DE.DP-4 / SI-4 / CIS-8.3 NIST Cybersecurity Framework v1.1

Do you act on threat intelligence about active ransomware groups (TTPs, IOCs, exposed credentials)?

Description

What this control does

This control ensures the organization actively consumes, analyzes, and operationalizes threat intelligence feeds focused on ransomware campaigns, including tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and exposed credentials tied to known threat actors. Security teams must translate raw intelligence into concrete defensive actions such as updating detection rules, blocking indicators, rotating compromised credentials, and prioritizing patching for exploited vulnerabilities. Effective operationalization reduces dwell time and prevents known attack patterns from succeeding against the environment.

Control objective

What auditing this proves

Demonstrate that the organization systematically ingests ransomware threat intelligence and translates it into timely defensive actions including IOC blocking, credential remediation, detection rule updates, and vulnerability prioritization.

Associated risks

Risks this control addresses

  • Ransomware operators exploit known vulnerabilities or credentials exposed in breaches before the organization acts on available threat intelligence
  • Security tools fail to detect or block known ransomware IOCs (file hashes, C2 domains, IP addresses) because intelligence feeds are not consumed or operationalized
  • Threat actors leverage documented TTPs that remain undetected due to missing or outdated detection logic aligned with current campaigns
  • Compromised employee or service account credentials circulating on dark web forums or breach databases are not identified and rotated, enabling initial access
  • Security teams expend effort investigating incidents that could have been prevented with timely application of available threat intelligence
  • Lack of prioritization for vulnerabilities actively exploited by ransomware groups leads to delayed patching and increased attack surface
  • Incident response is slower and less effective due to unfamiliarity with current ransomware group behaviors and tooling

Testing procedure

How an auditor verifies this control

  1. Inventory all threat intelligence sources subscribed to or accessed by the security team, including commercial feeds, ISAC memberships, open-source platforms, and vendor advisories focused on ransomware
  2. Review documented processes or runbooks describing how ransomware threat intelligence is triaged, analyzed, and assigned for action
  3. Select three recent ransomware campaigns or groups active within the past 90 days and verify the organization received relevant intelligence about them
  4. For each selected campaign, trace IOCs (domains, IPs, file hashes, registry keys) from intelligence reports to security tool configurations such as firewall block lists, EDR threat feeds, SIEM correlation rules, or email gateway filters
  5. Examine credential monitoring tools or services and verify exposed organizational credentials from breach databases or dark web sources were identified and resulted in password resets or account disablement
  6. Review detection engineering artifacts (SIEM rules, EDR policies, IDS signatures) updated within the past quarter and confirm alignment with documented TTPs from active ransomware groups
  7. Interview security analysts to assess their awareness of the current ransomware threat landscape and verify they can describe recent campaigns, targeted industries, and typical attack chains
  8. Validate that vulnerability management prioritization includes input from ransomware threat intelligence, and confirm actively exploited CVEs are expedited for patching beyond standard SLA timelines
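
Step 4 above traces IOCs from an intelligence report into tool configurations, and the pass criteria add that this must happen within defined response timeframes. The following is an added example, not part of the control text or any vendor tool: it takes a constructed intelligence report and constructed exports of a firewall CIDR block list, a DNS sinkhole list and an EDR hash block list, and reports for each IOC whether it is blocked, blocked late, or missing. The 24-hour SLA, all indicator values and the timestamps are assumptions.

```python
# Added example (not from the control text): check that IOCs from a ransomware
# intelligence report exist in security tool exports and were applied within the
# response timeframe. Report values and tool exports are constructed.
import ipaddress
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)  # assumed timeframe for IOC blocking
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed receipt time

# Constructed report: .invalid TLD and the TEST-NET documentation ranges.
REPORT = {"received": T0, "iocs": [
    {"type": "domain", "value": "c2.example.invalid"},
    {"type": "ipv4", "value": "203.0.113.7"},
    {"type": "sha256", "value": "ab" * 32},
    {"type": "ipv4", "value": "198.51.100.9"},
]}
# Constructed tool exports: entry -> time the block was applied.
FIREWALL = {"203.0.113.0/24": T0 + timedelta(hours=2)}
DNS_SINKHOLE = {"example.invalid": T0 + timedelta(minutes=90)}
EDR_HASHES = {"AB" * 32: T0 + timedelta(days=2)}  # deliberately outside the SLA

def find_block(ioc, firewall, dns, edr):
    """Return when a tool entry covering the IOC was applied, or None."""
    kind, value = ioc["type"], ioc["value"]
    if kind == "ipv4":  # CIDR blocks cover individual addresses
        addr = ipaddress.ip_address(value)
        hits = [ts for cidr, ts in firewall.items()
                if addr in ipaddress.ip_network(cidr, strict=False)]
    elif kind == "domain":  # a sinkholed parent domain covers its subdomains
        hits = [ts for d, ts in dns.items() if value == d or value.endswith("." + d)]
    elif kind == "sha256":  # hashes compare case-insensitively
        hits = [ts for h, ts in edr.items() if h.lower() == value.lower()]
    else:
        hits = []
    return min(hits) if hits else None

def audit(report, firewall, dns, edr, sla=SLA):
    """Classify each IOC as 'blocked', 'late' (applied after the SLA) or 'missing'."""
    status = {}
    for ioc in report["iocs"]:
        applied = find_block(ioc, firewall, dns, edr)
        if applied is None:
            status[ioc["value"]] = "missing"
        elif applied - report["received"] > sla:
            status[ioc["value"]] = "late"
        else:
            status[ioc["value"]] = "blocked"
    return status
```

Running `audit(REPORT, FIREWALL, DNS_SINKHOLE, EDR_HASHES)` on the constructed data marks the domain and the first IP as blocked, the hash as late, and the second IP as missing, which is the kind of per-campaign trace an auditor can file as evidence for step 4.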

Evidence required

  • Threat intelligence subscription agreements or access logs showing active feeds
  • Screenshots or exports from security tools (firewall, EDR, SIEM, email gateway) demonstrating blocked IOCs or updated detection rules corresponding to recent ransomware campaigns
  • Change tickets or work orders showing credential resets triggered by exposed-password alerts
  • Vulnerability scan reports or patch management dashboards highlighting expedited remediation for ransomware-exploited CVEs
  • Runbooks or standard operating procedures describing threat intelligence operationalization workflows
  • Meeting notes or ticketing system records showing triage and assignment of ransomware intelligence within the past 90 days

Pass criteria

The organization demonstrates continuous ingestion of ransomware threat intelligence and provides documented evidence that IOCs, exposed credentials, and TTPs from at least three recent campaigns were operationalized through security tool updates, credential remediation, detection rule creation, or vulnerability prioritization within defined response timeframes.