan development. (T0705, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Analyze target operational architecture for ways to gain access. (T0567, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify collection gaps and potential collection strategies against targets. (T0715, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Record information collection and/or environment preparation activities against targets during operations designed to achieve cyber effects. (T0804, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Apply cyber collection, environment preparation and engagement expertise to enable new exploitation and/or continued collection operations, or in support of customer requirements. (T0572, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Compile, integrate, and/or interpret all-source data for intelligence or vulnerability value with respect to specific targets. (T0606, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Maintain situational awareness of cyber-related intelligence requirements and associated tasking. (T0741, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Coordinate for intelligence support to operational planning activities. (T0575, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Use intelligence estimates to counter potential target actions. (T0640, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify critical target elements. (T0717, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Contextual Awareness and Analytic Monitoring capabilities are often provided by performance management and cybersecurity functions, including cyber situational awareness, anomaly detection, and performance monitoring. However, the off-the-shelf implementations of these functions are generally insuff… (3.1.5.1 ¶ 2, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Incorporate intelligence equities into the overall design of cyber operations plans. (T0630, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Use intelligence estimates to counter potential target actions. (T0640, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Incorporate intelligence and counterintelligence to support plan development. (T0705, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Record information collection and/or environment preparation activities against targets during operations designed to achieve cyber effects. (T0804, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Maintain situational awareness of cyber-related intelligence requirements and associated tasking. (T0741, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify collection gaps and potential collection strategies against targets. (T0715, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Analyze target operational architecture for ways to gain access. (T0567, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Determine what technologies are used by a given target. (T0650, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Compile, integrate, and/or interpret all-source data for intelligence or vulnerability value with respect to specific targets. (T0606, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Apply cyber collection, environment preparation and engagement expertise to enable new exploitation and/or continued collection operations, or in support of customer requirements. (T0572, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Apply analytic techniques to gain more target information. (T0653, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Apply and utilize authorized cyber capabilities to enable access to targeted networks. (T0570, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Employ the threat hunting capability [Assignment: organization-defined frequency]. (RA-10b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the threat hunting capability [Assignment: organization-defined frequency]. (RA-10b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)