NIST Wants Feedback on Draft Guidance About Developing Cyber Resilient Systems

The National Institute of Standards and Technology (NIST) has published an important update to its guidance on creating cyber-resilient systems.

The draft of the revised guidance NIST Special Publication 800-160, Volume 2, Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach – has been published which consists of updates to show the evolving tactics, techniques, and procedures (TTPs) of cyber threat actors, who are currently performing more dangerous attacks, with the usage of ransomware.

Companies once were able to put their assets on perimeter security and penetration resistance, but now these measures are not as efficient as they used to in preventing attacks. A contemporary approach is currently necessary to build more resilience into IT systems. Measures must be undertaken to restrict an attacker’s ability to cause damage to infrastructure and proceed laterally inside networks.

NIST explained that the document gives recommendations on how to restrict the problems that adversaries can cause by interfering with their lateral motion, escalating their work factor, and lowering their time on target.

Hackers could obtain access to internal systems despite the advanced perimeter defenses set up, as the latest cyberattacks on JBS Foods, Colonial Pipeline, and Kaseya have demonstrated. The preliminary attack vector can be a phishing email, the attack of an unpatched application vulnerability, or possibly a supply chain attack. All these strategies can be employed to circumvent traditional security and get a foothold in the system. It is consequently crucial for security measures to be enforced to restrict the hurt that may be caused, which for a lot of companies will call for enhancements to their identification, response, and recovery abilities.

The approach currently recommended by NIST is more consistent with zero trusts, where it should be believed that an attacker has actually acquired access to systems and software programs. Companies consequently must develop resiliency into their IT systems to make sure that they are continuing to operate to a satisfactory level to carry on to support mission-critical business functions.

NIST fellow Ron Ross explains that what needs to be achieved is a system that is ‘cyber resilient’ or a system that’s adequately robust where it can go on to operating and supporting critical missions in company functions – although it’s not in the best state or even in rather of a degraded condition.

The guidance updates include three important areas:

  • Up-to-date controls that help cyber resiliency, consistent with the suggestions specified in NIST Special Publication SP 800-53, Revision 5 – Security and Privacy Controls for Information Systems and Organizations.
  • The development of one threat taxonomy for companies consistent with MITRE’s Adversarial Tactics, Techniques, and Common Knowledge [ATT&CK] platform.
  • The inclusion of comprehensive mapping and evaluation of cyber resiliency implementation which help NIST SP 800-53 controls and the MITRE ATT&CK framework strategies, mitigations, and candidate mitigations.

NIST’s cyber resiliency methods were merged with the MITRE ATT&CK framework due to the high degree of usage of the MITRE ATT&CK framework, having the goal of streamlining the approach to creating more resilient programs.

The guidance document was modified by NIST supervisory computer scientist Victoria Pillitteri, NIST Fellow Ron Ross, and Richard Graubart, Rosalie McQuaid, and Deborah Bodeau of MITRE.

NIST is accepting responses regarding the draft edition of the guidance document up to September 20, 2021. The finalized version of the guidance is going to be released before the end of the year.