Novel Ideas From NIST for Fighting APTs

Author: David Cross, CISSP, GCIH, GPEN, GWAPT, ISTQB
Date Published: 19 October 2021

2021 brought many surprises, not the least of which was an uptick in the scale and severity of cyberattacks. One might be tempted to call 2021 the year of ransomware, yet ransomware is no longer merely a matter of automated worms. Modern advanced persistent threats (APTs) attack enterprises and even critical infrastructure using sophisticated means and leave ransomware in their wake. APTs will steal or encrypt data, or simply take a copy of it to present to the organization along with a ransom note and a demanded amount of Bitcoin. Most enterprises do not have the means or technical depth to respond to adversaries the size of nation-states. Not only do they lack the tools and resources, but also the guidance to interpret and filter attack scenarios down to protection protocols and actionable security controls. To help organizations strengthen their protections, the US National Institute of Standards and Technology (NIST) has answered the call with SP 800-172, stating in its “How To Use This Publication” section: “The enhanced security requirements are designed to respond to the advanced persistent threat (APT) and supplement the basic and derived security requirements in [SP 800-171].”1

While NIST Special Publication (SP) 800-171 was released in December 2016 and updated in November 2017, it was general in nature and did little to address the enhanced threat of APTs. NIST SP 800-172’s enhanced security requirements build on three concepts: penetration-resistant architecture, damage-limiting operations, and designs to achieve cyberresiliency and survivability, all based on the foundation of NIST SP 800-171.

Key to the protection of data from APTs is a revelatory set of concepts explained in NIST SP 800-172: redirect, preclude, impede, limit and expose. The novelty of this guidance is in the admission that security teams cannot always stop an APT, but they can make things very difficult for nation-state actors, expose them and provide tactics, processes, and attribution to help other enterprises recognize attack methods and speed up their response times.

Section 2.3 of SP 800-172 describes how trust relationships between system components, together with business or agency needs, should be considered when deciding which enhanced requirements to apply to an organization. NIST states: “There is no expectation that all of the enhanced security requirements will be selected by every federal agency.”2 Cybersecurity experts everywhere will appreciate a compliance guidance standard that is optional and could even inspire creativity. NIST goes further, noting that some aspects of its recommendations may be cost prohibitive and, therefore, not possible for everyone, which is a refreshing nod to the reality that business and cyberleaders experience. Reading SP 800-172, one gets a sense that this document was put together by smart people with a pragmatic take on the Herculean task of addressing frustrating APTs.

Interesting key concepts outlined by NIST for fighting APTs are loosely interpreted as:3

  • Curating threat intelligence and going beyond reading reporting from news outlets
  • Threat hunting with tools designed to find suspect activity including artificial intelligence (AI)
  • 24/7 system monitoring and security management, perhaps via third parties
  • Strengthening IT infrastructure and platforms using software-as-a-service to help reduce risk
  • Conducting threat, vulnerability and risk assessments with APTs in mind
  • Implementing response and recovery practices beyond the basics
  • Improving cyberresiliency to better detect deception

While many of the recommendations that follow in SP 800-172 are basic, there are fascinating ideas hiding among them such as:4

  • Employing automation to detect misconfigurations
  • Automating the rotation of credentials and keys, and using a rotation-capable password manager or privileged account management (PAM) product
  • Validating the trust that a system is properly configured before connecting using Network Access Control or a lower-tech option such as exchanging a hash or signature of configuration
  • Considering the establishment of an incident response team or contracting an on-call team from a third party
  • Managing security operations center (SOC) operations to help achieve 24/7 coverage
  • Conducting a physical security assessment and cyberassessments
  • Applying predictive analysis
  • Monitoring supply chain risk with third-party subcomponents and developing supply chain risk fallback plans for protection if one fails
  • Organizing a tabletop exercise that simulates an APT. Some top-tier companies provide this service. Results may vary, but it is a novel idea.
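Two of the items above, automated detection of misconfigurations and validating that a system is properly configured before it is allowed to connect by exchanging a hash or signature of its configuration, can be shown together in a short script. The following is an added example and is not code from SP 800-172 or from the author. It assumes a constructed baseline profile, a shared attestation key (in practice a per-host key issued from a PAM or key-management system), and JSON as the configuration format; those are illustration choices, not anything NIST prescribes.

```python
"""Configuration attestation and drift detection (illustrative, not from SP 800-172).

Host side: canonicalize the running configuration, hash it, and produce an HMAC tag.
Gateway side: verify the tag in constant time, then compare the presented config
against the approved baseline and report exactly which keys drifted."""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Assumed shared secret for the example only; real deployments use a per-host key.
ATTESTATION_KEY = b"example-only-attestation-key"

# Constructed approved baseline for a workstation profile.
BASELINE: Dict[str, object] = {
    "os_patch_level": "2021-10",
    "disk_encryption": True,
    "edr_agent": "running",
    "firewall": "enabled",
    "local_admin_accounts": ["admin"],
}


def canonical_bytes(config: dict) -> bytes:
    # Sorted keys and fixed separators so the same config always hashes identically,
    # regardless of how the host serialized it.
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def config_digest(config: dict) -> str:
    return hashlib.sha256(canonical_bytes(config)).hexdigest()


def attest(config: dict, key: bytes = ATTESTATION_KEY) -> str:
    """Host side: HMAC-SHA256 over the canonical config digest."""
    return hmac.new(key, config_digest(config).encode(), hashlib.sha256).hexdigest()


def verify_attestation(config: dict, tag: str, key: bytes = ATTESTATION_KEY) -> bool:
    """Gateway side: constant-time comparison of the expected and presented tags."""
    return hmac.compare_digest(attest(config, key), tag)


def drift(config: dict, baseline: dict = BASELINE) -> dict:
    """Keys whose value differs from the baseline; a missing key counts as drift."""
    return {k: config.get(k) for k in baseline if config.get(k) != baseline[k]}


def admit(config: dict, tag: str) -> Tuple[bool, str]:
    """Decide whether a host presenting (config, tag) may connect."""
    if not verify_attestation(config, tag):
        return False, "attestation tag invalid (config tampered or wrong key)"
    drifted = drift(config)
    if drifted:
        return False, "configuration drift: " + ", ".join(sorted(drifted))
    return True, "admitted"


if __name__ == "__main__":
    good = dict(BASELINE)
    print(admit(good, attest(good)))          # (True, 'admitted')
    bad = dict(BASELINE, edr_agent="stopped")
    print(admit(bad, attest(bad)))            # valid tag, but EDR agent stopped
    print(admit(bad, attest(good)))           # tag does not match presented config
```

The caveat a practitioner should keep in mind is the one NIST implies by calling this the lower-tech option: an HMAC proves that the configuration the gateway sees is the one the key holder signed, not that the host is telling the truth about itself. A host an APT already controls can sign whatever it likes, so this check belongs in front of Network Access Control or hardware-rooted attestation, not in place of it.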

Section 3.13.3e of SP 800-172 does something out of the norm in cybersecurity by embracing a controversial concept: the widely maligned idea of deception.5 It is commonly assumed that obfuscation is meaningless, and that true security means a system can be fully exposed without being hacked or reversed. That may be an outdated way of thinking, however, given the magnitude of the threats organizations face in 2021. SP 800-172 opens the door to deception operations becoming a legitimate aspect of cybersecurity. That is not to say that one should use obfuscation in place of encryption, but rather that honeypots and sandboxes could be used to slow attackers and to watch or analyze malicious actors, and perhaps even that implanted data could be used to track documents or provide misinformation as a tactic to mislead attackers.
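The implanted-data idea in the previous paragraph is what practitioners usually call honeytokens: accounts, credentials or documents that serve no business purpose, so any use of them is a high-confidence sign of an intruder. The following is an added example, not code from SP 800-172 or from the author, showing how planted tokens are registered and how log lines are scanned for them. The token names, the places they are said to be planted, and the log lines are all constructed for the illustration.

```python
"""Honeytoken registration and detection (illustrative, not from SP 800-172).

Tokens are planted where an intruder would look (old scripts, shares, config
backups). Because no legitimate process uses them, every hit is an alert."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed honeytokens and where each one is said to be planted.
HONEYTOKENS: Dict[str, str] = {
    "svc_backup_legacy": "planted in an old backup script on FILESRV01",
    "Q3_acquisition_targets.xlsx": "decoy document on the finance share",
    "ro-db-reporting": "decoy DB credential in /opt/app/config.bak",
}

# Constructed log lines: syslog-style auth events, a file-access audit record and an app log.
SAMPLE_LOGS = """\
2021-10-18T02:11:07Z auth sshd: Accepted password for jsmith from 10.20.30.40
2021-10-18T02:14:52Z auth sshd: Failed password for svc_backup_legacy from 203.0.113.7
2021-10-18T02:15:03Z audit fileaccess user=jsmith path=/shares/finance/Q3_acquisition_targets.xlsx action=read src=10.20.30.40
2021-10-18T02:16:40Z auth sshd: Accepted password for jdoe from 10.20.30.41
2021-10-18T02:20:11Z app db: login user=ro-db-reporting db=reports result=success client=203.0.113.7
"""

# Timestamp, source, and the rest of the message.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<msg>.*)$")
# Source address as the constructed formats carry it: "from X", "src=X" or "client=X".
IP_RE = re.compile(r"(?:from|src=|client=)\s*(\d{1,3}(?:\.\d{1,3}){3})")


def detect_honeytoken_use(log_text: str, tokens: Dict[str, str] = HONEYTOKENS) -> List[dict]:
    """Return one alert per log line that references a planted token.

    A failed login with a honeytoken account counts as much as a successful one:
    the point is that someone found and tried the bait."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for token, planted in tokens.items():
            if token in msg:
                ip = IP_RE.search(msg)
                alerts.append({
                    "timestamp": m.group("ts"),
                    "token": token,
                    "planted": planted,
                    "actor_ip": ip.group(1) if ip else None,
                    "line": line,
                })
    return alerts


def actors_by_ip(alerts: List[dict]) -> Dict[str, List[str]]:
    """Group hits by source address so one intruder touching several tokens is one case."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["actor_ip"]].append(a["token"])
    return dict(grouped)


if __name__ == "__main__":
    hits = detect_honeytoken_use(SAMPLE_LOGS)
    for h in hits:
        print(f"[HONEYTOKEN] {h['timestamp']} {h['token']} used from {h['actor_ip']} ({h['planted']})")
    print(actors_by_ip(hits))
```

In the constructed sample, one external address trips two tokens (a failed login as the decoy service account, then a successful login with the decoy database credential), which is the attribution-friendly pattern the article describes; the decoy spreadsheet is opened by an internal account, the kind of hit that is worth a conversation even when it turns out to be curiosity rather than compromise.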

The insightful SP 800-172 makes additional groundbreaking recommendations, proposing zero trust concepts, isolating rather than connecting networks, and auto-refreshing infrastructure-as-code releases to force out any digital footholds established by adversaries in virtual machines (VMs) or containers. NIST even broaches the subject of the Internet of Things (IoT), given that many organizations are incorporating smart whiteboards, appliances, and Amazon Alexa-like devices into their offices, and recommends that organizations be mindful of IoT deployments and the danger they pose if not updated.

Overall, SP 800-172 is an interesting read with sound, yet progressive ideas based on the security basics cyber professionals know and love, mixed with some bleeding edge concepts that may inspire new ideas. Applying the concepts in SP 800-172 can help secure enterprise systems regardless of an organization’s size or budget. When security practitioners are putting together battle plans against sophisticated attackers, SP 800-172 will help dial in the APT security strategy.

Endnotes

1 National Institute of Standards and Technology, Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171, USA, February 2021
2 Ibid.
3 Ibid.
4 Ibid.
5 Ibid.

David Cross, CISSP, GCIH, GPEN, GWAPT, ISTQB

Is a hacker and principal security architect for Henry Schein One. He crossed over into the security sector from development, where he created applications including neural network-based cost prediction systems, document recognition and emergency medical management systems. He enjoys speaking at security conferences and serving the community. He is on the boards of UtahSec and the Cybersecurity Collaboration Forum, and has also served as president of the InfraGard. When he is not securing systems, shoring up policy or automating security controls, he is writing voice-automated artificial intelligence (AI)-based hacking software, contributing to hacking tools, speculating about the future or evangelizing for AI use in security.