Cyber Teams
Howard Poston, Jun 13, 2024
The NIST CSF is a cybersecurity standard that has been successful beyond all expectations. Originally published in 2014 to guide U.S. critical infrastructure cybersecurity programs, it has since been adopted by companies across all industry verticals.
In February 2024, NIST published an updated major version of the standard for the first time in a decade (the previous update, version 1.1, occurred in 2018).
The NIST CSF 2.0 has a new name, an enhanced focus on cybersecurity governance, and guidance on addressing modern cybersecurity threats.
The update to NIST CSF 2.0 addresses new and emerging threats and seeks to formalize processes for incident and risk management.
Many changes involve reshuffling existing guidance to create the new Govern core focus. Some organize existing recommendations more logically. Additionally, new sub-requirements are created, including:
GV.OV: Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
PR.PS: The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability.
PR.IR: Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience.
The table below shows the new sub-requirements introduced in version 2.0 of the standard.
| Sub-requirement | Description |
| --- | --- |
| GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving |
| GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction |
| GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks |
| GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed |
| ID.AM-07 | Inventories of data and corresponding metadata for designated data types are maintained |
| ID.IM-01 | Improvements are identified from evaluations |
| PR.AA-04 | Identity assertions are protected, conveyed, and verified |
| PR.PS-05 | Installation and execution of unauthorized software are prevented |
| RS.MA-05 | The criteria for initiating incident recovery are applied |
| RS.AN-07 | Incident data and metadata are collected, and their integrity and provenance are preserved |
| RS.AN-08 | An incident's magnitude is estimated and validated |
| RC.RP-03 | The integrity of backups and other restoration assets is verified before using them for restoration |
| RC.RP-04 | Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms |
| RC.RP-05 | The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed |
| RC.RP-06 | The end of incident recovery is declared based on criteria, and incident-related documentation is completed |
The enhancements to the NIST CSF span several topics, including governance, data security, and access management. However, many of the changes focus on incident response and recovery.
The NIST CSF has included Respond and Recover functions since the beginning. The latest updates to the framework include various steps to formalize the process.
As shown in the infographic above, the Respond function (RS) now includes requirements for applying criteria for starting incident response, collecting and preserving data about the incident, and estimating the scope of the incident.
New Recovery requirements include verifying that backups are clean and that systems are restored to a normal, secure state.
💡 HTB Academy’s SOC Analyst job role path, alongside blue team labs, provides training on the key skills needed to perform incident detection and digital forensics. This includes both new and existing requirements in the NIST CSF’s Respond (RS) function.
Alongside new requirements and sub-requirements, the new version of the NIST CSF includes sections highlighting risk management programs focused on specific threats, such as AI, supply chain attacks, and data privacy risks.
These sections point to related NIST standards that organizations can use to address:
Risk assessment and management require the ability to identify potential vulnerabilities and gauge the risk they pose to the organization. NIST recommends its Risk Management Framework (RMF) for implementing a corporate risk management program.
💡 Risk assessment is also a key skill for any HTB Machine. Learners need to identify the vulnerabilities and configuration errors most likely to allow them to achieve their goals.
Data privacy and data security are related areas that overlap where cyberattacks pose a risk to an individual’s privacy, such as the potential for financial losses or physical harm.
The NIST Privacy Framework complements the NIST CSF by providing a privacy-focused approach to data management.
Many of the skills taught and tested by HTB relate directly to the potential for data theft. For example, check out resources on SQL injection, cross-site scripting, and password security using the Academy x HTB Labs mapping tool.
Supply chain attacks exploit vulnerable partner organizations or insecure or malicious dependencies used within an application.
The most famous example of a supply chain attack is likely the SolarWinds breach. Attackers with access to SolarWinds’ development environment injected malicious code into an update to their Orion product, which was then pushed out to customers.
In addition to a sub-requirement focused on supply chain risks, NIST has published NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
💡 HTB has numerous courses, Labs, and Machines focused on supply chain security. For example, the ICS & SCADA security path on Dedicated Labs equips teams with a strong hands-on foundation in the intricate interplay of software, hardware, and network layers, including components such as SCADA systems.
Supply chain attacks course
Build your org’s ability to defend and detect supply chain attacks with this module.
Provides a guided overview of supply chain attacks that cover hardware and software vulnerabilities.
Explore the impact of supply chains, the lifecycle of attacks, specific vulnerabilities, and real-world mitigation strategies.
Artificial intelligence is a top-of-mind security concern for many, and many jurisdictions are rolling out new regulations, like the EU’s AI Act. NIST has developed an AI RMF to help organizations manage AI risks to their business.
Today, many companies are unaware of how they’re currently using AI and how to manage the associated risks.
Recommended read: How to develop an effective AI risk management strategy.
Learn to defend and exploit AI threats with Dedicated Labs
Our Dedicated Labs track provides insights into common attacks on artificial intelligence (AI) and machine learning (ML) systems, emphasizing underlying principles and demonstrating how insecure implementations may compromise sensitive information or enable unauthorized access.
Identify and exploit insecure ML implementations.
Exploit classic vulnerabilities through AI systems.
Bypass Face Verification Systems.
Basic Prompt Injection techniques.
Write Machine Learning programs in Python.
Privacy attacks on Machine Learning models (white-box and black-box).
Train classification models for Membership Inference attacks.
The NIST CSF is an optional security standard for most organizations. However, it is also a well-regarded and comprehensive standard that includes crosswalks and mappings to other security standards. Some of the existing crosswalks map to NICE, the CSA Critical Controls, and other major standards.
Regulations are constantly being created and updated to address the latest privacy and security risks (AI, IoT, etc.).
The NIST CSF provides a framework for building an effective and sustainable cybersecurity program, and HTB teaches the skills that employees need to achieve compliance and manage the latest security threats.