Companies seeking lucrative contracts with the US Department of Defense (DoD) need to keep their cyberdefenses up to date. That’s why the final two levels of the Cybersecurity Maturity Model Certification (CMMC) focus mainly on advanced persistent threat solutions to account for the biggest and most complex threats to the Defense Industrial Base (DIB) sector.
Top Advanced Persistent Threat Solutions
As the name implies, advanced persistent threats (APTs) are among the most challenging cybercrimes for DIB companies to deal with. The CMMC, published by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), addresses these and all other threats through a framework whose focus grows increasingly advanced across five levels:
- Level 1 – Protect federal contract information (FCI)
- Level 2 – Prepare to protect controlled unclassified information (CUI)
- Level 3 – Protect CUI and prepare for advanced persistent threat detection
- Levels 4-5 – Shift focus from FCI and CUI to advanced persistent threat protection
The CMMC comprises 171 practices distributed across 17 cybersecurity domains. There are 41 practices directly related to APT, implemented across levels 4 and 5. We’ll break them all down in the sections below, adapted from CMMC Volume 1.02, published in March 2020.
Anti-APT Access Control (AC)
Anti-APT solutions begin at level 4 with three “AC” controls:
- AC.4.023 – Control flow of data between domains of security on connected systems
- AC.4.025 – Review and update permissions for access to CUI programs regularly
- AC.4.032 – Restrict remote access to organizational systems according to risk factors defined by the organization, including time, location, user, and network characteristics
Then, level 5 adds one final AC control:
- AC.5.024 – Identify risks of unidentified wireless access points connecting to networks
Anti-APT Asset Management (AM)
The second and final “AM” control is added at level 4:
- AM.4.226 – Employ at least one capability for discovery, identification, and inventory of systems by component, including attributes such as OS type and firmware level
Anti-APT Audit and Accountability (AU)
Level 4 builds out other anti-APT solutions with two “AU” controls:
- AU.4.053 – Automate audit log analysis to facilitate immediate identification and mitigation of critical indicators and suspicious activity, as defined by the organization
- AU.4.054 – Review audit logs for both general and specific (e.g., per machine) activity
And there is one more AU control at level 5:
- AU.5.055 – Identify assets failing to audit or log and restore proper audits and logging
Anti-APT Awareness and Training (AT)
There are two anti-APT “AT” controls in total, both added at level 4:
- AT.4.059 – Hold and regularly update awareness training focused on recognition of and response(s) to social engineering, APT actors, breaches, and suspicious behaviors
- AT.4.060 – Train with practical exercises based on existing risks and dynamic feedback
Anti-APT Configuration Management (CM)
Level 4 builds on anti-APT solutions with one “CM” control:
- CM.4.073 – Utilize “whitelisting” (deny all, permit by exception) and further vetting for apps
And level 5 also adds just one more CM control:
- CM.5.074 – Verify integrity of critical security software, as defined by the organization
Anti-APT Incident Response (IR)
Next, there are two “IR” anti-APT solutions added at level 4:
- IR.4.100 – Use up-to-date information on APTs to inform incident detection and response
- IR.4.101 – Facilitate 24/7 APT response capabilities with a security operations center
Then, level 5 adds another five IR controls:
- IR.5.106 – Utilize forensic data and secure its transfer in response to cyberattacks
- IR.5.102 – Respond with real-time manual and automated methods to irregular activities
- IR.5.108 – Maintain a response team capable of responding to all issues within 24 hours
- IR.5.110 – Test technical and procedural capabilities with unannounced exercises
Anti-APT Recovery (RE)
There are no anti-APT “RE” practices at level 4, just one at level 5:
- RE.5.140 – Design data processing infrastructure to meet organizationally defined security requirements, including but not limited to continuity, redundancy, and availability
Anti-APT Risk Management (RM)
Level 4 adds four “RM” practices to combat APTs:
- RM.4.149 – Maintain and regularly update a catalog of APT profiles and responses
- RM.4.150 – Use threat intelligence to inform the design of system architecture and practices
- RM.4.151 – Scan for unauthorized ports across defined internal and external boundaries
- RM.4.148 – Develop and maintain a plan for mitigating risks associated with supply chain
And level 5 builds on these with two more RM controls:
- RM.5.152 – Develop a risk mitigation plan for exceptions granted to “non-whitelisted” software
- RM.5.155 – Assess defenses annually and update based on updated threat intelligence
Anti-APT Security Assessment (CA)
Level 4 adds more anti-APT solutions with three “CA” controls:
- CA.4.163 – Regularly update “roadmap” for continuous cybersecurity improvement
- CA.4.164 – Conduct regular penetration (pen) tests utilizing AI and human attackers
- CA.4.227 – Perform periodic, complex pen tests (“red teaming”) to prepare for APTs
Anti-APT Situational Awareness (SA)
And level 4 also adds the final two anti-APT “SA” controls:
- SA.4.171 – Establish a “threat hunting” team or function to identify and mitigate particular indicators of compromise common to APTs that elude or evade existing controls
- SA.4.173 – Design networks for integrated production and sharing of APT intelligence
Anti-APT System and Communications Protection (SC)
Next, level 4 adds five “SC” controls:
- SC.4.197 – Utilize physical and logical means of partitioning and isolating information
- SC.4.228 – Isolate or partition network infrastructure defined as critical or high-value
- SC.4.199 – Block server requests from malicious domains using APT intelligence
- SC.4.202 – Analyze executable code that crosses organizationally defined boundaries
- SC.4.229 – Enforce categorization and filtering of URLs based on APT intelligence
And level 5 adds the last three SC practices:
- SC.5.198 – Monitor data packets passing through organizationally defined boundaries
- SC.5.230 – Enforce and ensure compliance with applicable port and protocol regulations
- SC.5.208 – Combine internally developed and externally available boundary protections
Anti-APT System and Information Integrity (SI)
Finally, level 4 incorporates just one “SI” control:
- SI.4.221 – Use intelligence on both threat indicators and effective mitigation tactics to inform detection, analysis, and overall response to actual and potential attacks
And level 5 adds the very last anti-APT solutions across two SI controls:
- SI.5.222 – Minimize execution of typical commands that resemble threat indicators
- SI.5.223 – Monitor for and investigate all instances of irregular or suspicious activity
Professional Advanced Persistent Threat Protection
To reach CMMC compliance at all levels, your company will need to be assessed by a Certified Third-Party Assessment Organization (C3PAO), accredited by the CMMC Accreditation Body. The best C3PAOs offer certification and broader CMMC compliance advisory services tailored to your organization’s exact needs for DoD preferred contractor status.
RSI Security is that C3PAO; our talented team of experts has helped DoD contractors keep their stakeholders and customers safe for over a decade. Ultimately, anti-APT solutions are one element of broader DoD-required cyberdefenses. Nevertheless, to see how powerful your advanced persistent threat solutions and cybersecurity can be, contact RSI Security today!