NIST Guidelines: a methodological underpinning for cybersecurity analysts
The National Institute of Standards and Technology (NIST) is a U.S. public organization dedicated to generating knowledge, developing resources, and organizing training programs in many areas, from chemistry to energy and, as could not be otherwise in a fully digitized world, cybersecurity. NIST guidelines and frameworks have thus become global standards for the security of the software and hardware we use every day, and NIST's role as a knowledge generator is of great help to organizations and cybersecurity analysts.
1. What are NIST guidelines?
The NIST guidelines provide a set of best practices across many areas of cybersecurity: from risk management to the cybersecurity governance system, from pentesting to incident management.
The literature produced by NIST in the field of cybersecurity is vast. It is made up of hundreds of documents. All the knowledge accumulated in the collection of best practices has led to the NIST guidelines and frameworks being recognized as a global standard, not only in the United States.
Although these reference publications do not go into extremely specific technical issues as, for example, the OWASP guides do, they are fundamental as methodological support. Moreover, because new publications are produced regularly, the NIST knowledge base is constantly expanding and being updated.
These documents offer a global vision of multiple areas of cybersecurity, proposing methodologies based on best practices. They stipulate, for example, which phases should be carried out when performing a penetration test, and they establish generic recommendations that ensure the procedure is carried out optimally, such as keeping a history of the commands executed so that the process can be traced if an incident occurs during its execution.
Next, we will briefly analyze three NIST guidelines that illustrate their importance as a global standard: NIST 800-115, NIST 800-94, and NIST 800-61.
2. NIST 800-115: Technical Guide for Information Security Testing and Assessment
The first of the NIST guidelines offers a methodological basis for designing and implementing advanced pentesting or penetration testing services. Although it does not go into technical aspects and remains at a more general level, this guide is a must, since it establishes the phases of these methodologies and reviews in breadth the characteristics of the different techniques that can be used to evaluate information security. It thus functions as a guide to the process, on which specific methodologies can be developed and planned to fit the systems to be studied and the established objectives.
The document analyzes the various techniques to be performed, as well as the phases of a security assessment.
2.1. Review techniques
These techniques are passive and consist of a systematized review of systems, applications, networks, and procedures to detect security vulnerabilities. They are also essential for gathering information for the development of proactive techniques such as advanced penetration testing. By their very nature, they pose minimal risk to the systems and networks being analyzed. Among the various review techniques, the NIST guide highlights:
- Documentation review. Its objective is to evaluate the technical details of policies and procedures by analyzing the available documentation.
- Log review. It evaluates whether the implemented security controls record information adequately and in sufficient detail, according to the established policies.
- Rule set review. This technique analyzes deficiencies in security controls, mainly the access control rules of network devices and the signatures of IDS/IPS systems.
- Review of system configuration. The correct configuration of security measures in systems (hardening) is evaluated following established policies.
- Network scanning. It monitors network traffic on the local segment to obtain information, and also serves to verify that communications are encrypted.
- File integrity check. It is used to detect tampering with important files and to identify unwanted files, which may be attacker tools. This capability is offered by HIDS (Host-Based Intrusion Detection System) solutions.
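The file integrity check described above works by recording a trusted baseline of file digests and comparing later snapshots against it. The following is an added example written for this article, not code from the page or from NIST; it builds a small constructed directory tree, takes a SHA-256 baseline, simulates a configuration edit, a dropped file and a deleted file, and reports the three kinds of change a HIDS would alert on. The `etc/` paths and file contents are constructed for the demo.

```python
"""Added example: a minimal file-integrity check of the kind HIDS tools
provide (not code from the page or from NIST). It hashes every file under a
directory into a baseline, then compares a later snapshot against it and
reports modified, added and removed files. Paths and contents are
constructed for the demo."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict[str, str]:
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a link is not content; its target is hashed on its own path
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return the sorted lists of modified, added and removed paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Simulated changes: a config edit, an unexpected new file, a deleted file.
        with open(os.path.join(root, "etc", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "etc", "unexpected.bin"), "wb") as fh:
            fh.write(b"\x00\x01\x02")
        os.remove(os.path.join(root, "etc", "hosts"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline itself must be stored where the monitored host cannot rewrite it (or be signed), otherwise an attacker who alters a file can simply re-baseline it.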
2.2. Target identification and analysis techniques
Using these techniques, cybersecurity analysts identify active devices and their associated ports and services, and analyze them for vulnerabilities. The information gathered is used to plan and implement techniques that validate the target's vulnerabilities, such as pentesting services or advanced penetration testing. The NIST guide highlights four target identification and analysis techniques:
- Network discovery. Used to identify devices on the network, determine communication patterns between devices, and provide insight into the network architecture.
- Identification of network ports, services, and service details.
- Vulnerability scanning. It includes different techniques for the analysis of vulnerabilities in systems and services through the use of both automated and manual tools.
- Wireless scanning. This technique identifies unauthorized wireless devices, detects wireless signals outside the organization's perimeter, and uncovers possible backdoors that could be exploited by malicious actors.
2.3. Target Vulnerability Validation Techniques
The NIST guide states that these techniques use the information generated during target identification and analysis to explore in depth the existence of vulnerabilities. They make it possible to demonstrate that a vulnerability exists and what happens when it is exploited. Hence, these techniques have a greater potential impact on the system or network being worked on than the previous ones. Within this group, NIST includes password cracking, social engineering techniques such as phishing, and penetration testing.
2.3.1. Penetration testing
While the first two are dealt with succinctly in the guide, penetration testing is detailed in greater depth at the methodological level. On the one hand, it establishes the phases for developing and executing this type of test:
- Planning. The action protocols are established, the objectives are set, and the pertinent technical conditions are created for the test to be successful.
- Discovery. In this phase, the techniques discussed above are of great help, since it consists of gathering all the information about the target system or network in order to discover vulnerabilities from the data collected.
- Execution. This is the key phase of the process, within which the following attack actions are carried out:
  - Gaining access. It includes the exploitation of vulnerabilities to gain access to systems.
  - Escalating privileges. Both the access privileges obtained on compromised systems and the avenues to gain privileged access as an administrator are analyzed.
  - Lateral movement. Another discovery process is initiated to identify mechanisms and exploit vulnerabilities to gain access to additional systems in the infrastructure.
  - Installation of additional tools. Includes post-exploitation tasks such as tools to obtain information or maintain persistence.
- Communication and reporting. This phase is transversal and occurs in parallel with the others, since it is essential to document the entire process and to report on the progress of the tests during execution. At the end of the process, a report is generated describing the vulnerabilities identified, the exploitation procedure, the associated risk level, and the proposed mitigation and/or remediation measures.
The following are the most common vulnerabilities exploited as part of a penetration test, according to NIST publication 800-115:
- Misconfigurations.
- Kernel flaws.
- Buffer overflow.
- Insufficient input validation.
- Symbolic links.
- File descriptor attacks.
- Race conditions.
- Incorrect file and directory permissions.
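Three items on that list (symbolic links, race conditions, and incorrect file permissions) very often appear together in one piece of code: a program that checks a path and then opens it in a directory other users can write to. The following added example, written for this article and not taken from the page or from NIST, shows the weak pattern beside its hardened form in Python. The vulnerable writer does an `exists()` check followed by `open()`, which both follows symbolic links and leaves a window between check and use; the hardened writer creates the file atomically with `O_CREAT | O_EXCL | O_NOFOLLOW` and an owner-only mode. The directory, file names and "report" contents are constructed for the demo, and the behaviour shown assumes a POSIX filesystem.

```python
"""Added example (not from the page or NIST): a check-then-open file write
beside a hardened version, illustrating the symbolic-link, race-condition
and permission weaknesses NIST 800-115 lists. Names are constructed."""
import os
import stat
import tempfile


def write_report_vulnerable(path: str, data: bytes) -> None:
    """Check-then-act: the exists() result is stale by the time open() runs,
    and open() follows symlinks, so a link planted at `path` redirects the
    write. The file mode is whatever the umask happens to allow."""
    if not os.path.exists(path):
        with open(path, "wb") as fh:
            fh.write(data)


def write_report_hardened(path: str, data: bytes) -> None:
    """Create the file in one step. O_EXCL fails if anything already exists
    at `path` (a symlink included), O_NOFOLLOW refuses to traverse a link,
    and mode 0o600 keeps the report owner-only regardless of the umask."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("refusing to write: not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict[str, object]:
    """Plant a dangling symlink in a shared directory and try both writers."""
    with tempfile.TemporaryDirectory() as shared:
        link = os.path.join(shared, "report.txt")
        victim = os.path.join(shared, "victim.txt")
        os.symlink(victim, link)  # constructed: link whose target does not exist yet

        # exists(link) follows the link, sees nothing, and the write lands on victim.txt
        write_report_vulnerable(link, b"findings")
        wrote_through_link = os.path.isfile(victim)

        # the hardened writer refuses the same path outright
        try:
            write_report_hardened(link, b"findings")
            hardened_refused = False
        except FileExistsError:
            hardened_refused = True

        # on a clean path it succeeds with an owner-only mode
        clean = os.path.join(shared, "report2.txt")
        write_report_hardened(clean, b"findings")
        hardened_mode = stat.S_IMODE(os.stat(clean).st_mode)

        return {
            "wrote_through_link": wrote_through_link,
            "hardened_refused": hardened_refused,
            "hardened_mode": hardened_mode,
        }


if __name__ == "__main__":
    print(demo())
```

The fix is not the extra `fstat` check on its own but the atomic create: any design that separates "is it safe?" from "use it" leaves a race, whatever the check is.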
2.4. Security Assessment
The NIST guide devotes two sections to information security assessments. The first focuses on planning and the second on execution. This complex activity must take into account the characteristics of the organization, the number of systems and their specifications, and the techniques to be used to perform the cybersecurity analysis. From a planning point of view, the document establishes as a priority:
- Develop a security assessment policy.
- Prioritize and schedule the assessments to be performed.
- Select and customize testing techniques, adjusting them to the characteristics of the organization and the objectives set.
- Determine the logistical aspects of the assessment.
- Develop the evaluation plan.
- Take into account the legal aspects.
The execution of the security assessment is based on four phases, as defined in the NIST guidelines:
- Coordination
- Evaluation
- Analysis
- Data management: collection, storage, transmission, and destruction.
3. NIST 800-94: Guidance for Intrusion Prevention and Detection in Systems
The second of the NIST guidelines focuses on intrusion detection and prevention systems (IDS/IPS), software that automates the intrusion detection process.
3.1. The four main IDS/IPS types
Throughout the guide, NIST sets forth a series of recommendations for designing, implementing, configuring, securing, monitoring, and maintaining four types of IDS/IPS systems:
- Network-based (NIDS/NIPS). Monitors network traffic for specific segments or devices and analyzes network activity and application protocols, to identify suspicious activity.
- Wireless analysis (WIDS/WIPS). This type of system monitors and analyzes wireless network traffic to detect suspicious activity involving wireless network protocols.
- Network Behavioral Analysis (NBA). Examines network traffic to detect threats that generate unusual traffic flows, such as forms of malware and policy violations.
- Host-based (HIDS/HIPS). This system monitors the characteristics of a single host, as well as events occurring on that host, to identify suspicious activity.
The guide provides an introduction to the basics of intrusion detection and prevention. It also provides an overview of the typical components of these technologies, general intrusion detection methodologies, and recommendations for implementation and operation.
Subsequently, it focuses on a detailed analysis of each of the IDS/IPS technologies mentioned above. A general description of each system is given, followed by an analysis of its:
- Components and architecture.
- Security capabilities.
- Management.
In this way, organizations are offered methodological support when designing and implementing secure IDS/IPS technologies that help to detect possible intrusions.
3.2. Integration of IDS/IPS technologies
These four main types of IDS/IPS differ from each other in terms of the type of intrusions they can detect, the level of detection accuracy, and the ability to perform in-depth analysis without affecting the performance of the systems they protect. For this reason, NIST recommends that organizations use several types of IDS/IPS technologies at the same time, thus achieving a more complete detection and prevention of malicious attacks.
To this end, it compares the four main IDS/IPS systems and establishes a series of recommendations for combining them.
The guide warns that in most environments a combination of network-based and host-based IDS/IPS is needed. Wireless analysis systems can also be critical if the organization considers that its wireless networks need to be monitored, while NBA technology is extremely useful if additional security capabilities against, for example, malware attacks are desired.
Integration between various types of IDS/IPS technologies can be direct or indirect. The former makes it easier for systems to share data and, thus, can speed up the information analysis process and help the organization prioritize the threats it needs to address. This is common when the organization uses IDS/IPS systems from a single vendor.
The second is achieved with security information and event management (SIEM) software, which correlates the events recorded by the different technologies and helps users verify IDS/IPS alerts.
Beyond the four main IDS/IPS technologies, other systems complement them, such as network forensics tools, anti-malware technologies, or firewalls.
Although the NIST publications do not yet cover EDR/xEDR systems, these will end up being considered as additional defense systems.
4. NIST 800-61: Cybersecurity Incident Management Guidance
Incident management is a critical issue in cybersecurity. It is not enough to perform penetration tests to detect problems preemptively or to have automated intrusion detection and prevention systems in place; in the event of an incident, the organization must also have the necessary tools to manage it successfully.
To this end, NIST provides cybersecurity incident response teams, system administrators, security teams, CISOs, CIOs, and other related professionals with this guide, structured around three central themes: response plans, incident management, and coordination.
4.1. Response plans
In this regard, the NIST guidelines address what incident response policies and plans should look like, as well as the structure, personnel, and services of organizations' response teams. Their recommendations in this area are:
- Establish a formal incident response plan in order to be able to respond quickly and effectively when cyber defenses are breached.
- Design an incident response policy that defines what events are considered incidents and what are the roles and responsibilities of each team and individual.
- Develop a response plan that has a clear roadmap for successful implementation. It should include objectives and metrics to be evaluated.
- Develop incident response procedures, with detailed steps covering every phase of the process.
- Document the incident response policies and plans, and the response team's structure, personnel, and services.
- Stipulate procedures for exchanging incident-related information, from the media to the authorities.
- When establishing the response team model, all the advantages and disadvantages must be taken into account, as well as the organization’s resources and needs.
- It is essential to select the professionals of these teams by assessing their skills, technical knowledge, communication, and critical thinking abilities. Training them is also essential.
- Identify other groups within the organization that should be involved in incident management. For example, a legal support team or management staff.
- Determine the catalog of services the team should provide beyond incident response, such as monitoring the intrusion detection systems discussed in the previous chapter, or training all personnel in cybersecurity.
4.2. Incident management
The NIST guide sets out the four major phases of incident management: preparedness; detection and analysis; containment, eradication, and recovery; and post-incident activity. All of these are strongly interrelated, and the progression is not merely linear but rather circular, since post-incident analysis is key to strengthening preparedness. The basic steps for managing incidents and optimizing their detection are essential along this path.
With regard to the recommendations made by the institute, we can highlight the following:
- Have useful tools and software for incident management.
- Evaluate risks recurrently in order to prevent them.
- Identify signs of incidents through the use of various security systems.
- Establish mechanisms for external actors to report incidents to the organization.
- Impose a baseline level of auditing on all systems, reinforcing it on critical systems.
- Profile networks and systems to facilitate the detection of changes in patterns and of incidents.
- Know the normal behavior of networks, systems, and apps, in order to easily detect any abnormal behavior.
- Create a policy for logging incident information. Start logging all data as soon as an incident is suspected, and safeguard the logs, since they include sensitive information about vulnerabilities, security flaws, and users.
- Correlate events from various sources to obtain as much information as possible. In this regard, it is important to keep the hosts' clocks synchronized.
- Employ a reliable and consistent knowledge base of information.
- Establish a mechanism for prioritizing incident management, based on key factors such as the impact on the organization's operation or the likelihood of recovery.
- Establish incident containment strategies quickly and effectively.
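Two of the recommendations above, the SIEM-based "indirect integration" of IDS/IPS technologies described in the previous chapter and the advice here to correlate events from several sources while keeping host clocks synchronized, describe the same mechanism. The following added example, written for this article and not code from the page, from NIST or from any SIEM product, correlates constructed NIDS alerts with constructed host authentication log lines. The two sources use different timestamp formats and time zones, so each line is normalized to UTC first; one host is also given a known 10-minute clock drift, and the example shows that without correcting for it the matching host events fall outside the correlation window and the alert would go unverified. Host names, addresses, signatures and log messages are all constructed.

```python
"""Added example (not the page's or any SIEM's code): correlating NIDS alerts
with host log events from a second source, with timestamps normalized to
UTC and a per-host clock-drift correction. All log lines are constructed."""
from datetime import datetime, timedelta, timezone
import re

# Constructed NIDS alerts: UTC, ISO 8601, one alert per destination host.
NIDS_ALERTS = [
    "2024-03-01T10:00:05Z alert dst=10.0.0.5 sig=SSH brute-force",
    "2024-03-01T10:30:00Z alert dst=10.0.0.9 sig=SSH brute-force",
]

# Constructed host auth logs: syslog-style local time with a UTC offset.
# web01's clock is assumed to run 10 minutes slow (see CLOCK_OFFSET).
HOST_EVENTS = [
    "2024-03-01 11:00:07 +0100 host=db01 ip=10.0.0.5 sshd: Failed password for admin",
    "2024-03-01 11:00:09 +0100 host=db01 ip=10.0.0.5 sshd: Accepted password for admin",
    "2024-03-01 11:20:02 +0100 host=web01 ip=10.0.0.9 sshd: Failed password for root",
]

# Known drift per host: the amount to ADD to its timestamps to get true time.
CLOCK_OFFSET = {"web01": timedelta(minutes=10)}

ALERT_RE = re.compile(r"^(\S+) alert dst=(\S+) sig=(.+)$")
EVENT_RE = re.compile(r"^(\S+ \S+) ([+-]\d{4}) host=(\S+) ip=(\S+) (.+)$")


def parse_alert(line: str) -> dict:
    """Parse one NIDS alert line into a UTC-aware record."""
    ts, dst, sig = ALERT_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "dst": dst, "sig": sig}


def parse_event(line: str, offsets: dict = CLOCK_OFFSET) -> dict:
    """Parse one host log line, convert to UTC, and apply the host's drift correction."""
    ts, off, host, ip, msg = EVENT_RE.match(line).groups()
    local = datetime.strptime(f"{ts} {off}", "%Y-%m-%d %H:%M:%S %z")
    utc = local.astimezone(timezone.utc) + offsets.get(host, timedelta(0))
    return {"ts": utc, "host": host, "ip": ip, "msg": msg}


def correlate(alert_lines, event_lines, window=timedelta(seconds=60), offsets=CLOCK_OFFSET):
    """For each alert, collect host events on the targeted address within the
    time window, and flag the alert as confirmed if a login was accepted."""
    alerts = [parse_alert(line) for line in alert_lines]
    events = [parse_event(line, offsets) for line in event_lines]
    result = {}
    for a in alerts:
        hits = [e["msg"] for e in events
                if e["ip"] == a["dst"] and abs(e["ts"] - a["ts"]) <= window]
        result[a["dst"]] = {
            "sig": a["sig"],
            "events": hits,
            "confirmed_access": any("Accepted" in m for m in hits),
        }
    return result


if __name__ == "__main__":
    print("with drift correction:", correlate(NIDS_ALERTS, HOST_EVENTS))
    print("without:", correlate(NIDS_ALERTS, HOST_EVENTS, offsets={}))
```

The `confirmed_access` flag is a small instance of the prioritization recommendation: an alert that the host log shows ended in a successful login should be handled before one that shows only failures. The drift table is a stand-in for what NTP should make unnecessary; in practice, a host that has to appear in such a table is itself a finding.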
4.3. Coordination and information sharing
The NIST guidance focuses on how the different teams within an organization coordinate to provide a unified response to an incident, and on the techniques used to share incident data. Among its recommendations we can highlight:
- Pre-plan incident coordination with external actors, such as other incident response teams, authorities, or service providers. In this way, each actor will know its role and communication will be much more efficient.
- Have the permanent advice of the legal team, to ensure that all coordination actions comply with the regulatory framework.
- Exchange information on incidents throughout their life cycle, from preparation to post-incident activity.
- Automate the exchange of information, as far as possible, in order to make it more efficient and less resource-intensive.
- Accurately analyze the advantages and disadvantages of sharing sensitive information with other actors.
- Share as much information as possible with other organizations, always taking into account the interests of the organization and security reasons.
5. NIST guidelines, methodological and regulatory assurance
As we have pointed out throughout this chapter, the NIST guidelines are generalist documents that provide a methodological basis on which to design, plan, and implement various strategies or actions in the field of cybersecurity. Unlike other guides, their content is generic and therefore cannot be applied directly to a specific system or application. Rather, their recommendations, phases, and conceptualizations provide professionals with a standardized procedure to adhere to.
In this sense, using the NIST guidelines serves as a guarantee for the actions executed, becoming a methodological requirement.
In addition, as far as regulations are concerned, many of them establish a requirement that practices such as pentesting services be endorsed by a specific methodology such as the one offered by the NIST guidelines.
Compliance with the various NIST methodologies by cybersecurity service providers improves coverage and facilitates regulatory compliance for organizations and institutions that contract cybersecurity services.
In this way, the vast amount of documentation generated by NIST serves to establish a standard methodological basis that is recognized and used worldwide: a true guide to the prevention, detection, and remediation of vulnerabilities.