NIST Publishes Draft Update of Guidance on Developing Cyber-Resilient Systems

The National Institute of Standards and Technology (NIST) has released a draft version of updated guidance to help organizations improve their defenses against ransomware and other destructive cyberattacks by developing cyber-resilient systems.

Organizations can implement robust perimeter defenses and adopt a defense-in-depth approach to cybersecurity, but recent attacks have shown that even sophisticated perimeter defenses can be breached. Cyber threat actors often target weak links in security such as employees, and typically use social engineering techniques in their phishing campaigns to obtain credentials to gain a foothold in an internal network. Vulnerabilities in software and operating systems are also commonly exploited to bypass perimeter defenses.

The NIST guidance document, Draft NIST Special Publication 800-160, Volume 2, Revision 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, advocates moving beyond traditional perimeter defenses and instead calls for IT systems to be made more resilient to attacks mounted from within the network.

Security teams should assume that their perimeter defenses have already been breached and that unauthorized individuals either already have access to internal resources or will gain it at some point in the future. Safeguards and countermeasures should therefore be put in place to limit the damage that can be done to the network and infrastructure.

According to NIST, cyber resilience is “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources.” The aim should be to implement measures that limit damage to mission-critical IT systems and allow them to continue functioning in support of business operations while an attack is remediated.

“What we want to achieve is a system that we call ‘cyber resilient’ or a system that is sufficiently resilient where it can continue to operate and support critical missions in business operations – even if it’s not in a perfect state or even in somewhat of a degraded state,” said NIST Fellow Ron Ross, who wrote the updated guidance document with assistance provided by other NIST staff and cybersecurity experts at MITRE Corp.

The guidance document describes the tools, techniques, and approaches that IT security teams can adopt to improve cyber resilience, both for legacy systems that are already deployed and as considerations when implementing new IT systems. The guidance also provides advice on zero-trust architectures to prevent or limit lateral movement within networks.

Key aspects of the update include implementing controls that support cyber resilience and aligning those controls with NIST’s Security and Privacy Controls for Information Systems and Organizations (SP 800-53, Revision 5); adopting a single threat taxonomy based on the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework; and adding approaches for implementing cyber resiliency techniques that support SP 800-53, Revision 5 and the MITRE ATT&CK framework.

NIST is seeking comment on the draft version of the guidance until September 20, 2021, with the final version due for publication before year end.