NIST Guidance Focuses on Creating 'Cyber Resiliency'Updated Security Approach Designed to Mitigate Ransomware, Nation-State Attack Risks
As ransomware and nation-state attacks have become more destructive, older methods of protecting networks and infrastructure, such as perimeter defenses and penetration resistance, can no longer protect organizations' assets and data.
"Even with doing everything right and having the total resources to put all those safeguards and countermeasures in place, adversaries are not static - they are constantly evolving. They are dynamic, well-resourced and smart," says Ron Ross, a fellow at the National Institute of Standards and Technology. He's the co-author of a draft of an updated NIST publication that addresses these issues and suggests new ways to defend networks against attacks.
The document, called Draft NIST Special Publication 800-160, Volume 2, Revision 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, advocates moving away from perimeter-based defenses and focusing more on building resilient IT systems that can withstand a modern attack by limiting the damage an attacker can inflict on a network or the infrastructure.
This approach falls under NIST's definition of "cyber resiliency," which the agency defines as the "ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources."
Assuming the Worst
Ross notes that the idea of cyber resiliency assumes that the attacker or attackers have either already gained access to a system - NIST defines a system as a conglomeration of hardware, software and firmware - or will gain access to a system at some point.
"What we want to achieve is a system that we call 'cyber resilient' or a system that is sufficiently resilient where it can continue to operate and support critical missions in business operations - even if it's not in a perfect state or even in somewhat of a degraded state," Ross says. "It's hard to pull off because nobody likes to assume that the adversaries have gotten the best them and have gotten inside the system. But that's the reality we are facing today."
The updated draft document is also designed to complement other NIST publications, including those that address system and software life cycle management, systems security engineering and risk management.
NIST is soliciting comments and feedback about the updated SP 800-160 cyber resiliency document now through Sept. 20. A final update to the document should be published by the end of the year, Ross notes.
The NIST draft document sounds themes that are similar to those in a presentation Jen Easterly, the new director of the Cybersecurity and Infrastructure Security Agency, gave at Black Hat 2021 on Thursday, says Tim Wade, a former U.S. Air Force officer who is now the director of the CTO team at security firm Vectra AI (see: CISA's Easterly Unveils Joint Cyber Defense Collaborative).
"The shift in focus from prevention toward resilience has been critical for some time now, and the messaging around this necessity has been amplified as recently as last week with Easterly's Black Hat 2021 keynote calling for federal and community partnership in the face of the failures of prevention and the need for detection, response and recovery capabilities," Wade says.
The updated draft of NIST SP 800-160, which was written by Ross and other NIST staffers, along with experts from the nonprofit MITRE Corp., works from the assumption that an attacker - whether it's a cybercriminal gang, a nation-state group or even a malicious insider - has breached a network or an application and is already inside the infrastructure of the targeted organization.
"What we want to achieve is a system that we call 'cyber resilient' or a system that is sufficiently resilient where it can continue to operate and support critical missions in business operations - even if it's not in a perfect state or even in somewhat of a degraded state."
—Ron Ross, NIST Fellow
This type of attack can happen in many ways, including a breach caused by a phishing email that is opened, or a much more sophisticated supply chain attack, such as when Russian-linked attackers compromised SolarWinds (see: SolarWinds Attackers Accessed US Attorneys' Office Emails).
The draft NIST SP 800-160 paper then offers a series of tools, techniques and approaches that security teams and CISOs can deploy to counter attacks by building more resiliency into networks, including older systems that have already been deployed or new ones built from scratch.
The document includes three major recommendations:
- Update those controls that support cyber resiliency and align those to be consistent with another NIST document called SP 800-53, Revision 5, which is the agency's catalog for Security and Privacy Controls for Information Systems and Organizations;
- Create a single threat taxonomy that organizations can use, which is based on the MITRE Adversarial Tactics, Techniques and Common Knowledge, aka ATT&CK, framework;
- Offer approaches to implement these cyber resiliency techniques that support both the SP 800-53, Revision 5 and the MITRE ATT&CK framework.
Ross notes that NIST decided to pair its cyber resiliency playbook with the MITRE ATT&CK framework to help simplify the approach because so many organizations are moving toward greater adoption of this framework.
"The community at large seems to be moving more toward the MITRE ATT&CK framework as a standardized way to look at how adversaries act, so it was more of a simplification for our customers," Ross says.
The document also demonstrates how cyber resiliency works with "zero trust" architectures to limit attacks and prevent attackers from moving laterally throughout the network, especially through deploying techniques such as network segmentation.
"If you're having that segmentation where you have the different domains, and you're breaking those down into smaller and smaller segments, and you can now apply virtualization techniques - where you can refresh that software very rapidly - you can flush out all the malicious code at a very rapid rate," Ross says.
A Different Approach
Earlier this year, CISA signaled that it was starting to take the approach that NIST outlines in the draft NIST SP 800-160 document, especially when it comes to moving away from perimeter defenses.
In a June letter to Sen. Ron Wyden, D-Ore., about the SolarWinds attack, Brandon Wales, who was then CISA's acting director, wrote that the agency was moving its Einstein intrusion detection system deeper into federal networks to better detect supply chain attacks after its failure to spot the espionage campaign that targeted SolarWinds and its customers, including federal agencies.
Moving Einstein deeper into federal networks, rather than just having it on the perimeter, will allow it to pick up data from endpoints, such as servers and workstations, Wales wrote in the letter (see: CISA Shifting Einstein Detection System Deeper Into Networks).