See All Posts

Adversary Emulation

Grandpa’s New Shoes—or How Compliance Learned to Love Adversary Emulation

Published December 15, 2020

The alignment of NIST 800-53 and MITRE ATT&CK creates a unique opportunity for red, blue, and white teams to understand each other—and how they can work together to build a fully compliant and mature cybersecurity program. Read More

Introduction: Aligning two global cybersecurity frameworks, NIST 800-53 and MITRE ATT&CK

If you’re like most people who’ve spent any time in the world of cybersecurity, you’ve probably heard about what I like to call the “Grandfather of Cybersecurity Control Frameworks” – National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. Now in it’s fifth major revision and having celebrated its 15th birthday, it is perhaps not a senior citizen in human age. But SP 800-53 has lived a functional lifetime with us, as our human lives are increasingly lived through digital experiences at work and at play. 

Septuagenarians are not often known for their fashion sense – and the same could be said of SP 800-53 and cybersecurity compliance. Often the land of detail orientation, painful manual audits and evidence production, many cybersecurity professionals, especially those new to the field, may take a dim view of the frameworks and the control objectives they specify. Yet that would be to overlook the value of experience and underestimate how much the NIST security control community has transformed cybersecurity for the better. 

The fact is, there is a lot of value to the frameworks that often gets passed over by those focused on the latest buzzword of the day, and it’s not value in the vein of Pink Floyd’s old aphorism, “You can’t have your pudding if you don’t eat your meat”, either. Through the enabling work of MITRE Engenuity and the Center for Threat-Informed Defense, the elder statesman of NIST 800-53 has gotten a rather snazzy new pair of shoes through a direct connection between it and the fashionable new kid on the block, MITRE ATT&CK.

So let’s talk about those new shoes, shall we?

Now that MITRE Engenuity’s Center for Threat-Informed Defense has brought these two frameworks together, it creates a unique opportunity for red, blue and white teams to all understand each other—and how their roles contribute to each other’s desired outcomes as part of an end-to-end cybersecurity program. How does the alignment between the NIST 800-53 framework and ATT&CK achieve this end?

  • Red teams can now direct their operations against a specific, known set of security controls. Red teams are traditionally responsible for testing the effectiveness of the organization’s defense security controls; the NIST framework clarifies the compliance implications of the red team’s activities. The red team can now understand not only how the defensive team’s technical controls can mitigate their behaviors, but also how those controls fit into the NIST 800-53 framework. 
  • Blue teams can now see clearly how their defense technologies support the organization’s security compliance. Blue teams are responsible for the design, operation, and management of the organization’s detection and response capabilities; armed with real data about their security program performance against NIST 800-53, the blue team can make adjustments to better meet its regulatory requirements and improve the organization’s overall audit readiness. 
  • White teams gain greater clarity from the NIST-ATT&CK alignment about the organization’s overall security performance. White teams often include an organization’s auditors, and they have traditionally depended on interviews and log entries for their audit evidence. This new approach streamlines audit processes through real performance data, allowing the white team and everyone in the organization to operate off the same page. Armed with clear performance data and a clear line-of-sight into the blue and red team’s automated defensive testing activities, white teams can better assess the organization’s overall security effectiveness and ensure regulatory success. 

How do you get yourself this new pair of shoes?

Easy. Through adoption of the AttackIQ Security Optimization Platform, our subscribers have access to Assessment Templates that make the power of this alignment simple to harness and use for all of the above use cases. Instead of the usual, slow cycle of evidence production, compliance can be demonstrated through evaluating and improving the security controls that are already in place. 

We’d love to show you how to make this happen. Come sign up for the AttackIQ Academy course on aligning NIST 800-53 to MITRE ATT&CK and learn all about how you too can be rocking the hottest kicks on the block.

TAGS:

Adversary Emulation , MITRE ATT&CK , NIST

About the Author

  • Mark Bagley
    Mark Bagley
    Mark Bagley, VP, Product Management, Mark brings over two decades of strategic and technical experience across product management, cybersecurity, network engineering, and data center environments. Before joining AttackIQ, he was the Vice President of Products at Verodin, now part of FireEye, where he led product management, software delivery and security threat research. Prior to Verodin, he held roles in Product Management at Cisco as well as other Product Management, Strategy, and Business Development roles at Symantec, Splunk, and EMC. Mark has worked with thousands of customers spanning over 20 countries in developing cybersecurity and data protection offerings for commercial and government organizations. Learn More