If there’s any organization that knows about dealing with advanced persistent threats (APTs), it’s NIST.
The US government is constantly targeted by the most sophisticated adversaries, and the attacks are directed at both the government agencies themselves and supporting organizations like service providers and defense contractors. Unfortunately, all too often these attacks have been successful. The silver lining is that, as a result, NIST is very well informed about not just how APTs operate, but why organizations fail to stop them.
NIST has leveraged this knowledge to come up with new recommendations in a document called 800-171B.
This update to an existing standard is focused on “enhanced” controls to protect particularly sensitive data being processed by service providers that support the federal government. However, NIST clearly states that the controls should also be applied by anyone who cares about mitigating APTs:
“Everyone has high value assets, from small businesses to Fortune 500 companies. These enhanced defenses are great tools for anyone to use. We do our jobs primarily for the federal government, but everyone gets to take advantage of NIST’s cybersecurity guidance.”
Ron Ross, 800-171B contributor, NIST
800-171B makes it clear that the initial penetration by the APT is just the start of the battle, and that there are many things that can and should be done to limit or prevent lateral movement and data compromise following the initial breach. 800-171B has a number of great suggestions, but it should be no surprise that here at Acalvio we’re partial to the requirement to implement deception:
“Employ technical and procedural means to confuse and mislead adversaries through a combination of misdirection, tainting, or disinformation.”
NIST 800-171B, Requirement 3.13.3e.
The requirement lists three critical benefits of deception:
- Reveal the presence of the attacker;
- Confuse and mislead the attacker to delay and degrade his efforts;
- Reveal the TTPs (tactics, techniques, and procedures) being used by the attacker.
These align perfectly with the benefits of Acalvio Shadowplex – we couldn’t have said it any better ourselves! The only thing we would add is that deception is more operationally efficient and less risky than alternatives that attempt to provide similar benefits. But I suppose that’s implied in the fact that NIST is mandating deception. They know that third-party organizations supporting the government don’t have endless resources, and so the efficiency of the control set is an important consideration.
NIST 800-171B is open for public comment until August 2019, and will go into effect after the standard NIST review process. But the threat actors aren’t bound by this schedule – they’re on the offensive today. So it’s a good idea to review the document now, and start assessing how your controls stack up and how you can do a better job of lowering the risks from APT-class attacks.