The National Institute of Standards and Technology has released the first public draft of a set of guidelines to help organizations address Advanced Persistent Threats.
NIST Special Publication 800-160 Volume 2 Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems provides guidelines to help organizations address Advanced Persistent Threats (APT) to IT infrastructure of targeted organizations, orchestrated for purposes of exfiltrating information, undermining, or impeding critical aspects of a mission, program, or organization.
The guidelines include four major cyber resilience goals, which are to anticipate, withstand, recover from and adapt to threats. They also outline a list of cyber resilience objectives, described as “specific statements of what a system must achieve in its operational environment and throughout its lifecycle to meet stakeholder needs for mission assurance and resilient security.”
It includes basic methods for achieving each objective, such as applying basic cyber hygiene and risk-tailored controls to preclude the successful execution of an attack, or understanding the effectiveness of cybersecurity and controls supporting cyber resiliency to maintain cyber resources.
The guidelines also detail analytic practices, including coverage analysis with respect to a taxonomy of attack events or TTPs, attack tree or attack graph analysis, attack surface analysis, and Red Team analysis.
“The ultimate objective is to obtain trustworthy secure systems that are fully capable of supporting critical missions and business operations while protecting stakeholder assets, and to do so with a level of assurance that is consistent with the risk tolerance of those stakeholders,” said NIST.
The new guidelines are intended to be used in conjunction with NIST Special Publication 800-160 Volume 1, Systems Security Engineering – Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.
NIST is seeking industry feedback from March 21 through May 18 to help shape the final publication to ensure that it meets the needs and expectations of its customers. Comments can be submitted to firstname.lastname@example.org