MITRE ATT&CK vs. NIST CSF

Two critical frameworks that can serve as a key component in any cybersecurity program, whether enterprise (IT), operational (OT), or a converged version of the pair (IT/OT) are the National Institute of Standards & Technology (NIST) Cybersecurity Framework (CSF) and the MITRE ATT&CK®.

• NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that help an organization improve its cybersecurity measures. Originally, it was targeted towards IT, but it was later expanded to include an ICS component.
• MITRE ATT&CK® is a publicly available knowledge base that catalogs the tactics, techniques, and procedures adversaries use across multiple platforms. It was first built from real-world intrusions in Windows enterprise environments and has since expanded to include macOS, Linux, cloud, mobile, and Industrial Control Systems (ICS).

This post will highlight the value and discuss how to use these two different frameworks together for a more comprehensive and effective security strategy.

In this way, the tactics represent “why” an attacker may use those techniques, and the techniques represent “how” they do so, which is very different in nature from the core concept of governance.

Governance is composed of structures, systems and practices that encompass decision making, strategic direction guidelines, implementations of policy, and reports on performance for improvement and corrective action. Meanwhile, ATT&CK groups various techniques into piles for cybersecurity professionals and tools to communicate defensive coverage, cyber threat intelligence, detection capabilities and incident/red team results.

Why You Should Use NIST CSF and MITRE ATT&CK Together

Most organizations have a governance structure and process that includes how the organization protects itself from cyber threats or uses technology.

The NIST CSF is made up of five governance areas that comprehensively describe: Protect, identify, detect, respond, and recover. These five areas provide the overarching structure or blueprint for your security program and outline the essential areas you need to address.

This is where MITRE ATT&CK matrices (Enterprise and ICS) come in. The ATT&CK framework puts forward the necessary information or use cases that should be captured. One without the other is not very effective, but when used together, they drive effective cyber security governance for both IT and OT environments.

A Hypothetical Example Using NIST CSF and MITRE ATT&CK

Imagine the following scenario:

A manufacturing organization detects unusual network activity from anti-virus and affected system logs. The source originates from an IT workstation that connects to the OT network for data collection.

Using the above scenario, an analyst would be assigned to investigate the alerts or anomalous conditions, but how would they do so and in what manner?

Protecting your OT environment involves the right frameworks and technology. In this situation, the right approach would be to:

1. Set up sufficient technology and guidance/governance aligned with the five NIST CSF areas, so the security teams have clear processes and tools at their disposal.
2. Ensure resources and staff are adequately trained on core security tools to identify and detect threats, protect systems, isolate, and remediate an attacker, and recover affected systems.
3. Use predefined playbooks that are fine-tuned and supported using ATT&CK tactics, techniques, and procedures.
4. Use the ATT&CK framework to outline, identify, and triage the cyber event as it occurs, but also as part of the post-mortem process.
5. Follow the organization’s guidance from start to finish including communicating the impacts to management.

This is a high-level overview that requires customization for your organization, but it is important to note that you can use the frameworks together in ICS and OT.

Comprehensive OT Security Using NIST CSF, MITRE ATT&CK, and Verve by Rockwell Automation

While NIST CSF and MITRE ATT&CK provide the framework and knowledge, effectively implementing them in complex IT/OT environments often requires the right technology and resources.

When operationalized as part of an organization focused on structured action, Verve® by Rockwell Automation becomes an invaluable OT cyber security solution to help secure critical infrastructure.

About the Verve by Rockwell Automation Security Center

The Verve by Rockwell Automation Security Center goes beyond asset inventory management and vulnerability management to apply a robust OT Systems Management (OTSM) approach.

ATT&CK works best when using a SIEM, which is significant as SIEM functionality for logging and alerts (Signals) is a new feature to the Verve by Rockwell Automation Security Platform. Even more, we support a variety of ATT&CK detection use cases and provide additional resources to enable the use of both frameworks to enhance your organization’s security posture. This includes:

• Identifying risks, and areas where gaps exist in an organization’s NIST CSF wheel coverage.
• Enumerating vulnerabilities and tracking remediation.
• Creating custom policies to help protect endpoints against specific techniques.
• Layering compensating controls to reduce the likelihood of an attacker initial compromise vector.
• Fine-tuning logs, alerts, and SIEM functionality.
• Creating custom detection “signals” that are grouped or use specific ATT&CK TTPs.
• Dissecting timelines into a series of events that contributed to an incident.

Given the unique ability for Verve by Rockwell Automation to install on commodity systems to communicate natively to a wide catalog of devices, patches, and ingest logs from applicable OT systems, you get a powerful cyber security tool to aid security teams.