A comparison of framework titans:
MITRE's ATT&CK vs. NIST

Organizations today need to establish a secure network that is both proactive and reactive to cyberattacks. Reactive security focuses on reducing the gravity of an attack and containing the damage. A proactive strategy hardens the security of the organization so risks from an attack are minimized. Although most organizations have some proactive and reactive strategies in place, they might have implemented these without fully understanding their own unique exposure to risks. Implementing cybersecurity frameworks can help. They can list guidelines for streamlining security policies so organizations fully understand their specific risks and can develop curative and preventive measures accordingly.

This article explores and compares two popular cybersecurity frameworks used by organizations across industries: the National Institute of Standards and Technology (NIST) Cybersecurity Framework and MITRE's Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) framework.

The NIST framework in brief

NIST aims to blend industry standards (like FISMA and HIPAA) and best practices (such as risk assessments and asset identification) to help organizations reduce cybersecurity risks. It helps organizations develop a proactive strategy that categorizes assets that need to be protected and helps reduce the risks to these assets. It also advises organizations on the best ways to respond and recover from cyberattacks in case they do happen.

The NIST framework can be divided into three components:

The framework core: This instructs how to implement uniform defense techniques and comply with industry standards.

The core's five functions for managing an organization's cybersecurity risk are:
  1. Identify: Define the processes and assets that need protection.
  2. Protect: Establish safeguards to protect these assets.
  3. Detect: Establish systems and procedures to detect security incidents.
  4. Respond: Design procedures that can mitigate or contain the impact of an incident.
  5. Recover: Develop procedures to resume business operations.

Framework implementation tiers: This NIST component helps organizations assess their security maturity level, referred to as implementation tiers, based on the following factors:

  1. Risk management process: What kind of cybersecurity activities does the organization engage in to mitigate possible risks?
  2. Integrated risk management: Are cybersecurity activities and defense techniques uniformly implemented across the organization?
  3. External participation: How does the organization participate in and contribute to the overall cybersecurity ecosystem?

Framework profile: This component helps organizations define and align their security outcomes, like revisions of the security policy and improvements to the security design, with the associated risks (identified at the "core" stage), and the security maturity level they're currently at (identified in the "implementation tier" stage). Organizations can set this as a "current profile" and then create "target profiles" to determine the maturity levels they aspire to be at.

This approach to understanding the current security posture helps organizations address the different risks they face and invest in appropriate security solutions. Since its introduction, the NIST framework has been widely implemented as a security standard for enhancing security postures.
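The current-profile versus target-profile comparison described above is easy to get wrong when it is done by hand, because an average across functions hides a single weak function. The following Python, an added illustration rather than code from the article or from NIST, models the five core functions and the implementation tiers as a small gap-assessment tool. The tier numbers and names (1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive) are the ones used in CSF v1.1; the profile scores are constructed sample data, and the rule that overall maturity equals the weakest function is a design choice of this example, not a NIST rule.

```python
"""NIST CSF current-vs-target profile gap assessment (added illustration).

Assumptions: the five core functions are those the article lists; tier
numbers and names follow CSF v1.1; the profile scores are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

CORE_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass
class Profile:
    """A profile assigns an implementation tier (1..4) to each core function."""
    name: str
    tiers: dict[str, int]

    def __post_init__(self) -> None:
        # Reject profiles that skip a function or use a tier outside 1..4,
        # so a half-filled questionnaire cannot silently pass as "assessed".
        missing = set(CORE_FUNCTIONS) - set(self.tiers)
        if missing:
            raise ValueError(f"{self.name}: no tier for {sorted(missing)}")
        for fn, tier in self.tiers.items():
            if fn not in CORE_FUNCTIONS:
                raise ValueError(f"{self.name}: unknown core function {fn!r}")
            if tier not in TIER_NAMES:
                raise ValueError(f"{self.name}: tier {tier} for {fn} not in 1..4")

    def overall_tier(self) -> int:
        # Design choice of this example: maturity is bounded by the weakest
        # function, not the average, so one neglected function is visible.
        return min(self.tiers.values())


def gap_analysis(current: Profile, target: Profile) -> list[tuple[str, int, int, int]]:
    """Return (function, current tier, target tier, gap), largest gap first.

    A function already at or above its target has a gap of 0; ties keep the
    Identify..Recover order because sort() is stable.
    """
    rows = []
    for fn in CORE_FUNCTIONS:
        cur, tgt = current.tiers[fn], target.tiers[fn]
        rows.append((fn, cur, tgt, max(tgt - cur, 0)))
    rows.sort(key=lambda row: -row[3])
    return rows


def prioritized_actions(current: Profile, target: Profile) -> list[str]:
    """Human-readable work list for the functions that still have a gap."""
    return [
        f"{fn}: raise from tier {cur} ({TIER_NAMES[cur]}) "
        f"to tier {tgt} ({TIER_NAMES[tgt]})"
        for fn, cur, tgt, gap in gap_analysis(current, target)
        if gap > 0
    ]


# Constructed sample profiles for a fictional organization.
CURRENT = Profile("current", {"Identify": 3, "Protect": 2, "Detect": 1,
                              "Respond": 2, "Recover": 2})
TARGET = Profile("target", {fn: 3 for fn in CORE_FUNCTIONS})

if __name__ == "__main__":
    print(f"overall tier now: {CURRENT.overall_tier()} "
          f"({TIER_NAMES[CURRENT.overall_tier()]})")
    for fn, cur, tgt, gap in gap_analysis(CURRENT, TARGET):
        print(f"{fn:<9} current={cur} target={tgt} gap={gap}")
    for action in prioritized_actions(CURRENT, TARGET):
        print("-", action)
```

With the constructed profiles, Detect sits two tiers below target and comes out first in the work list; Identify is already at target and is left out. Using the minimum rather than the mean for the overall tier is deliberate: a mean of 2.0 across these five functions would hide the fact that detection is still at tier 1.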

The MITRE ATT&CK framework

The MITRE ATT&CK framework was developed in 2013 to provide organizations with a blueprint for any possible type of cyberattack. It is one of the most multi-dimensional frameworks available for understanding cyberattacks. The ATT&CK framework's foundation is built on publicly accessible research on cyberattack techniques, threat intelligence on attacks, and reports of security incidents. It also lists ways organizations can mitigate these attacks.

The MITRE ATT&CK framework is structurally a matrix that explores tactics, the "why" of a cyberattack, and techniques, the "how" of a cyberattack.

ATT&CK analyzes the tactics, the malicious goals an attacker wants to accomplish, and the techniques, the processes used to achieve those goals. For example, suppose an attacker wants to deliver malicious code to a vulnerable system on a network. One of the attacker's goals may be to bypass any detection mechanisms that have been set up. This goal is referred to as the "defense evasion" tactic in the matrix. To evade detection, the attacker may send a seemingly harmless image that actually carries the malicious code hidden within the bits of the image. This technique, known as steganography, is used to evade cybersecurity defenses. ATT&CK features 14 tactics that cover possible attack goals, along with the multiple techniques attackers might employ to achieve each tactic.
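The tactic-and-technique structure just described is what makes ATT&CK usable as a coverage map for a detection program: each rule a blue team owns can be tagged with the technique it is meant to catch, and the matrix then shows which techniques under each tactic have no detection at all. The Python below is an added illustration, not code from the article or from MITRE. The technique IDs are the public ATT&CK identifiers (for instance T1027.003 is Steganography, a sub-technique of T1027 under Defense Evasion), but the four-tactic subset of the matrix, the rule inventory and the key=value alert lines are all constructed for the example.

```python
"""Map detections and alerts onto ATT&CK tactics and report coverage.

Added illustration. The matrix subset, the rule inventory and the alert
lines are constructed; the technique IDs are the public ATT&CK ones.
"""
from __future__ import annotations
from collections import Counter

# Constructed subset of the matrix: tactic -> {technique id: technique name}.
MATRIX: dict[str, dict[str, str]] = {
    "Initial Access": {"T1566": "Phishing",
                       "T1190": "Exploit Public-Facing Application"},
    "Execution": {"T1059": "Command and Scripting Interpreter"},
    "Defense Evasion": {"T1027": "Obfuscated Files or Information",
                        "T1027.003": "Steganography"},
    "Impact": {"T1486": "Data Encrypted for Impact",
               "T1498": "Network Denial of Service",
               "T1496": "Resource Hijacking"},
}

# Constructed detection inventory: rule name -> technique IDs it should catch.
DETECTION_RULES: dict[str, list[str]] = {
    "image_with_embedded_payload": ["T1027.003"],
    "suspicious_powershell_launch": ["T1059"],
    "mass_file_encryption": ["T1486"],
    "miner_process_or_pool_traffic": ["T1496"],
}

# Constructed alert lines in key=value form, as a SIEM export might look.
SAMPLE_ALERTS = [
    "ts=2021-06-01T10:00:00Z rule=image_with_embedded_payload technique=T1027.003 host=ws-12",
    "ts=2021-06-01T10:02:13Z rule=suspicious_powershell_launch technique=T1059 host=ws-12",
    "ts=2021-06-01T10:05:41Z rule=mass_file_encryption technique=T1486 host=fs-01",
    "ts=2021-06-01T10:07:09Z rule=legacy_rule technique=T9999 host=fs-01",
]


def tactic_for(technique_id: str) -> str | None:
    """Return the tactic that owns a technique, or None if it is unknown.

    A sub-technique such as T1566.001 that is not listed explicitly falls
    back to its parent T1566, so the alert is still placed under a tactic.
    """
    for tactic, techniques in MATRIX.items():
        if technique_id in techniques:
            return tactic
    parent = technique_id.split(".")[0]
    if parent != technique_id:
        return tactic_for(parent)
    return None


def coverage(rules: dict[str, list[str]]) -> dict[str, tuple[int, int]]:
    """Per tactic: (techniques with at least one rule, techniques in the matrix)."""
    covered = {tid for tids in rules.values() for tid in tids}
    return {tactic: (sum(1 for tid in techniques if tid in covered), len(techniques))
            for tactic, techniques in MATRIX.items()}


def uncovered_techniques(rules: dict[str, list[str]]) -> list[str]:
    """Techniques in the matrix that no rule claims to detect, in matrix order."""
    covered = {tid for tids in rules.values() for tid in tids}
    return [f"{tid} {name}"
            for techniques in MATRIX.values()
            for tid, name in techniques.items()
            if tid not in covered]


def parse_alert(line: str) -> dict[str, str]:
    """Split a space-separated key=value alert line into a dict; ignore bare tokens."""
    fields: dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def alerts_by_tactic(lines: list[str]) -> Counter:
    """Count alerts per tactic; alerts whose technique ID is unknown go to 'unmapped'."""
    counts: Counter = Counter()
    for line in lines:
        tactic = tactic_for(parse_alert(line).get("technique", ""))
        counts[tactic or "unmapped"] += 1
    return counts


if __name__ == "__main__":
    for tactic, (have, total) in coverage(DETECTION_RULES).items():
        print(f"{tactic:<16} {have}/{total} techniques covered")
    print("no detection for:", ", ".join(uncovered_techniques(DETECTION_RULES)))
    print("alerts by tactic:", dict(alerts_by_tactic(SAMPLE_ALERTS)))
```

Two outputs matter to a defender here. The coverage table shows that, with this rule inventory, nothing under Initial Access is detected at all, which is a priority call the matrix makes visible. The "unmapped" bucket in the alert counts flags rules that reference a technique ID not in the local copy of the matrix, which is exactly the drift you get when rules are written against one ATT&CK release and the matrix is updated later.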

ATT&CK vs. NIST

After this overview of NIST and ATT&CK, you'll see that the two frameworks act as a kind of remedy against cyberattacks. While they share the goal of empowering organizations to defend themselves, their approaches differ. NIST helps companies achieve required security outcomes by outlining best practices blended with compliance laws. ATT&CK helps companies understand their adversaries better, test their networks for vulnerabilities, and set up countermeasures.

The difference in approach starts with the stakeholders they target. NIST is less technically inclined than ATT&CK, and is built so that management-level executives can easily assess the security posture and maturity of their company. Management-level executives with a basic working knowledge of an enterprise network can deduce the assets that need to be protected and the maturity tier they are at, and determine their current profile. ATT&CK, on the other hand, is targeted at chief information security officers with deep technical knowledge of IT networks. The ATT&CK matrix provides an in-depth look at what tricks an attacker has up their sleeve, and how to detect and mitigate any intrusion attempts on the network.

The technical nature of ATT&CK serves as a good reference for pentesters to determine what signs or activity logs to analyze to detect and mitigate threats. Pentesters will often work with a red team, a group of outside contractors tasked with testing the security of the organization by trying to break into its network. Pentesters also often work with a purple team, a transient group of IT professionals that includes blue members, the defenders, and red members, the attackers.

Another striking difference between these frameworks is that ATT&CK is more dynamic. MITRE's website says that the ATT&CK matrix is updated bi-annually. NIST has multiple revised versions (the latest, version 1.1, dating from April 2018), but not enough to match the speed of an ever-changing cyberthreat landscape. This can make it difficult for security practitioners to update their security functions according to the most relevant cyber risks. ATT&CK's frequent updates are based on new threat intelligence fed into the matrix; in fact, anyone can contribute threat intel to this database. This allows CISOs to quickly understand which threats need top priority and which can be relegated to a lower priority.

For example, the threat landscape of 2017-2019 saw a surge in cryptojacking attacks due to rising cryptocurrency prices. This meant that security analysts needed to focus on the tactics and techniques identified in ATT&CK that are relevant to how an attacker can hijack systems to illegally mine cryptocurrency. In 2021, the threatscape is different, since organizations were thrown a curve ball in the form of the COVID-19 pandemic. Organizations have had to contend with advanced variants of ransomware and DDoS attacks. Logically, security teams would refer to MITRE's updated techniques to implement better defenses against these attacks and reduce the focus on cryptojacking. With NIST's last major overhaul in 2018, and a few additions made in 2020, high-priority risks that spring up suddenly are not dealt with quickly enough, leading companies that rely solely on NIST to miss major threat intel they could leverage to safeguard their networks.

The difference in approach also shows in how the frameworks are used: ATT&CK isn't useful until you actually have red and purple teams simulating tactics and techniques, running tests on your networks to check for vulnerabilities, and ensuring that your security capabilities can fend off attacks. ATT&CK is not a checklist like NIST but a list of all possible ways an attack can be carried out, so the evaluation has to be carried out in practice. NIST, on the other hand, is designed to help organizations understand their security capabilities without the labor of elaborate testing. The NIST framework can be implemented as a checklist so you can figure out your organization's security posture. This is a simpler and quicker way to gauge your security standing, but there is a lot of subjectivity involved in how the security practitioners at your organization assess security.

After all the comparisons presented between NIST and ATT&CK, the question is: which is better? There isn't a clear winner since we feel that we need a cohesive blend of NIST's simple assessment style with the depth and diversity that MITRE's ATT&CK has to offer. However, with an overarching goal of enhanced network security, we'd suggest you start by assessing the risks your organization faces individually using NIST, and practically test how you can combat these risks with the tactics, techniques and procedures identified in ATT&CK. This way, an organization can slowly improve its security maturity levels. Leveraging the best of what both these frameworks offer will help any organization implement risk-relevant proactive and reactive cybersecurity strategies.
