MON-11.3: Monitoring for Indicators of Compromise (IOC)
Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC).
Control Question: Does the organization use automated mechanisms to identify and alert on Indicators of Compromise (IoC)?
General (16)
| Framework | Mapping Values |
|---|---|
| CSA CCM 4 | LOG-11 LOG-13 |
| CSA IoT SCF 2 | IAM-08 MON-01 MON-09 |
| GovRAMP High | SI-04(24) |
| ISO/SAE 21434 2021 | RQ-08-03 |
| ISO 27002 2022 | 5.7 |
| NIST 800-53 R4 | SI-4(24) |
| NIST 800-53 R5 (source) | SI-4(24) |
| NIST 800-53 R5 (NOC) (source) | SI-4(24) |
| NIST 800-171 R2 (source) | 3.14.7 |
| NIST 800-171 R3 (source) | 03.14.06.a.01 03.14.06.a.02 03.14.06.b 03.14.06.c |
| NIST 800-172 | 3.11.2e |
| NIST CSF 2.0 (source) | DE.CM |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MON-11.3 |
| SCF CORE ESP Level 1 Foundational | MON-11.3 |
| SCF CORE ESP Level 2 Critical Infrastructure | MON-11.3 |
| SCF CORE ESP Level 3 Advanced Threats | MON-11.3 |
US (9)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | SITUATION-2.D.MIL2 SITUATION-2.E.MIL2 SITUATION-2.F.MIL2 SITUATION-2.G.MIL3 SITUATION-2.H.MIL3 SITUATION-2.I.MIL3 RESPONSE-1.D.MIL3 RESPONSE-1.E.MIL3 RESPONSE-1.F.MIL3 |
| US CMMC 2.0 Level 2 (source) | SI.L2-3.14.7 |
| US CMMC 2.0 Level 3 (source) | RA.L3-3.11.2E |
| US DHS CISA TIC 3.0 | 3.UNI.DTDIS |
| US DHS ZTCF | TRF-01 |
| US FedRAMP R4 | SI-4(24) |
| US FedRAMP R4 (high) | SI-4(24) |
| US IRS 1075 | SI-4(24) |
| US - CA CCPA 2025 | 7123(c)(8)(A) |
EMEA (2)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.4.5(38) 3.4.5(38)(a) 3.4.5(38)(b) 3.4.5(38)(c) |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 5.4 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0120 ISM-1091 |
| APAC Singapore MAS TRM 2021 | 11.3.5 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 3.3.2 |
| Americas Canada ITSP-10-171 | 03.14.06.A.01 03.14.06.A.02 03.14.06.B 03.14.06.C |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to identify and alert on Indicators of Compromise (IoC).
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to identify and alert on Indicators of Compromise (IoC).
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to identify and alert on Indicators of Compromise (IoC).
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled
Continuous Monitoring (MON) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
Continuous Monitoring (MON) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
- Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.
Assessment Objectives
- MON-11.3_A01 anomalous or suspicious behavior is defined.
- MON-11.3_A02 Indicators of Compromise (IOC) are defined.
- MON-11.3_A03 sources that provide Indicators of Compromise (IOC) are defined.
- MON-11.3_A04 Indicators of Compromise (IOC) provided by sources are discovered.
- MON-11.3_A05 Indicators of Compromise (IOC) provided by sources are collected.
- MON-11.3_A06 unauthorized use of the system is identified through techniques and methods.
- MON-11.3_A07 internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information.
- MON-11.3_A08 internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization.
- MON-11.3_A09 personnel or roles to whom Indicators of Compromise (IOC) are to be distributed is/are defined.
- MON-11.3_A10 Indicators of Compromise (IOC) provided by sources are distributed to personnel or roles.
- MON-11.3_A11 personnel or roles to whom Indicators of Compromise (IOC) are to be distributed is/are defined.
- MON-11.3_A12 Indicators of Compromise (IOC) provided by sources are distributed to personnel or roles.
- MON-11.3_A13 organizational systems to search for Indicators of Compromise (IOC) are defined.
- MON-11.3_A14 effective mitigations are identified.
- MON-11.3_A15 intrusion detection approaches are identified.
- MON-11.3_A16 threat hunting activities are identified.
- MON-11.3_A17 advanced automation and analytics capabilities are used to predict and identify risks to organizations, systems and system components are identified.
- MON-11.3_A18 analysts are used to predict and identify risks to organizations, systems and system components are identified.
- MON-11.3_A19 advanced automation and analytics capabilities are employed in support of analysts to predict and identify risks to organizations, systems and system components.
- MON-11.3_A20 threat indicator information and effective mitigations obtained from external organizations are used to guide and inform intrusion detection and threat hunting.
Evidence Requirements
- E-IRO-02 Indicators of Compromise (IOC)
-
Documented evidence of defined Indicators of Compromise (IOC).
Incident Response - E-MON-07 Situational Awareness
-
Documented evidence of the organization leveraging knowledge of event log generation to gain situational awareness of cross-domain activities (e.g., technology issues, security events, policy violations, service provider activities, remote workforce activities, physical security events, etc.).
Event Log Monitoring
Technology Recommendations
Micro/Small
- Managed Security Services Provider (MSSP)
Small
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Medium
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
- Extended Detection and Response (XDR)
Large
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
- Extended Detection and Response (XDR)
Enterprise
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
- Extended Detection and Response (XDR)