NIST Cybersecurity Framework and MITRE Cybersecurity Criteria

  • Chapter
Guide to Cybersecurity in Digital Transformation

Part of the book series: Advances in Information Security (ADIS, volume 103)

Abstract

Today, cyberattacks continue to evolve and are highly complex. They are also very expensive, as measured by the average cost of a breach in a cyberattack. The top ten most common cyberattack intrusion incidents for industrial, public, and private organizations are phishing attacks, negligent and malicious insiders, advanced persistent threats, zero day attacks, denial of service attacks, software vulnerabilities, social engineering attacks, and brute force attacks. Therefore, cybersecurity becomes an essential issue that generally focuses on the measures to protect valuable data, information, and business assets from malicious threat events that affect the confidentiality, integrity, and availability of information. In this regard, it is vitally important that computer systems, networks and network-connected devices, infrastructure resources, and others stay up to date with current software operating systems, patches, and releases. Therefore, organizations need to institute policies and procedures that enforce the way their users access information and interact with network or system resources. Here the NIST Cybersecurity Framework and the MITRE Cybersecurity Criteria come into play. The NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that help organizations improve their cybersecurity measures. It focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization’s cybersecurity risk management. In this regard, the framework provides a common organizing structure for multiple cybersecurity approaches by assembling standards, guidelines, and practices that are working effectively today. The MITRE Cybersecurity Criteria enable a collective response against cybersecurity threat events, worked out in conjunction with industry and government authorities. They describe the common tactics, techniques, and procedures of advanced persistent threats against organizations’ computer systems and networks and were later expanded to industrial control systems. In this regard, the MITRE Cybersecurity Criteria are fully committed to defending and securing cyber-ecosystems. NIST’s and MITRE’s goal is to develop cyber resiliency approaches and controls to mitigate malicious cyberattacks. Cyber resiliency enables anticipating, withstanding, recovering from, and adapting to adverse conditions, stresses, cyberattacks, or compromises on computer systems, networks, infrastructure resources, and others. Against this background, this chapter introduces in Sect. 5.1 the NIST Cybersecurity Framework (NIST CSF) with its manifold possible uses and its great impact on improving industrial, public, and private organizations’ cybersecurity needs. Therefore, Sect. 5.1 introduces the process of cybersecurity risk management. Since NIST CSF is one of the most relevant cybersecurity frameworks, Sect. 5.1 introduces the NIST Cybersecurity Framework. Section 5.1.1 introduces CIS Critical Security Controls, Sect. 5.1.2 ISA/IEC 62443 Cybersecurity Standard, Sect. 5.1.3 MITRE Adversarial Tactics, Techniques, and Common Knowledge, Sect. 5.1.4 NIST 800-653, and Sect. 5.1.5 the NIST Cybersecurity Framework. Section 5.2 focuses on the NIST Cybersecurity Framework for Critical Infrastructure, and Sect. 5.2.1 focuses on a NIST CSF Critical Infrastructure best practice use case, making use of a model approach in cybersecurity maturity. Against this background, Sect. 5.3 focuses on the MITRE Cybersecurity Criteria, which provide a common taxonomy of Tactics, Techniques, and Procedures applicable to defending against cyberattacks, withstanding cyberattackers’ activities such as unauthorized interaction with organizations’ computer systems, networks, and infrastructure resources, and recovering from potential malicious cyberattacks. Section 5.4 introduces the MITRE Cybersecurity Taxonomy, which refers to cyberattack possibilities and how to overcome them. Section 5.5 contains comprehensive questions on the topics of NIST Cybersecurity Framework and MITRE Cybersecurity Criteria. Finally, “References” lists the references used, for further reading.

References

  1. https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Controls_for_Effective_Cyber_Defense. 2022 (Accessed 12.2022)

  2. https://learn.cisecurity.org/cis-controls-download (Accessed 12.2022)

  3. Brooks, R.: Top 20 Critical Security Controls for Effective Cyber Controls. 2018 https://blog.netwrix.com/2018/02/01/top-20-critical-security-controls-for-effective-cyber-defense/ (Accessed 12.2022)

  4. CIS Benchmarks™ https://www.cisecurity.org/cis-benchmarks/ (Accessed 12.2022)

  5. ISA/IEC 62443 https://ldra.com/iec-62443/ (Accessed 12.2022)

  6. Purdue Model for ICS Security https://www.checkpoint.com/cyber-hub/network-security/what-is-industrial-control-systems-ics-security/purdue-model-for-ics-security/ (Accessed 12.2022)

  7. Pavleska, T., Aranha, H., Masi, M., Grandry, E., Selitto, G.P.: Cyber Security Evaluation of Enterprise Architectures: The e-SENS Case. In: Proceedings 12th IFIP Working Conference on The Practice of Enterprise Modeling (PoEM), pp. 226–241, 2019

  8. Röhrig, S.: Using Process Models to Analyze IT Security Requirements. PhD Thesis, University of Zürich, 2003

  9. Anton, A.I., Earp, J.B., Reese, A.: Analyzing Website Privacy Requirements using a Privacy Goal Taxonomy. In: Proceedings IEEE Joint International Conference on Requirements Engineering, pp. 23–31, 2003

  10. Pfleeger, C.P., Pfleeger, S.L.: Security in Computing, 4th Edition. Prentice Hall Publ., 2006

  11. Hubbard, J.: Measuring and Improving Cyber Defense using the MITRE ATT&CK Framework. SANS Whitepaper, 2020

  12. NIST Special Publication, Revision 5, Joint Task Force, 2020 https://doi.org/10.6028/NIST.SP.800-53r5 (Accessed 12.2022)

  13. NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, 2018 https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (Accessed 12.2022)

  14. Achieving NIST CSF Maturity with Verve Security Center. Verve Use Case Report https://verveindustrial.com/resources/case-study/achieving-nist-csf-maturity-with-verve-security-center/ (Accessed 12.2022)

  15. NIST Framework for Improving Critical Infrastructure Cybersecurity, 2018 https://nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.04162018.pdf (Accessed 12.2022)

  16. Pederson, P.: A RIPE Implementation of the NIST Cybersecurity Framework. Whitepaper from the Langner Group, 2014 https://www.langner.com/wp-content/uploads/2017/04/A-RIPE-Implementation-of-the-NIST-CSF.pdf (Accessed 12.2022)

  17. Liveri, D., Theocharidou, M., Naydenov, R.: Railway Cybersecurity: Security Measures in the Railway Transportation Sector. ENISA, 2020

  18. Möller, D.P.F., Iffländer, L., Nord, M., Leppla, B., Krause, P., Czerkewsky, P., Lenski, N., Mühl, K.: Cybersecurity in the German Railway Sector. In: CRITIS 2022

  19. Becker, J., Knackstedt, D., Pöppelbuß, J.: Developing Maturity Models for IT Management: A Procedure Model and its Application. In: Business Information Systems Engineering, Vol. 1, pp. 213–222, 2009

  20. Systems Engineering Guide: An Introduction to Risk Management. MITRE Corporation, 2020 https://www.mitre.org/news-insights/publication/systems-engineering-guide-introduction-risk-management (Accessed 12.2022)

  21. Strom, B.E., Battaglia, J.A., Kemmerer, M.S., Kupersanin, W., Miller, D.P., Wampler, C., Whitley, S.M., Wolf, R.D.: Finding Cyber Threat with ATT&CK™-Based Analytic. The MITRE Corporation, 2017 https://www.mitre.org/sites/default/files/2021-11/16-3713-finding-cyber-threats-with-attack-based-analytics.pdf (Accessed 12.2022)

  22. Livingston, J.: What is MITRE ATT&CK? The Definite Guide. Verve Whitepaper, 2022 https://verveindustrial.com/resources/what-is-mitre-attck-the-definitive-guide-thank-you/?submissionGuid=06f2b320-058f-401d-9517-17663c6c65b9 (Accessed 12.2022)

  23. Cyber Kill Chain https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html (Accessed 12.2022)

  24. Downloads | CVE https://www.cve.org/Downloads (Accessed 12.2022)

  25. 2022 CWE Top 25 Most Dangerous Software Weaknesses https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html#cwe_top_25 (Accessed 12.2022)

  26. Supplemental Details – 2022 CWE Top 25 https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25_supplemental.html#comparison_mssw (Accessed 12.2022)

  27. Common Vulnerability Scoring System version 3.1: Specification Document https://www.first.org/cvss/specification-document (Accessed 12.2022)

  28. CWE – Why it is Important https://www.hackerone.com/vulnerability-management/cwe-common-weakness-enumeration-why-it-important (Accessed 12.2022)

  29. REvil Ransomware-as-a-Service – An Analysis of a Ransomware Affiliate Operation. INTEL471 Whitepaper, 2020 https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/ (Accessed 12.2022)

  30. Smith, R.F., Coulson, B., Kaiser, D., Vincent, S.: Using the MITRE ATT&CK® Framework to Boost Ransomware Defenses. LogRhythm Whitepaper, https://gallery.logrhythm.com/white-papers-and-e-books/logrhythm-na-ransomware-as-a-service-white-paper.pdf (Accessed 12.2022)

  31. Enghoff, H., Seberg, O.: A Taxonomy of Taxonomy and Taxonomists – The Systematist. In: Newsletter of the Systematics Association, Vol. 27, pp. 13–15, 2006 http://www.systass.org/newsletter/TheSystematist27.pdf (Accessed 12.2022)

  32. Enghoff, H.: What is Taxonomy – An Overview with Myriapodological Examples. In: Soil Organisms, Vol. 81, No. 3, pp. 551–451, 2009

  33. Taxonomy & Thesaurus Management. Pool Party Whitepaper, 2021 https://www.poolparty.biz/taxonomy-thesaurus-management (Accessed 12.2022)

  34. ATT&CK Structure Part 1: A Taxonomy of Adversarial Behavior https://www.tripwire.com/state-of-security/mitre-framework/attck-structure-taxonomy-adversarial-behavior/ (Accessed 12.2022)

  35. MITRE ATT&CK Enterprise Matrix, 2022 https://attack.mitre.org/matrices/enterprise/ (Accessed 12.2022)

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this chapter

Möller, D.P.F. (2023). NIST Cybersecurity Framework and MITRE Cybersecurity Criteria. In: Guide to Cybersecurity in Digital Transformation. Advances in Information Security, vol 103. Springer, Cham. https://doi.org/10.1007/978-3-031-26845-8_5

  • DOI: https://doi.org/10.1007/978-3-031-26845-8_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-26844-1

  • Online ISBN: 978-3-031-26845-8

  • eBook Packages: Computer Science, Computer Science (R0)
