
THR-08: Tainting

THR 1 — Low Detect

Mechanisms exist to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved.

Control Question: Does the organization embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved?

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved.

Level 3 — Well Defined

Threat Management (THR) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  o Subscribes to threat feeds to maintain situational awareness of emerging threats.
  o Develops Indicators of Exposure (IOE) to better understand potential attack vectors that attackers could use to attack the organization.
  o Implements a Threat Awareness Program (TAP) that includes a cross-organization information-sharing capability.
  o Implements a “threat hunting” capability to actively identify internal threats.

  • A Security Operations Center (SOC), or similar function:
  • An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of cybersecurity, IT, data privacy and business function representatives that can execute coordinated incident response operations, including a cross-discipline incident handling capability.
  • Cybersecurity personnel enable security awareness training on recognizing and reporting potential indicators of insider threat.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved.

Assessment Objectives

  1. THR-08_A01 the systems or system components with data or capabilities to be embedded are defined.
  2. THR-08_A02 data or capabilities are embedded in systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization.

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
