Embedded Files
This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system discovers, collects, distributes, and uses indicators of compromise.
NIST 800-53 (r4) Supplemental Guidance:
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack.
NIST 800-53 (r5) Discussion:
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational systems at the host or network level. IOCs provide valuable information on systems that have been compromised. IOCs can include the creation of registry key values. IOCs for network traffic include Universal Resource Locator or protocol elements that indicate malicious code command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that systems and organizations are vulnerable to the same exploit or attack. Threat indicators, signatures, tactics, techniques, procedures, and other indicators of compromise may be available via government and non-government cooperatives, including the Forum of Incident Response and Security Teams, the United States Computer Emergency Readiness Team, the Defense Industrial Base Cybersecurity Information Sharing Program, and the CERT Coordination Center.
38North Guidance:
Meets Minimum Requirement:
Configure and deploy solution(s) to discover, collect, distribute, and use indicators of compromise.
Best Practice: None
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Configurations of solution(s) (e.g., security tools, firewalls, etc.) that discover, collect, distribute, and use indicators of compromise.
CSP Implementation Tips: None
Page updated
Report abuse