Discussion Draft of the Preliminary Cybersecurity Framework
Illustrative Examples

The Cybersecurity Framework emphasizes processes/capabilities and supports a broad range of technical solutions. While organizations and sectors may develop overall Profiles, these Threat Mitigation Profile examples illustrate how organizations may apply the Framework to mitigate specific threats. The scenarios include cybersecurity intrusion, malware, and insider threat.

Threat Mitigation Examples

A threat is characterized as any circumstance or event with the potential to have an adverse impact on an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service (DoS). Threats continue to evolve in sophistication, moving from exploitation (collection and interception of information) to disruption (denial of service attacks) to destruction, with physical damage to a main operating component, whether that is destruction of information or incorrect commands causing damage to computer-controlled systems. The following examples describe Profiles crafted to address specific known threats.

Example 1: Mitigating Cybersecurity Intrusions

This example Profile is intended to describe key activities that address the cybersecurity risk associated with a Cybersecurity Intrusion event. The Profile was crafted based on the activities performed by adversaries during the life cycle of a cybersecurity intrusion. The cybersecurity intrusion life cycle consists of three general phases: Gain Access, Maintain Access, and Act.

Gain Access: The goal of this phase is to achieve limited access to a device on a target network. Adversaries often gain initial access to networks by exploiting a single vulnerability in a product or by prompting user action. Techniques used include spear phishing, malicious e-mail content, Web browser attacks, exploitation of well-known software flaws, and distribution of malware on removable media.

Maintain Access: During this phase the adversary takes steps to ensure continued access to the targeted network. This is often accomplished by the installation of tools and/or malware that allow the adversary to maintain a presence on the network. Malware components establish command and control capabilities for the adversary and enable additional attacks to be performed, such as capturing keystrokes and credentials. Example actions taken during this phase include the installation of rootkits/backdoor programs and execution of BIOS exploits.

Act: In the final phase the adversary focuses on gaining access privileges that enable them to move, compromise, disrupt, exploit, or destroy data. Using the previously established command and control capabilities and compromised accounts, adversaries take steps to access and control additional data and resources. This includes establishing communications channels to the adversary's servers that facilitate remote access. Privilege escalation and lateral movement enable an enterprise-wide compromise by an adversary. The adversary is able to use the access gained to internal networks, where security protections may not be as robust, to gain access to critical resources.

Profile table (columns: Function, Category, Subcategories, Informative References (IR), Comment)

Comment (continued from the preceding row, whose beginning is not on this page): for an adversary to craft an initial exploit. It is important that critical infrastructure install updated patches; test patches for potential operational impacts; and ensure that the patches do not introduce new vulnerabilities.

Function: Protect
Category: Protective Technology
Subcategories:
- Implement and maintain technology that enforces policies to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on organizational systems (i.e., whitelisting of applications and network traffic)
- Determine, document, and implement physical and logical system audit and log records in accordance with organizational auditing policy
Informative References: CCS CSC 6; COBIT APO11.04
Comment: Application whitelisting ensures that only approved applications may run. This mitigation approach can also prevent the installation of known malicious code. Auditing and logging operate in direct support of the Detect, Respond, and Recover Framework Functions.

Function: Detect
Category: Security Continuous Monitoring
Subcategories:
- Perform network monitoring for cybersecurity events flagged by the detection system or process
- Perform physical monitoring for cybersecurity events flagged by the detection system or process
- Perform personnel monitoring for cybersecurity events flagged by the detection system or process
- Employ malicious code detection mechanisms on network devices and systems to detect and eradicate malicious code
- Detect the use of mobile code and implement corrective actions when unacceptable mobile code is detected
- Perform personnel and system monitoring activities over external service providers
- Perform periodic checks for unauthorized personnel, network connections, devices, and software
- Perform periodic assessments to identify vulnerabilities that could be exploited by adversaries (aka penetration testing)
Informative References: NIST SP 800-53 Rev. 4 CM-1, CA-7, AC-2, SC-5, SI-4; NIST SP 800-53 Rev. 4 CM-1, CA-7, PE-3, PE-6, PE-20; NIST SP 800-53 Rev. 4 CM-1, CA-7; ISO/IEC 27001 A.10.4.2; ISO/IEC 27001 10.2.2; NIST SP 800-53 Rev. 4 CM-1, CA-7, PE-3, PE-6, PE-20; NIST SP 800-53 Rev. 4 CM-1, CA-7
Comment: Monitoring can detect and quarantine email that contains malware prior to delivery. Malware can be identified using signatures that uniquely identify specific malware components. Malware signatures must be frequently updated to ensure that emerging malware threats can be identified and eradicated before users within the organization can launch them. Monitoring also allows the organization to detect unusual or anomalous system behaviors that may indicate that a system has been infected with malware. Automated malware detection solutions can be configured to block connections to servers that are known to host malware or that malware software is known to communicate with.

Function: Respond
Category: Planning
Subcategories:
- Execute the organization's incident response plan
Informative References: CCS CSC 18; NIST SP 800-53 Rev. 4 IR-1, IR-2
Comment: After an attack is recognized, the security team should use the organization's response plan to determine the appropriate, coordinated response to the type of attack.

Function: Respond
Category: Analysis
Subcategories:
- Investigate anomalies, including cybersecurity events (from network, physical, or personnel monitoring) flagged by the detection system or process
- Conduct an impact assessment (damage/scope)
- Perform forensics
- Classify the incident
Informative References: ISO/IEC 27001 A.06.02.01; ISO/IEC 27001 A.06.02.01; ISO/IEC 27001 A.13.02.02, A.13.02.03; ISO/IEC 27001 A.13.0, A.13.02, A.03.06, A.07.4.2.1
Comment: It is important to understand the scope of the incident, the extent of damage, the level of sophistication demonstrated by the adversary, and the stage the attack is in. This knowledge helps to determine whether an attack is localized to one of the organization's machines or whether the adversary has a persistent presence on the network and the scope is enterprise-wide. Organizations should compare attack data against current and predicted attack models to gain meaningful insight into the attack.

Function: Respond
Category: Improvements
Subcategories:
- Incorporate lessons learned into plans
- Update response strategies
Informative References: ISO/IEC 27001 A.13.02.02; NIST SP 800-53 Rev. 4 PM-9
Comment: Document the lessons learned from the intrusion and use them to enhance organizational cybersecurity processes.
