CMMC Weekly Series #14
Posted on August 24, 2020 by Robert Goyette
Before jumping into the practices, let’s discuss the capability for this domain: to implement threat monitoring.
Take a minute and let it sink in: this is the only goal of the domain.
I think we all have a vague idea of what threat monitoring might be, but your imagination may be conjuring up cameras, TVs, and blinking lights, reminiscent of ’80s and ’90s thriller cinema. However, for most things cyber I find it beneficial to imagine the concept – threat monitoring – in a simpler and possibly more familiar setting than server racks, LEDs, and 1’s and 0’s.
Let’s use lifeguarding at the pool for our threat monitoring metaphor. A lifeguard’s job is to make sure all people in and around the pool stay safe. One way they do this is by watching the people and surroundings, looking for possible risks and then reacting to these threats – or preventing them with those shrill whistle bursts. Some of the threats that a lifeguard might look for are:
- Hazardous weather
- People running on the slippery pool deck
- Persons struggling to breathe
- Diving in shallow water
Now let’s try to apply these ideas back to the cyber realm, and more particularly to CMMC. CMMC focuses especially on the protection of information. Thus, as a cybersecurity professional applying the CMMC framework, your job is to make sure all information (including Controlled Unclassified Information, or CUI) on computer systems is protected. Just as in lifeguarding, one way to keep all information safe is to monitor computer systems and search for threats. Some threats you might monitor for are:
- User login attempts from unknown IP addresses.
- Large amounts of data being sent out or across the network.
- Unauthorized users attempting to access sensitive data.
- Malware being executed on an information system.
This list goes on (and on and on as the bad guys never rest), but I think we have a good idea of what some of the practices for this domain might be.
At this point, some of you readers might be thinking that this whole mental exercise is a waste of time and that you should just jump to the practices and start implementing them to get it over with. I think those people are wrong, just like the lifeguards who sit in the chair and swivel their heads but don’t actively search are wrong.
Yes, if you only see CMMC as a requirement that needs to be “checked off” in the fastest and cheapest way possible, then go ahead and implement these practices willy-nilly. Barring a by-the-book auditor, there’s no doubt some of you might get your accreditation.
However, the information you must safeguard will be less secure than that of those who really try to understand the goals of the CMMC domains. Maybe you don’t really care that much about the information; money is the real goal and you just need CMMC to bid on contracts. But when the next despot parades his new hardware and it bears a creepy resemblance to our latest plane, ship or gadget, good luck convincing yourself they didn’t steal those designs from you.
This strikes at the very heart of CMMC: protect American interests, innovations and people from the consequences of intellectual property theft by capable foreign adversaries. In short, try to understand the goals of the domain and the intentions behind the practices.
Enough preaching, on to the practices…
SA.3.169 – Receive and respond to cyber threat intelligence from information sharing forums and sources to communicate to stakeholders.
While in lifeguarding the threats won’t change much, cybersecurity threats change often. This practice wants you to constantly acquire and use the most current information on the changing threats to your organization. Some of these changing threats could be ongoing phishing campaigns, known malicious IP addresses, critical 0-days, and up-to-date tactics, techniques, and procedures of adversaries.
CMMC lists some sources you can use, including US-CERT and ICS-CERT. I would also highly recommend getting a Twitter account and following people in the infosec community, as there are a slew of smart white-hats finding and sharing vulnerabilities all the time.
SA.4.171 – Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
The key to understanding this practice is the last five words: “threats that evade existing controls”. This is not another practice used to stop threats from compromising systems, but rather one to detect when a system has already been compromised. Establishing and maintaining a cyber threat hunting capability is no easy task, and I’m not going to give a step-by-step guide for this. My one piece of advice here is that you can’t just buy a tool to do this for you.
You can and should use tools to aid in threat hunting, but you will need trained personnel as well. There’s no way to go cheap and plug in a single device for this one. As for the indicators of compromise, the MITRE ATT&CK matrix is a great foundation, as is the threat intel you have gained from the last practice.
SA.4.173 – Design network and system security capabilities to leverage, integrate, and share indicators of compromise.
If you saw a failed login attempt on a single computer, that wouldn’t raise any red flags. However, if you see the same account has a failed login attempt on all the systems in a domain, that would be cause for concern. Aggregating and organizing information from all systems on a network will greatly aid your ability to detect indicators of compromise more quickly and accurately. Also, if you have a threat hunting capability and your systems don’t integrate and share indicators of compromise (IOCs) with each other, you aren’t arming your cyber threat hunters very well.
To accomplish this practice, you will probably want a robust log aggregation system that can handle information from all different types of systems. From there you will create dashboards that alert on IOCs by combining information from several different systems.
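As an added example (not code from the post or from CMMC) of the aggregation this practice describes, here is a small Python correlation over constructed authentication log lines that flags an account with failed logins on several hosts inside a short window, the pattern a single host’s log could never reveal. The log format, host names, account names and thresholds are all constructed for the example.

```python
# Added example, not code from the CMMC post: correlate failed logins
# across hosts so an account failing on many systems stands out, which
# a single host's log would never show. The log format is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple "timestamp host auth: user= result=" format.
SAMPLE_LOGS = """\
2020-08-24T09:00:01 ws01 auth: user=jdoe result=FAIL
2020-08-24T09:00:03 ws02 auth: user=jdoe result=FAIL
2020-08-24T09:00:04 ws03 auth: user=jdoe result=FAIL
2020-08-24T09:00:06 fs01 auth: user=jdoe result=FAIL
2020-08-24T09:05:00 ws01 auth: user=asmith result=FAIL
2020-08-24T09:05:30 ws01 auth: user=asmith result=OK
2020-08-24T11:00:00 ws09 auth: user=jdoe result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) result=(?P<result>\w+)$"
)

def failed_logins(lines):
    """Yield (timestamp, host, user) for each FAIL event; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] == "FAIL":
            yield datetime.fromisoformat(m["ts"]), m["host"], m["user"]

def cross_host_failures(lines, window=timedelta(minutes=10), min_hosts=3):
    """Return {user: sorted hosts} for accounts with failed logins on at least
    min_hosts distinct hosts inside some sliding window of length `window`."""
    by_user = defaultdict(list)                  # user -> [(ts, host), ...]
    for ts, host, user in failed_logins(lines):
        by_user[user].append((ts, host))
    flagged = defaultdict(set)
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until every event in it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[user].update(hosts)
    return {u: sorted(h) for u, h in flagged.items()}

if __name__ == "__main__":
    for user, hosts in cross_host_failures(SAMPLE_LOGS).items():
        print(f"ALERT: {user} failed logins on {len(hosts)} hosts: {', '.join(hosts)}")
```

In a real deployment the same logic would run inside the log aggregation platform over every host’s authentication events rather than over a string, but the correlation step is the same.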