NIST Updates Guidance on Developing Cyber Resilient Systems
The National Institute of Standards and Technology (NIST) has released a major update to its guidance on developing cyber-resilient systems.
A draft version of the updated guidance – NIST Special Publication 800-160, Volume 2, Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach – has been released which includes updates to reflect the changing tactics, techniques, and procedures (TTPs) of cyber threat actors, who are now conducting more destructive attacks, including the use of ransomware.
Organizations used to be able to focus their resources on perimeter defenses and penetration resistance; however, these measures are no longer as effective as they once were at preventing attacks. A modern approach is now required which requires more resilience to be built into IT systems, which requires measures to be taken to limit the ability of an attacker to damage infrastructure and move laterally within networks.
“The document provides suggestions on how to limit the damage that adversaries can inflict by impeding their lateral movement, increasing their work factor, and reducing their time on target,” explained NIST.
Hackers can gain access to internal networks even with sophisticated perimeter defenses in place, as recent cyberattacks on Colonial Pipeline, JBS Foods, and Kaseya have shown. The initial attack vector could be a phishing email, the exploitation of an unpatched software vulnerability, or even a supply chain attack. All these methods could be used to bypass traditional defenses and gain a foothold in the network. It is therefore critical for safeguards to be implemented to limit the harm that can be caused, which for many organizations will require improvements to their detection, response, and recovery capabilities.
The approach now advocated by NIST is more in line with zero trust, where it must be assumed that an attacker has already gained access to the network, applications, and systems. Organizations therefore need to build in resiliency into their IT systems to ensure that they will continue to function to a sufficient degree to continue to support mission critical business operations.
“What we want to achieve is a system that we call ‘cyber resilient’ or a system that is sufficiently resilient where it can continue to operate and support critical missions in business operations – even if it’s not in a perfect state or even in somewhat of a degraded state,” said NIST fellow Ron Ross.
The updates to the guidance cover three key areas:
- Updated controls that support cyber resiliency, in line with the recommendations detailed in NIST Special Publication SP 800-53, Revision 5 – Security and Privacy Controls for Information Systems and Organizations.
- The creation of a single threat taxonomy for organizations in line with MITRE’s Adversarial Tactics, Techniques, and Common Knowledge [ATT&CK] framework.
- The addition of detailed mapping and analysis of cyber resiliency implementation which support NIST SP 800-53 controls and the MITRE ATT&CK framework techniques, mitigations, and candidate mitigations.
NIST’s cyber resiliency techniques were combined with the MITRE ATT&CK framework because of the high level of adoption of the MITRE ATT&CK framework, with the aim being to simplify the approach to building more resilient systems.
The guidance document was updated by NIST Fellow Ron Ross, NIST supervisory computer scientist Victoria Pillitteri, and Richard Graubart, Deborah Bodeau, and Rosalie McQuaid of MITRE.
NIST is seeking feedback on the draft version of the guidance document until September 20, 2021. The final version of the guidance is due to be published before year end.