What is NIST?
NIST is the U.S. National Institute of Standards and Technology. Formerly the National Bureau of Standards, NIST is responsible for maintaining and promoting technology measurement and standards in the U.S. The organization was founded in 1901 and is a non-regulatory federal agency within the U.S. Department of Commerce. The aim of NIST is to promote U.S. innovation and industrial competitiveness.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is a comprehensive, digestible framework of cybersecurity best practices. Originally intended for U.S. public and private sector organizations, the “NIST Framework” was developed through a collaborative multi-stakeholder process and has since evolved into a leading reference for cybersecurity controls worldwide.
The NIST Framework originates in a set of standards and guidelines published by NIST in 2005 as recommended approaches for federal agencies to apply to cyber risk management. This document, “Recommended Security Controls for Federal Information Systems”, known as Special Publication 800-53, was also widely adopted by businesses in a diverse range of industries given the lack of broader standards at the time.
The evolution of Special Publication 800-53 into the NIST Framework was in part driven by the failure of the U.S. Cybersecurity Act, which was rejected by Congress in 2012. In 2018, following consultation with businesses and the cybersecurity industry, NIST published version 1.1 of the Framework. Updates included guidance around self-assessments, supply chain risks, and vulnerability disclosures.
How Can Organizations Use the NIST Cybersecurity Framework?
The NIST Framework helps organizations understand their cybersecurity risks inclusive of threats, vulnerabilities, and impacts. The framework also provides details on how organizations can mitigate risks using customized measures.
For enterprises that have experienced a successful cyberattack, the NIST Framework also provides recommendations on how to respond and recover, including direction on analyzing the root causes of attacks and vulnerabilities and how to address them.
The substance of the NIST 800-53 Framework lies in the 18 Control Families it covers, which include diverse areas of cybersecurity from Access Control to System and Service Acquisition. The Control Families house the Controls themselves, as well as any Control Enhancements that have been established to offer more prescriptive guidance on how a given Control should be implemented.
How Does MITRE ATT&CK® Align with the NIST Framework?
Administered by the MITRE Corporation, MITRE ATT&CK is a globally accessible repository of adversary tactics and techniques based on real-world observations. The ATT&CK Framework is used for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
MITRE ATT&CK complements the NIST Framework, which does not list actionable tactics, techniques, and procedures (TTPs). In providing a list of standard controls, NIST is one side of the security coin, with ATT&CK’s list of TTPs the other.
By creating a comprehensive and open, curated set of mappings between NIST Framework controls and ATT&CK techniques, defense teams in enterprises can focus on how the controls relate to adversary TTPs of most relevance to them. This alignment marries a threat-informed approach to defense, focused on adversaries’ likely behaviors, to the world’s leading security control regulatory framework.
What are the Benefits of Using the NIST Framework in Combination with MITRE ATT&CK?
The alignment of the NIST Cybersecurity Framework with MITRE ATT&CK enables organizations to leverage a complete threat-informed defense. NIST provides a list of controls that are of use to “blue” teams (i.e., defenders) within organizations, whereas ATT&CK comprises the TTPs that “red” teams (i.e., attackers) can use to try to penetrate their organization’s defenses. Combined, they enable a “purple” team approach whereby blue and red teams work together to ensure the highest levels of security are in place across the enterprise.
Aligning the two frameworks allows for the fusion of risk management and threat management. That approach delivers benefits to all elements of an organization’s security team:
- Red teams can direct their operations against a specific, known set of security controls. The red team can now understand not only how the defensive team’s technical controls can mitigate their behaviors, but also how those controls fit into the NIST 800-53 framework.
- Blue teams can see how their defense technologies support the organization’s security compliance. With real data about their security program performance against NIST 800-53, the blue team can adjust its controls to better meet regulatory requirements and improve the organization’s overall audit readiness.
- White teams gain greater clarity from the NIST-ATT&CK alignment about the organization’s overall security performance (white teams often include an organization’s auditors, and they have traditionally depended on interviews and log entries for their audit evidence).
The integrated NIST-ATT&CK perspective provides security leaders with clarity about overall program readiness in relation to known threats and the existence of compensating security controls for all the relevant NIST 800-53 Control Families. The net result is that the organization better understands where gaps exist—and where the organization may benefit from additional security investments to better adhere to specific Control Families. With that information, security leaders can prioritize investments and make longer-term budgeting and resource-allocation decisions.
How Can Organizations Operationalize the NIST and ATT&CK Frameworks?
One way for security teams to derive value from the NIST and ATT&CK frameworks is to integrate them into an automated testing platform. Doing so enables security leaders to measure and test the effectiveness of their internal controls in detecting and responding to threats described by ATT&CK. They can simultaneously determine the degree to which their people, processes, and technologies comply with NIST requirements.
The alignment and operationalization of NIST and MITRE ATT&CK mean that businesses and government agencies can move beyond compliance to understanding the true effectiveness of their security controls. Using an automated testing platform, organizations can repeatedly stress-test NIST-compliant controls using real-world scenarios, greatly improving their overall security posture.
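The two ideas above, a curated mapping from NIST 800-53 controls to ATT&CK techniques and test results that show whether a mapped control actually performs, can be combined into a simple gap analysis. The script below is an added illustration and is not code from AttackIQ, MITRE or NIST. The control identifiers (AC-2, SI-4, ...) and technique identifiers (T1078, T1059, ...) are real NIST SP 800-53 and ATT&CK IDs, but the mapping pairs, the threat profile and the test scores are constructed sample data, not the published mappings or any real test run. It sorts each relevant technique into three buckets: no control maps to it (a control gap), controls map to it but none passed its tests (compliance on paper only), or at least one mapped control demonstrably works.

```python
"""Gap analysis over a NIST 800-53 control -> ATT&CK technique mapping.

Added example, not the page's or any vendor's own code. All data below is
constructed for illustration: the IDs are real, the pairings are not claims
about the official mappings.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample mapping: which techniques each control is assumed to mitigate.
CONTROL_TO_TECHNIQUES: Dict[str, Set[str]] = {
    "AC-2": {"T1078"},                    # Account Management -> Valid Accounts
    "AC-6": {"T1078", "T1068"},           # Least Privilege
    "CM-7": {"T1059", "T1204"},           # Least Functionality
    "SI-4": {"T1059", "T1078", "T1046"},  # System Monitoring
    "SC-7": {"T1046"},                    # Boundary Protection
}

# Constructed threat profile: techniques this organization considers most relevant.
RELEVANT_TECHNIQUES: Set[str] = {"T1078", "T1059", "T1046", "T1566"}

# Constructed results of an automated test run: fraction of test cases in which
# the control behaved as expected (1.0 = every test passed).
TEST_RESULTS: Dict[str, float] = {
    "AC-2": 1.0, "AC-6": 0.5, "CM-7": 0.0, "SI-4": 0.75, "SC-7": 1.0,
}


def invert_mapping(control_to_techniques: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Turn control -> techniques into technique -> controls."""
    technique_to_controls: Dict[str, Set[str]] = defaultdict(set)
    for control, techniques in control_to_techniques.items():
        for technique in techniques:
            technique_to_controls[technique].add(control)
    return dict(technique_to_controls)


def control_family(control_id: str) -> str:
    """NIST 800-53 IDs are FAMILY-NUMBER; 'AC-2' belongs to Control Family 'AC'."""
    return control_id.split("-", 1)[0]


def mapped_controls(relevant: Iterable[str],
                    control_to_techniques: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """For each relevant technique, the sorted list of controls mapped to it."""
    technique_to_controls = invert_mapping(control_to_techniques)
    return {t: sorted(technique_to_controls.get(t, set())) for t in sorted(relevant)}


def gap_analysis(relevant: Iterable[str],
                 control_to_techniques: Dict[str, Set[str]],
                 test_results: Dict[str, float],
                 threshold: float = 0.8) -> Dict[str, List[str]]:
    """Classify each relevant technique as 'unmapped', 'ineffective' or 'covered'.

    A control with no test result is treated as unproven (score 0.0), so an
    untested control never counts as effective coverage.
    """
    result: Dict[str, List[str]] = {"unmapped": [], "ineffective": [], "covered": []}
    for technique, controls in mapped_controls(relevant, control_to_techniques).items():
        if not controls:
            result["unmapped"].append(technique)
        elif any(test_results.get(c, 0.0) >= threshold for c in controls):
            result["covered"].append(technique)
        else:
            result["ineffective"].append(technique)
    return result


def family_coverage(relevant: Iterable[str],
                    control_to_techniques: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Which relevant techniques each NIST Control Family addresses (mapped, not tested)."""
    families: Dict[str, Set[str]] = defaultdict(set)
    for technique, controls in mapped_controls(relevant, control_to_techniques).items():
        for control in controls:
            families[control_family(control)].add(technique)
    return {f: sorted(ts) for f, ts in sorted(families.items())}


if __name__ == "__main__":
    for bucket, techniques in gap_analysis(RELEVANT_TECHNIQUES, CONTROL_TO_TECHNIQUES, TEST_RESULTS).items():
        print(f"{bucket:>12}: {', '.join(techniques) or '-'}")
    for family, techniques in family_coverage(RELEVANT_TECHNIQUES, CONTROL_TO_TECHNIQUES).items():
        print(f"family {family}: {', '.join(techniques)}")
```

With the constructed data, T1566 has no mapped control at all, T1059 is mapped to CM-7 and SI-4 but neither passed its tests at the 0.8 threshold, and T1078 and T1046 each have at least one control that performed. The first bucket is the kind of gap a mapping alone reveals; the second is the kind that only appears once controls are exercised, which is the distinction between compliance and effectiveness the text draws.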
Historically, resource limitations have presented challenges to organizations looking to build purple teams. Only large, regulated organizations such as investment banks or the military have been able to build holistic programs spanning security control compliance and cyberthreat intelligence. However, the advent of automated breach and attack simulation platforms means that it is now possible for all organizations to combine the NIST Framework and MITRE ATT&CK in a unified, threat-informed approach.
CISO’s Guide to NIST Security Control Compliance
Aligning the ATT&CK framework with the NIST security control structure helps close gaps in an organization’s security ecosystem.
Cybersnacks Episode 3: MITRE ATT&CK and NIST 800-53
Tune in to find out how red, blue and white teams each can play a part in compliance mapping and enforcement, and how AttackIQ’s Security Optimization Platform helps each team perform its roles and responsibilities.