NIST: Agencies must prepare to get hacked
The National Institute of Standards and Technology’s new draft “Guide for Cybersecurity Event Recovery” reflects the stark acknowledgement that some cyber attacks can’t stopped and, as a result, agencies must ramp up their response plans and build a “playbook” for recovering from them afterwards.
“Organizations used to focus their information security efforts on cybersecurity event defense, but adversaries have modified their attack techniques to make protection much more difficult, including taking advantage of weaknesses in processes and people instead of just exploiting weaknesses in technology,” the document, designated Special Publication 800-184, states.
Because of this, the number of major cyber events continues to increase sharply every year, according to the guide.
The draft guide is “a recognition that if an organization goes through a cybersecurity event or compromise, they need to have some sort of plan in place where they can recover from it,” said Michael Bartock, co-author of SP 800-184 and an information technology specialist in the IT laboratory of NIST’s Computer Security Division. “It’s not de-emphasizing protection from cyber events, but an organization should also have some sort of plan in place in case they are compromised.”
Guy Barnhart-Magen, chief technology officer at cyber-security firm Nation-E, told FedScoop that “the security domain has been focused on detection and response in recent years and most high-tech industries already follow suit. However, much of the industrial domain is still lagging behind. I think that the emphasis [in the NIST guide] is that not all businesses or government agencies are deploying best practices.”
“The use of these best practices, formalized by NIST in a document, can help improve the state of security in [industry and government] and have them come closer to what is expected to defend from high-tech attackers,” he added.
The 33-page draft guide assembles for the first time in a single document policies, standards and guidelines on cyber-event handling that are scattered across the government landscape and irons out significant inconsistencies as well, Bartock said.
“A lot of this information exists in multiple spots, so one challenge was gathering all the information and trying to make sense out of it to provide this guidance,” he said.
NIST officials stressed that recovery is one part of the enterprise risk-management process lifecycle or framework — whose elements are defined as identify, protect, detect, respond and recover — and that the recovery function has a significant effect in shaping the other functions by “informing them with realistic data.”
“Lessons learned going through recovery can inform the other functions of the framework,” Bartock said. “There are processes that happen that can be mapped to the cybersecurity framework…but then there’s the challenge of drawing the line from where incident response ends and when do you start recovery and also of making the connection on where all the different pieces of the framework inform each other and how they all relate. [As a result] the recovery team has to work in close concert with the incident-response team so that they’re not stepping on each other’s toes and can have some sort of well-defined plan and not alert attackers that they’ve been discovered.”
The guide is not intended to be a universal “playbook” for responding to active cyber events, but rather a guide to help agencies develop a recovery plan in the form of their own customized playbooks, Bartock said.
“Each organization is going to have some sort of business continuity plan or disaster-recovery plan but specific for each organization, so depending on what type of cyber event they’re experiencing they’re going to have to tailor their recovery plan to what’s already been defined in the business continuity or disaster recovery plan,” he said. “It can also depend on what the organization’s mission is. If their mission is based on services, then they’re going to need to make sure that they get their service-oriented applications up and running quickly so they can meet their business objectives.”
The document addresses topics such as planning for event recovery, collecting recovery metrics that will help inform continuous improvement and building a playbook. It also provides a detailed example of an event-recovery scenario.
The draft guide is open to public comment through July 11. “We would love to get as much feedback as possible to make this document as good as it can be,” Bartock said.
