A quick primer on some common cybersecurity frameworks

litwtch
Published in Informal Musings
Aug 20, 2022

As part of my master’s degree thesis project, I’ve been spending some time reviewing the common (non-regulatory) cybersecurity maturity model frameworks and some of the issues in attempting to implement them. I focus on the three most common frameworks here, touch on one of the regulatory frameworks, and talk a bit about the MITRE ATT&CK framework. At the end of this post I also discuss the next steps I have in mind for my own research project and some insights into my goals. Enjoy!

A Note about Regulator-Required Frameworks

One important factor to discuss is the external pressure of existing regulations and laws that govern aspects of cybersecurity across many organizations. These laws and regulations, such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA), include cybersecurity requirements in their respective frameworks. Some organizations are required to follow these frameworks, but organizations that are not subject to them also use them to baseline their own cybersecurity maturity. This post primarily focuses on voluntary cybersecurity maturity model framework implementation, as regulatory frameworks and laws are, for the most part, out of scope for my research.

Commonly Used Cybersecurity Maturity Model Frameworks

NIST Cybersecurity Framework (CSF)

One of the most commonly used and benchmarked frameworks is the NIST Cybersecurity Framework (CSF). This model was developed by the United States Government, but government contractors are not currently required to comply with it. The framework is aligned to five Functions: Identify, Protect, Detect, Respond, and Recover. Each Function represents an aspect of the cybersecurity management lifecycle and contains Categories, Subcategories, and external references for each Category.

Image from: https://kybersecure.com/3-reasons-to-align-with-nist-cybersecurity-framework/

One recurring piece of feedback on this framework is that it states high-level requisites rather than detailed control requirements, which makes it hard to derive specific controls from it. While the NIST CSF is not technically a maturity model, some organizations still use it as one, and that complicates matters for organizations looking for specific ways to improve their maturity.

Center for Internet Security Critical Security Controls (CIS Controls)

A second common model for benchmarking cybersecurity maturity is the Center for Internet Security Critical Security Controls (CIS Controls), which consists of 18 main controls and 153 sub-controls or “safeguards”. Previous versions of the CIS Controls had 20 main controls, but with the 2021 release of CIS Controls version 8 the number of main controls was reduced to 18, and CIS added changes such as documentation on control prioritization.

Image from: https://www.cisecurity.org/insights/white-papers/cis-critical-security-controls-v8-poster

CIS recommends implementing the CIS Controls in prioritized groups, known as Implementation Groups (Center for Internet Security, 2021b). The first Implementation Group, or IG1, is what CIS considers to be the essential cyber controls for any organization to implement and consists of 56 safeguards. The final Implementation Group, or IG3, consists of all 154 Safeguards in the CIS Controls.

One common piece of feedback regarding the CIS Controls is the lack of specific technical control details. A significant portion of the CIS Controls is written in fairly vague language that can be interpreted multiple ways, making it harder for organizations to determine whether they are meeting the control requirements as written. It is worth mentioning, though, that the CIS Controls have been mapped to multiple other cybersecurity frameworks, including the NIST CSF, which can make the framework easier to utilize.

ISO 27000

The third common cybersecurity maturity model framework in use at present is ISO 27000. This international standard, most recently updated in 2018, is widely used by European countries and organizations. It provides standards for information security management systems regardless of the size of the organization.

The ISO 27000 standards include requirements covering physical security controls, risk assessment, and systems acquisition controls, and they focus on the higher-level management aspects of cybersecurity. However, becoming certified against the ISO 27000 standard can be expensive and requires many steps to determine compliance with the controls, which can be prohibitive for organizations.

The MITRE ATT&CK Framework

The MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) Framework is a technical framework developed in 2013 by the MITRE Corporation. The goal of the framework is to focus on adversary behaviors (tactics and techniques) observed in real-world environments and to frame the conversation around adversary activity with a lifecycle model and a common taxonomy.

The framework is organized by Tactics, meaning the adversary's tactical objective for performing an action. These Tactics are often aligned to the phases of the Cyber Kill Chain developed by Lockheed Martin, but they expand the original 7 phases of the Cyber Kill Chain to 14 total Tactics within the ATT&CK Framework. Within each Tactic is a series of Techniques and Sub-Techniques that describe the action the adversary performs to achieve the Tactic's goal. There are significantly more Techniques than Tactics in the ATT&CK Framework, because there are multiple ways to achieve a Tactic's goal. The MITRE ATT&CK Framework Matrix is the visual representation of the relationship between Tactics and Techniques, and can be used to show additional information such as “defensive coverage of an environment, detection capabilities in security products, and results of an incident or red team engagement.”

Image from: https://www.cybereason.com/blog/cybereason-excels-in-2020-mitre-engenuity-attck-evaluations

The MITRE ATT&CK Framework has several Matrix versions that represent the different environments threat actors operate in. These Matrices include techniques applicable to Enterprise, Mobile, and Industrial Control Systems. Within the MITRE ATT&CK Framework there are also mappings to Mitigations and Data Sources that show which techniques each one covers, as well as mappings to threat actors that show which techniques each group is known to use.

MITRE D3FEND

Closely tied to the ATT&CK Framework is the MITRE D3FEND Knowledge Gap Project, which was funded via the Cybersecurity Directorate of the National Security Agency under contract W56KGU-18-D-0004. This project's goal is to specify how to address cyber threats from an engineering perspective. To that end, the offensive techniques outlined in the MITRE ATT&CK Framework are mapped via digital artifacts to the D3FEND countermeasures, which helps identify specifically the “how” of addressing a technique used by a threat actor.

Image from: https://d3fend.mitre.org/

One aspect of the MITRE ATT&CK Framework that makes it incredibly useful for a large number of organizations is its technical modeling of adversary behaviors and of tool detection coverage using publicly available information. Because the MITRE ATT&CK and D3FEND Frameworks are technical in nature, it is easier for organizations to determine whether they have appropriate coverage of the Framework relative to their risk tolerance. The MITRE Corporation has published multiple articles, training resources, and webinars on how to use the ATT&CK and D3FEND Frameworks. However, it can still be hard to know how best to implement the Frameworks, which techniques are applicable and which are not, and how to improve on, or even define, what it means to be a “mature” organization.

Initial Insights from this Review

The MITRE ATT&CK Framework is a technical framework, and as such it focuses primarily on technical engineering and detection methodology. This is helpful for organizations that want to confirm that their detection use cases cover the techniques they are most concerned with, or that they have the ability to detect other techniques based on the log sources they ingest into the Security Operations Center. However, there are other aspects of a Security Operations Center that should be reviewed to identify gaps and areas for maturity growth.
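To make the coverage view described above (the Matrix showing defensive coverage, the Data Source mappings, and the question of which techniques a SOC can actually detect from the logs it ingests) concrete, here is an added example that is not part of the original post or of MITRE's own tooling. The technique-to-data-source table is a constructed subset for illustration, and the status names (`detected`, `rule_unfed`, `detectable`, `blind`) are this example's own; it deliberately separates techniques that have a rule whose required logs are not ingested from those that are genuinely covered.

```python
from collections import defaultdict

# Constructed subset of an ATT&CK-style knowledge base (sample data, not the
# published MITRE matrix): technique ID -> (tactic, data sources needed to see it).
TECHNIQUES = {
    "T1566": ("Initial Access", {"Network Traffic", "Application Log"}),
    "T1059": ("Execution", {"Process", "Command"}),
    "T1078": ("Persistence", {"Logon Session", "User Account"}),
    "T1003": ("Credential Access", {"Process", "Windows Registry"}),
    "T1021": ("Lateral Movement", {"Logon Session", "Network Traffic"}),
    "T1486": ("Impact", {"File", "Process"}),
}


def assess(ingested_sources, detection_rules):
    """Map each technique to the SOC's real coverage state:
    detected   - a rule exists and every log source it needs is ingested
    rule_unfed - a rule exists but a needed log source is missing, so it can
                 never fire (a common false sense of coverage)
    detectable - logs are ingested but nobody has written a rule yet
    blind      - neither logs nor rule
    """
    status = {}
    for tid, (_tactic, needed) in TECHNIQUES.items():
        fed = needed <= ingested_sources
        if tid in detection_rules:
            status[tid] = "detected" if fed else "rule_unfed"
        else:
            status[tid] = "detectable" if fed else "blind"
    return status


def tactic_coverage(status):
    """Per tactic: (techniques actually detected, techniques in that tactic)."""
    cov = defaultdict(lambda: [0, 0])
    for tid, (tactic, _needed) in TECHNIQUES.items():
        cov[tactic][1] += 1
        if status[tid] == "detected":
            cov[tactic][0] += 1
    return {tactic: tuple(v) for tactic, v in cov.items()}


def onboarding_priority(ingested_sources):
    """Rank not-yet-ingested data sources by how many techniques they unlock."""
    counts = defaultdict(int)
    for _tactic, needed in TECHNIQUES.values():
        for src in needed - ingested_sources:
            counts[src] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

With a real ATT&CK export the same logic runs over the full technique list; the onboarding ranking is what turns a Matrix heat map into a concrete "which log source next" decision.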

The NIST CSF, ISO 27000, and CIS Controls are generally less technically detailed than the MITRE ATT&CK Framework, but they do cover non-technical aspects that affect operations within an organization, such as training, documentation, and other inputs that influence an organization's maturity. If training and documentation are inadequate, the ability to act on the detection of a malicious threat is severely compromised, lowering the overall maturity of the organization.

Next Steps

Based on my review of the common cybersecurity maturity model frameworks and of the more technical MITRE ATT&CK Framework, there is an opportunity to combine technical and non-technical maturity models into a single scoring methodology. Drawing on the technical aspects of the MITRE ATT&CK Framework, on existing cybersecurity maturity model framework requirements, and on direct experience reviewing the maturity of Security Operations Center organizations, I have begun to develop a methodology that factors in technical engineering detections, people, processes, and operational aspects. The result is a hybrid cybersecurity maturity model framework that can be used to assess the maturity of a Security Operations Center within an organization. My goal is to publish and solicit feedback on my scoring methodology by the end of 2022.
