Frameworks and Regulations
By Robert Salier, Product Manager, Endace
In this, the third article in our series on threat hunting (see here for Part 1 and Part 2), we explore the frameworks and regulations most relevant to threat hunting.
These tend to fall into two categories: those that address cybersecurity at a governance level, and those that facilitate insight into individual attacks and help formulate appropriate defense actions.
Governance Level Frameworks and Regulations
The regulatory environment influences threat hunting, and cyber defense in general. In many countries, regulations impose obligations on disclosure of breaches, including what information must be provided, when, and to which stakeholders. This influences the information that an organization needs to know about a breach, and hence its choice of strategies, policies, processes and tools. These regulations generally require companies to disclose a breach to all customers that have been affected. However if an organization cannot ascertain which customers were affected, or even if any customers were affected, then they may need to contact every customer. The only thing worse than having to disclose a breach is having to disclose a breach without being able to provide the details your customers expect you to know.
There are a also a number of frameworks addressing cybersecurity at the governance level, which in some cases overlap with regulations, dealing with many of the same issues and considerations. Collectively, these frameworks and regulations help to ensure organizations implement good strategies, policies, processes and tools, e.g. …
- Which systems and data is most important to the organization
- What Information security policies should be in place
- How cybersecurity should be operationalized (e.g. what organizational structure, security architecture and systems are most appropriate for the organization)
- Incident management processes
- Best practice guidelines
Prevalent frameworks and regulations include…
- ISO 27000 Series of Information Security Standards
A comprehensive family of standards for information security management, providing a set of best practices for information security management. Maintained by the International Standards Organization, it has been broadly adopted around the globe.
- CIS Critical Security Controls for Effective Cyber Defense
Best practice guidelines for information security, with 20 “Critical Security Controls” that organizations should implement to block or mitigate attacks. Produced by the Centre for Information Security.
- NIST Special Publication 800-53
A catalogue of security and privacy controls for all U.S. federal organizations except those related to national security.
- COBIT (Control Objectives for Information and Related Technologies)
A framework of generic processes for management of information systems, including inputs, outputs, activities, objectives, and performance measures.
- NIST Cybersecurity Framework
A policy framework for private sector organizations to assess and improve their ability to prevent, detect, and respond to cyber attacks. It was developed for the USA, but has been adopted in a number of countries.
- PCI DSS (Payment Card Industry Data Security Standard)
An information security standard for organizations that handle credit cards from the major credit card providers.
- HIPAA (Health Insurance Portability and Accountability Act of 1996)
This USA legislation prescribes national standards for electronic health care transactions within the healthcare and healthcare insurance industries. It stipulates how Personally Identifiable Information must be maintained and protected from fraud and theft.
Frameworks to Characterize Attacks and Facilitate Responses
A number of frameworks have been developed to help describe and characterize attacker activity, and ultimately facilitate defense strategies and tactics.
Prevalent frameworks include…
- Cyber Kill Chain
Developed by Lockheed Martin, this framework was developed from a “kill chain” framework developed for military attack and defense. It decomposes a cyber attack into seven generic stages, providing a framework for characterizing and responding to attacks. Refer to this Dark Reading article for some discussion on the benefits and limitations of this framework.
- Diamond Model
This model describes attacks decomposing an attack into four key aspects, i.e. details of the adversary, their capabilities, the infrastructure they used, and the victim(s). Multiple attack diamonds can be plotted graphically in various ways including timelines and groupings, facilitating deeper insight. - Mitre Att&ck
Developed by Mitre, Att&ck stands for “Adversarial Tactics, Techniques, and Common Knowledge”. It is essentially a living, growing knowledge base capturing intelligence gained from millions of attacks on enterprise networks. It consists of a framework that decomposes a cyber attack into eleven different phases, a list of techniques used in each phase by adversaries, documented real-world use of each technique, and a list of known threat actor groups. Att&ck is becoming increasingly popular, used by and contributed to by many security vendors and consultants. - OODA Loop
Describes a process cycle of “Observe – Orient – Decide – Act”. Originally developed for military combat operations, it is now being applied to commercial operations.