NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is a detailed document that describes multiple security and privacy controls. These are controls that should be in place to protect both Federal Government and Critical Infrastructure information systems. Other industries also use these guidelines in an effort to protect their systems from threats. Risk assessments incorporate NIST SP 800-53 because it is so detailed and covers many of the security domains. The most current version is NIST SP 800-53 Revision 5.
ATT&CK Navigator is fully customizable, with multiple layers of the ATT&CK knowledge base that can be added to build out specific adversary techniques and tactics. While the ATT&CK Navigator we link to is hosted on GitHub, there is an option to host it on premises if that is preferred. Instructions are in the README.md.
1. Download the ATT&CK Navigator JSON file from SCYTHE.
2. Go to the Mitre ATT&CK Navigator and select Open Existing Layer.
3. Select Upload from local and import the ATT&CK Navigator JSON file.
4. The techniques that are highlighted in red were successfully run within the campaign, meaning that there were no security controls in place to block their execution.
5. Right-click on one of the red highlighted boxes for more options. Clicking on Select Technique or Select Tactic will take you to the MITRE ATT&CK page.
6. The MITRE ATT&CK page for the respective technique or sub-technique will have all the information a Blue Teamer needs to detect and respond to the TTP.
Reports and Summaries are available once a campaign has run successfully. Click Reports on the left; all Campaigns are viewable in this section. Select the NIST 800 summary for the respective campaign. This will download the summary as a JSON file.
In order to view the NIST security controls that will mitigate each technique, mouse over the technique. Investigation into the mitigation controls will enable the Blue Team to determine how they can add the most feasible controls in order to protect against the specified technique.
For both the ATT&CK Navigator and the NIST 800 Navigator Summary report, the Blue Team should focus on the techniques that are highlighted red. These are the techniques that successfully ran in the SCYTHE campaign and were not blocked by any security controls. Once the mitigation controls have been put in place, re-run the campaign and review the summaries to see if they reflect the changes. Team members who are working on a NIST SP 800-53 Risk Assessment would want to focus on the red, light blue and dark blue techniques. Risk Assessments must document both mitigated and non-mitigated controls.
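The script below is an added illustration of the workflow described above; it is not SCYTHE's code or part of the ATT&CK Navigator. It reads two Navigator layer files exported from the same campaign (before and after mitigation), picks out the red-highlighted techniques, reports which ones were fixed or are still open, and lists candidate NIST SP 800-53 controls for the remainder. The layer excerpts and the technique-to-control mapping are constructed for this example; the real controls come from the campaign's NIST 800 summary.

```python
import json

# Constructed ATT&CK Navigator layer excerpts (not real SCYTHE output). The real
# layer format uses the same "techniques" list with techniqueID/tactic/color.
BEFORE = json.dumps({
    "name": "campaign-run-1", "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059.001", "tactic": "execution", "color": "#ff0000", "enabled": True},
        {"techniqueID": "T1003.001", "tactic": "credential-access", "color": "#ff0000", "enabled": True},
        {"techniqueID": "T1082", "tactic": "discovery", "color": "#ff0000", "enabled": True},
        {"techniqueID": "T1486", "tactic": "impact", "color": "#0000ff", "enabled": True},
    ]})
# Same campaign re-run after the Blue Team added a control for T1059.001.
AFTER = json.dumps({
    "name": "campaign-run-2", "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059.001", "tactic": "execution", "color": "#0000ff", "enabled": True},
        {"techniqueID": "T1003.001", "tactic": "credential-access", "color": "#ff0000", "enabled": True},
        {"techniqueID": "T1082", "tactic": "discovery", "color": "#ff0000", "enabled": True},
        {"techniqueID": "T1486", "tactic": "impact", "color": "#0000ff", "enabled": True},
    ]})

# Hypothetical technique-to-control mapping, for illustration only; in practice
# use the controls shown when mousing over the technique in the NIST 800 summary.
NIST_CONTROLS = {
    "T1059.001": ["CM-7", "SI-4"],
    "T1003.001": ["AC-6", "IA-5"],
    "T1082": ["SI-4"],
}

RED = "#ff0000"  # colour the layer uses for "ran successfully, not blocked"

def unblocked(layer_json):
    """Technique IDs highlighted red, i.e. executed with no control blocking them."""
    layer = json.loads(layer_json)
    return {t["techniqueID"] for t in layer["techniques"]
            if t.get("enabled", True) and t.get("color", "").lower() == RED}

def remediation_diff(before_json, after_json):
    """Compare two runs of the same campaign: fixed, still open, or newly open."""
    b, a = unblocked(before_json), unblocked(after_json)
    return {"fixed": sorted(b - a), "still_open": sorted(a & b), "new": sorted(a - b)}

def controls_to_review(layer_json):
    """Candidate NIST SP 800-53 controls for each technique that is still unblocked."""
    return {tid: NIST_CONTROLS.get(tid, []) for tid in sorted(unblocked(layer_json))}

if __name__ == "__main__":
    print(json.dumps(remediation_diff(BEFORE, AFTER), indent=2))
    print(json.dumps(controls_to_review(AFTER), indent=2))
```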
Blue Teams will find the summaries and integration with MITRE’s ATT&CK Navigator valuable because it integrates with the MITRE ATT&CK matrices and lists out the applicable NIST controls. This information will save the Blue Team time investigating to discover which controls apply to which technique.
SCYTHE adds value in knowing where you stand and speeding up the remediation process. Once the Blue Team has implemented the missing security controls and is ready to retest to see if any gaps remain, re-running the same campaign is ideal for consistency. The new summary will highlight anything that may have been missed in the mitigation. The Blue Team will not need to waste time reviewing every control and step to determine whether their defenses still have gaps; the SCYTHE reports will do this for them.
Elaine Harrison-Neukirch has over 10 years of experience in cyber security, working in the healthcare and financial services industries. She currently runs the customer support program at SCYTHE. Elaine loves giving back to the community, volunteers for the Cyber Security Non Profit (CSNP.org) and has written several blogs for them. Elaine advocates for Women in Cybersecurity; she is a member of both Women in Cybersecurity and Women’s Society of Cyberjutsu. Elaine has multiple certifications including CEH, Security+ and CyberOps CCNA.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.