Abstract
Today, cyberattacks continue to evolve and are highly complex. They are also very expensive, as the average cost of a breach shows. The top ten most common cyberattack intrusion incidents for industrial, public, and private organizations are phishing attacks, negligent and malicious insiders, advanced persistent threats, zero day attacks, denial of service attacks, software vulnerabilities, social engineering attacks, and brute force attacks. Cybersecurity has therefore become an essential issue, one that generally focuses on measures to protect valuable data, information, and business assets from malicious threat events that affect the confidentiality, integrity, and availability of information. In this regard, it is vitally important that computer systems, networks and network-connected devices, infrastructure resources, and others stay up to date with current operating system software, patches, and releases. Organizations therefore need to institute policies and procedures that enforce the way their users access information and interact with network or system resources. Here the NIST Cybersecurity Framework and the MITRE Cybersecurity Criteria come into play. The NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that support organizations in improving their cybersecurity measures. It focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization's risk management. In this regard, the framework provides a common organizing structure for multiple cybersecurity approaches by assembling standards, guidelines, and practices that are working effectively today. The MITRE Cybersecurity Criteria, worked out in conjunction with industry and government authorities, enable a collective response against cybersecurity threat events.
They describe the common tactics, techniques, and procedures of advanced persistent threats against organizations’ computer systems and networks, and were later expanded to industrial control systems. In this regard, the MITRE Cybersecurity Criteria are fully committed to defending and securing cyber-ecosystems. NIST’s and MITRE’s goal is to develop cyber resiliency approaches and controls to mitigate malicious cyberattacks. Cyber resiliency enables anticipating, withstanding, recovering from, and adapting to adverse conditions, stresses, cyberattacks, or compromises on computer systems, networks, infrastructure resources, and others. Against this background, this chapter introduces in Sect. 5.1 the NIST Cybersecurity Framework (NIST CSF) with its manifold possible uses and its great impact on improving the cybersecurity of industrial, public, and private organizations. To this end, Sect. 5.1 introduces the process of cybersecurity risk management and, since NIST CSF is one of the most relevant cybersecurity frameworks, the NIST Cybersecurity Framework itself. Section 5.1.1 introduces CIS Critical Security Controls, Sect. 5.1.2 the ISA/IEC 62443 Cybersecurity Standard, Sect. 5.1.3 MITRE Adversarial Tactics, Techniques, and Common Knowledge, Sect. 5.1.4 NIST 800-653, and Sect. 5.1.5 the NIST Cybersecurity Framework. Section 5.2 focuses on the NIST Cybersecurity Framework for Critical Infrastructure, and Sect. 5.2.1 on a NIST CSF Critical Infrastructure best practice use case that makes use of a model approach to cybersecurity maturity. Against this background, Sect. 5.3 focuses on the MITRE Cybersecurity Criteria, which provide a common taxonomy of Tactics, Techniques, and Procedures applicable to defending against cyberattacks, withstanding cyberattackers’ activities such as unauthorized interaction with organizations’ computer systems, networks, and infrastructure resources, and recovering from potential malicious cyberattacks.
Section 5.4 introduces the MITRE Cybersecurity Taxonomy, which refers to cyberattack possibilities and how to overcome them. Section 5.5 contains comprehensive questions on the topics of the NIST Cybersecurity Framework and the MITRE Cybersecurity Criteria. Finally, “References” lists the references used, for further reading.
References
https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Controls_for_Effective_Cyber_Defense. 2022 (Accessed 12.2022)
https://learn.cisecurity.org/cis-controls-download (Accessed 12.2022)
Brooks, R.: Top 20 Critical Security Controls for Effective Cyber Controls. 2018 https://blog.netwrix.com/2018/02/01/top-20-critical-security-controls-for-effective-cyber-defense/ (Accessed 12.2022)
CIS Benchmarks™ https://www.cisecurity.org/cis-benchmarks/ (Accessed 12.2022)
ISA/IEC 62443 https://ldra.com/iec-62443/ (Accessed 12.2022)
Purdue Model for ICS Security https://www.checkpoint.com/cyber-hub/network-security/what-is-industrial-control-systems-ics-security/purdue-model-for-ics-security/ (Accessed 12.2022)
Pavleska, T., Aranha, H., Masi, M., Grandry, E., Selitto, G.P.: Cyber Security Evaluation of Enterprise Architectures: The e-SENS Case. In: Proceedings 12th IFIP Working Conference on The Practice of Enterprise Modeling (PoEM), pp. 226–241, 2019
Röhrig, S.: Using Process Models to Analyze IT Security Requirements. PhD Thesis, University of Zürich, 2003
Anton, A.I., Earp, J.B., Reese, A.: Analyzing Website Privacy Requirements using a Privacy Goal Taxonomy. In: Proceedings IEEE Joint International Conference on Requirements Engineering, pp. 23–31, 2003
Pfleeger, C.P., Pfleeger, S.L.: Security in Computing, 4th Edition. Prentice Hall Publ., 2006
Hubbard, J.: Measuring and Improving Cyber Defense using the MITRE ATT&CK Framework. SANS Whitepaper, 2020
NIST Special Publication, Revision 5, Joint Task Force, 2020 https://doi.org/10.6028/NIST.SP.800-53r5 (Accessed 12.2022)
NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, 2018 https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (Accessed 12.2022)
Achieving NIST CSF Maturity with Verve Security Center. Verve Use Case Report https://verveindustrial.com/resources/case-study/achieving-nist-csf-maturity-with-verve-security-center/ (Accessed 12.2022)
NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018 https://nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.04162018.pdf (Accessed 12.2022)
Pederson, P.: A RIPE Implementation of the NIST Cybersecurity Framework. Whitepaper from the Langner Group, 2014 https://www.langner.com/wp-content/uploads/2017/04/A-RIPE-Implementation-of-the-NIST-CSF.pdf (Accessed 12.2022)
Liveri, D., Theocharidou, M., Naydenov, R.: Railway Cybersecurity: Security Measures in the Railway Transportation Sector. ENISA, 2020
Möller, D.P.F., Iffländer, L., Nord, M., Leppla, B., Krause, P., Czerkewsky, P., Lenski, N., Mühl, K.: Cybersecurity in the German Railway Sector. In: CRITIS 2022
Becker, J., Knackstedt, D., Pöppelbuß, J.: Developing Maturity Models for IT Management: A Procedure Model and its Application. In: Business Information Systems Engineering, Vol. 1, pp. 213–222, 2009
Systems Engineering Guide: An Introduction to Risk Management. MITRE Corporation, 2020 https://www.mitre.org/news-insights/publication/systems-engineering-guide-introduction-risk-management (Accessed 12.2022)
Strom, B.E., Battaglia, J.A., Kemmerer, M.S., Kupersanin, W., Miller, D.P., Wampler, C., Whitley, S.M., Wolf, R.D.: Finding Cyber Threat with ATT&CK™-Based Analytic. The MITRE Corporation, 2017 https://www.mitre.org/sites/default/files/2021-11/16-3713-finding-cyber-threats-with-attack-based-analytics.pdf (Accessed 12.2022)
Livingston, J.: What is MITRE ATT&CK? The Definite Guide. Verve Whitepaper, 2022 https://verveindustrial.com/resources/what-is-mitre-attck-the-definitive-guide-thank-you/?submissionGuid=06f2b320-058f-401d-9517-17663c6c65b9 (Accessed 12.2022)
Cyber Kill Chain https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html (Accessed 12.2022)
Downloads | CVE https://www.cve.org/Downloads (Accessed 12.2022)
2022 CWE Top 25 Most Dangerous Software Weaknesses https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html#cwe_top_25 (Accessed 12.2022)
Supplemental Details – 2022 CWE Top 25 https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25_supplemental.html#comparison_mssw (Accessed 12.2022)
Common Vulnerability Scoring System version 3.1: Specification Document https://www.first.org/cvss/specification-document (Accessed 12.2022)
CWE – Why it is Important https://www.hackerone.com/vulnerability-management/cwe-common-weakness-enumeration-why-it-important (Accessed 12.2022)
REvil Ransomware-as-a-Service – An Analysis of a Ransomware Affiliate Operation. INTEL471 Whitepaper, 2020 https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/ (Accessed 12.2022)
Smith, R.F., Coulson, B., Kaiser, D., Vincent, S.: Using the MITRE ATT&CK® Framework to Boost Ransomware Defenses. LogRhythm Whitepaper, https://gallery.logrhythm.com/white-papers-and-e-books/logrhythm-na-ransomware-as-a-service-white-paper.pdf (Accessed 12.2022)
Enghoff, H., Seberg, O.: A Taxonomy of Taxonomy and Taxonomists – The Systematist. In: Newsletter of the Systematics Association, Vol. 27, pp. 13–15, 2006 http://www.systass.org/newsletter/TheSystematist27.pdf (Accessed 12.2022)
Enghoff, H.: What is Taxonomy – An Overview with Myriapodological Examples. In: Soil Organisms, Vol. 81, No. 3, pp. 551–451, 2009
Taxonomy & Thesaurus Management. Pool Party Whitepaper, 2021 https://www.poolparty.biz/taxonomy-thesaurus-management (Accessed 12.2022)
ATT&CK Structure Part 1: A Taxonomy of Adversarial Behavior https://www.tripwire.com/state-of-security/mitre-framework/attck-structure-taxonomy-adversarial-behavior/ (Accessed 12.2022)
MITRE ATT&CK Enterprise Matrix, 2022 https://attack.mitre.org/matrices/enterprise/ (Accessed 12.2022)
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Möller, D.P.F. (2023). NIST Cybersecurity Framework and MITRE Cybersecurity Criteria. In: Guide to Cybersecurity in Digital Transformation. Advances in Information Security, vol 103. Springer, Cham. https://doi.org/10.1007/978-3-031-26845-8_5
DOI: https://doi.org/10.1007/978-3-031-26845-8_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-26844-1
Online ISBN: 978-3-031-26845-8
eBook Packages: Computer Science, Computer Science (R0)