Achieve Cybersecurity Compliance Effectiveness With AttackIQ

Validating NIST 800-53 and DoD’s CMMC with MITRE ATT&CK and AttackIQ

Cybersecurity frameworks are the key starting point for any organization that wants to meet regulatory and contractual obligations and demonstrate security readiness to leadership. Still, compliance is hard, and every organization struggles to prove it.

Today, you can change the game by using AttackIQ’s Security Optimization Platform and the MITRE ATT&CK framework to validate security control compliance, beginning with NIST 800-53 and the Defense Department’s Cybersecurity Maturity Model Certification (CMMC).

Why is this a big deal, and how does AttackIQ help?

Over the last decade, the cybersecurity compliance landscape has grown increasingly complex. A few frameworks, however, have become the de facto standards around which other regulations are built, and chief among them is the National Institute of Standards and Technology (NIST) 800-53 family of security controls. NIST 800-53 is a collection of best practices for security control management, and it is the most important set of security controls in the cybersecurity community.

Recently, on the basis of NIST 800-53, the U.S. Department of Defense launched its Cybersecurity Maturity Model Certification (CMMC), requiring that every DoD contractor that handles unclassified DoD-related information achieve security certification. The purpose is to ensure that contractors defend Defense Industrial Base data effectively. The DoD certification consists largely of NIST 800-53 security controls.

At AttackIQ, we have designed our Security Optimization Platform to test and validate that your security controls work in effective compliance with your most important cybersecurity frameworks.

We have started with the NIST 800-53 family of security controls and CMMC, building on ground-breaking research in the process. In late 2020, MITRE Engenuity’s Center for Threat-Informed Defense mapped the NIST 800-53 family of security controls to the adversary behaviors described by the MITRE ATT&CK framework, a publicly available repository of adversary tactics, techniques and common knowledge. Our technology operationalizes MITRE Engenuity’s research to help you achieve compliance effectiveness for these two frameworks.

How does AttackIQ’s Security Optimization Platform do this?

The alignment of NIST 800-53, CMMC, and ATT&CK marries a threat-informed approach to defense, focused on adversaries’ likely behaviors, to the world’s leading cybersecurity regulatory framework.

When the frameworks are integrated into AttackIQ’s Security Optimization Platform, security teams can measure and test how effectively their internal controls detect and prevent the ATT&CK TTPs that map to NIST 800-53 and CMMC controls. The platform’s compliance functionality also provides evidence of the controls’ effectiveness, which auditors can use to confirm the agency’s or company’s NIST and CMMC compliance.

Let’s walk through an example of how you might do this with the Security Optimization Platform. We will use the new Assessment Template to evaluate security technology performance using the tactics and techniques of the MITRE ATT&CK framework in accordance with NIST 800-53.

1. Assessment. Figure 1, below, is an Assessment Template showing MITRE ATT&CK Tactics and their associated Scenarios in the Security Optimization Platform, ready to run against your security technologies. The AttackIQ Security Optimization Platform offers broad coverage across all the MITRE ATT&CK Tactics relevant to the specified controls, and more Scenarios are delivered to customers on a regular basis as the platform evolves.

Figure 1: Assessment that evaluates security technologies against adversary behaviors according to NIST 800-53.

2. Prevention and Detection Results. Figure 2, below, shows the Results Summary view of the AttackIQ Security Optimization Platform, and how your technologies fared against 111 unique techniques aligned with NIST 800-53.

Figure 2: Prevention and detection results.


3. MITRE ATT&CK Heatmap. Figure 3, below, is a MITRE ATT&CK Matrix view showing how well your security technologies performed when evaluated against 111 techniques. In our hypothetical example below, a Carbon Black configuration was assessed using adversary behaviors that directly correspond to the controls specified in 800-53. Once you have had a chance to review the areas in your configuration that you would like to improve, the Security Optimization Platform generates more detail about specific steps you can take to improve your security effectiveness.

Figure 3: MITRE ATT&CK Navigator heatmap showing security effectiveness.


4. Remediation Report. Figures 4.1 and 4.2, below, show a remediation report; it provides data and guidance to help you configure your technologies to produce a more effective result. In this case, you see how the Security Optimization Platform used encoded PowerShell commands to bypass local execution policies, a common technique used by PowerShell Empire (as well as other tools that adversaries use). The detail included here will help you improve how your technologies block adversary behavior, thereby achieving the objective of the 800-53 control and improving your overall security posture. It is also easy to schedule the Assessment to run on a continuous basis to produce visibility into how your security program performs—and your state of compliance—over time.

Figure 4.1: Remediation report (title page).


Figure 4.2: Remediation report (detail).
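As an added example (not code from this page or from the AttackIQ platform), here is a small defender-side check that surfaces the behavior the remediation report describes: a PowerShell launch that sets the execution policy to Bypass and carries an encoded command, with the command decoded so an analyst can see what actually ran. The record format, field names and sample lines are constructed assumptions, loosely modelled on process-creation events.

```python
import base64
import re

# Constructed sample process-creation records (not from the page or the
# AttackIQ platform), in the form "pid|image|command_line".
_ENCODED = base64.b64encode("Write-Output 'hi'".encode("utf-16le")).decode()
SAMPLE_LOGS = [
    "4120|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\a\\notes.txt",
    "4188|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\ops\\backup.ps1",
    "4201|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    f"powershell.exe -NoP -W Hidden -ep bypass -enc {_ENCODED}",
]

# powershell.exe accepts unambiguous prefixes of its parameter names, so the
# patterns cover the common short forms as well as the full names.
POLICY_BYPASS = re.compile(r"-(?:ep|ex(?:ec(?:utionpolicy)?)?)\s+bypass", re.I)
ENCODED_CMD = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(blob: str):
    """-EncodedCommand takes base64 of UTF-16LE text; return the text or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_record(record: str):
    """Return a finding for a suspicious PowerShell launch, else None."""
    pid, image, cmdline = record.split("|", 2)
    if image.lower().rsplit("\\", 1)[-1] not in ("powershell.exe", "pwsh.exe"):
        return None
    enc = ENCODED_CMD.search(cmdline)
    bypass = POLICY_BYPASS.search(cmdline) is not None
    if enc is None and not bypass:
        return None  # ordinary, policy-respecting PowerShell use
    return {
        "pid": int(pid),
        "policy_bypass": bypass,
        "encoded_command": enc is not None,
        "decoded": decode_encoded_command(enc.group(1)) if enc else None,
    }


def scan(records):
    """Run the check over every record and keep only the findings."""
    return [f for f in map(analyze_record, records) if f]
```

A control that maps to this behavior should block or alert on the third record while leaving the signed-script launch in the second record alone.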

DoD’s Cybersecurity Maturity Model Certification (CMMC)

AttackIQ’s Security Optimization Platform validates CMMC compliance in a similar fashion, although the Assessment interface is somewhat different. Figure 5, below, is an Assessment Template showing MITRE ATT&CK Tactics and their associated Scenarios in the Security Optimization Platform, ready to run against your security technologies and aligned to the CMMC capabilities listed on the left. The Security Optimization Platform produces the same analytic views as above: security effectiveness results, a MITRE ATT&CK heatmap, and reports you can use to adjust your security controls and achieve CMMC compliance. For more on how AttackIQ can help you achieve CMMC compliance, please click here for our CMMC-specific compliance document.

Testing alone does not enable compliance — it takes continuous effort and expert analysis on the part of experienced professionals to ensure that regulatory requirements are met in full. Effective compliance therefore involves a layered interplay of people, processes, and technologies.

Yet the only way to know if you have adequately implemented a security control is to actively test that it works.

Manual testing is a labor-intensive investment that can be difficult to scale across an enterprise. AttackIQ’s Security Optimization Platform tests your security controls continuously, at scale, and in production to generate real insights about your security program effectiveness.

Learn to Achieve NIST 800-53/CMMC Compliance Effectiveness with MITRE ATT&CK and AttackIQ

We offer a free course through AttackIQ Academy so that you can learn how to achieve NIST and CMMC compliance effectiveness with MITRE ATT&CK and AttackIQ. Our course is taught by one of the world’s leading practitioners of threat-informed defense, a former Marine who helped build some of the United States’ most innovative national security teams and is now educating the public about best practices in threat-informed defense and cybersecurity. For that course, please enroll here.

For customers interested in learning about how to improve their overall compliance process, we have built a compliance mapping blueprint for existing customers to use. In its beta version, this blueprint provides a flexible means to address some of the issues mentioned above. For existing customers interested in learning more about this blueprint, please contact our customer support team here. We will be rolling out more information about our blueprints over the coming weeks and months for our customers and the public. For information on our blueprints process and the journey towards security optimization, please visit our blueprints page here.

We have chosen these two compliance frameworks—NIST and CMMC—on the basis of MITRE Engenuity’s research and the two frameworks’ global importance. With a threat-informed defense approach, we can also help you and your teams meet the requirements of other compliance frameworks, including New York City’s Department of Financial Services regulation, SWIFT, and the Payment Card Industry Data Security Standard (PCI DSS). At the root of compliance effectiveness is real performance data, and our team is available to work with you to achieve your compliance objectives through automated testing and security control validation.