As a cybersecurity professional, I know that one of the most critical aspects of security is having a framework to guide your efforts. A cybersecurity framework is a set of guidelines, best practices, and standards that help organizations protect their networks, systems, and data from cyber threats. In this article, I’ll discuss three of the most prevalent cybersecurity frameworks - NIST, ISO, and CIS - and how red teams and pen testers can use them to enhance their security posture.

NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a widely recognized framework that helps organizations of all sizes and sectors manage and reduce their cybersecurity risks. The framework was created in response to Executive Order 13636, which called for the development of a voluntary, risk-based approach to cybersecurity. The NIST Cybersecurity Framework consists of five functions - Identify, Protect, Detect, Respond, and Recover - and provides guidance on how to manage and reduce cybersecurity risk.

The Identify function is all about understanding your organization’s assets, the risks associated with those assets, and the potential impacts of those risks. This includes identifying the people, processes, and technologies critical to your organization’s operations and the threats and vulnerabilities that could impact them.

The Protect function is focused on implementing safeguards to protect your organization’s assets from cyber threats. This includes implementing access controls, training employees on cybersecurity best practices, and deploying security technologies such as firewalls and antivirus software.

The Detect function is all about identifying cyber threats as they occur. This includes implementing continuous monitoring capabilities, conducting regular vulnerability assessments and penetration tests, and establishing incident response procedures.

The Respond function is focused on taking action to mitigate the impact of cyber threats when they occur. This includes activating your incident response plan, conducting forensics investigations, and communicating with stakeholders.

Finally, the Recover function is about restoring your organization’s systems and data after a cyber attack. This includes restoring backups, conducting system and data validation, and conducting a lessons-learned review to identify areas for improvement.

The NIST Cybersecurity Framework provides a great starting point for organizations looking to improve their security posture. Red teams and pen testers can use the framework to guide their testing and ensure they address all aspects of an organization’s security.

ISO/IEC 27001

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) developed the ISO/IEC 27001 standard to provide a systematic approach to information security management. The standard provides a framework for managing and protecting sensitive information, including financial information, intellectual property, employee data, and other confidential information.

The main body of the ISO/IEC 27001 standard is organized into the following clauses, each covering a different aspect of information security management (its Annex A additionally groups the security controls into 14 domains in the 2013 edition):

  1. Scope
  2. Normative References
  3. Terms and Definitions
  4. Context of the Organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

One of the key benefits of the ISO/IEC 27001 standard is that it provides a systematic and repeatable approach to information security management. This can be especially useful for organizations looking to comply with various regulatory requirements, such as HIPAA or PCI-DSS.

Red teams and pen testers can use the ISO/IEC 27001 standard to guide their testing and ensure they address all aspects of an organization’s information security. For example, a red team might focus on testing an organization’s access controls to ensure they effectively manage who has access to sensitive information.

CIS Controls

The Center for Internet Security (CIS) Controls are a set of 20 cybersecurity best practices designed to protect organizations against common cyber attacks. The controls are broken down into three categories - Basic, Foundational, and Organizational - and cover a range of security areas, including email and web browser protections, secure configuration, and incident response.

The Basic Controls are the first five controls in the CIS Controls framework and are considered essential for any organization looking to improve its security posture. These controls include:

  • Inventory and Control of Hardware Assets - Organizations should maintain an up-to-date inventory of all hardware assets and implement controls to ensure that unauthorized devices are not connected to the network.
  • Inventory and Control of Software Assets - Organizations should maintain an up-to-date inventory of all software assets and implement controls to prevent unauthorized software from being installed on network devices.
  • Continuous Vulnerability Management - Organizations should establish and maintain processes to regularly identify and remediate vulnerabilities on all network devices.
  • Controlled Use of Administrative Privileges - Organizations should establish processes to manage and control administrative privileges to prevent unauthorized access to network devices and data.
  • Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers - Organizations should establish and maintain secure configurations for all hardware and software devices to reduce the risk of cyber attacks.

The Foundational Controls are the next ten controls in the CIS Controls framework and are focused on protecting against common cyber attacks. These controls include:

  • Maintenance, Monitoring, and Analysis of Audit Logs - Organizations should establish and maintain processes to monitor and analyze audit logs to detect and respond to cyber attacks.
  • Email and Web Browser Protections - Organizations should implement controls to protect against email and web-based attacks, such as phishing and malware.
  • Malware Defenses - Organizations should implement malware defenses, such as antivirus software, to prevent and detect malware attacks.
  • Limitation and Control of Network Ports, Protocols, and Services - Organizations should establish and maintain processes to manage and control network ports, protocols, and services to reduce the risk of cyber attacks.
  • Data Recovery Capabilities - Organizations should establish and maintain processes to ensure that critical data can be recovered in the event of a cyber attack.
  • Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches - Organizations should establish and maintain secure configurations for network devices to reduce the risk of cyber attacks.
  • Boundary Defense - Organizations should implement boundary defenses, such as firewalls and intrusion detection/prevention systems, to prevent and detect cyber attacks.
  • Data Protection - Organizations should implement controls to protect sensitive data, such as encryption and access controls, to prevent unauthorized access and disclosure.
  • Controlled Access Based on Need to Know - Organizations should implement controls to limit access to sensitive data to only those who need it to perform their duties.
  • Wireless Access Control - Organizations should implement controls to manage and secure wireless access to the network.

Finally, the Organizational Controls are the last five controls in the CIS Controls framework and are focused on establishing a culture of cybersecurity within the organization. These controls include:

  • Security Awareness and Training - Organizations should provide security awareness and training to all employees to ensure they understand the importance of cybersecurity and how to protect against cyber attacks.
  • Application Software Security - Organizations should implement controls to ensure that application software is developed and maintained securely to reduce the risk of cyber attacks.
  • Incident Response and Management - Organizations should establish and maintain processes to detect, respond to, and recover from cyber attacks.
  • Penetration Testing and Red Team Exercises - Organizations should conduct regular penetration testing and red team exercises to identify and address vulnerabilities in their security posture.
  • Cybersecurity Continuous Monitoring - Organizations should establish and maintain processes to monitor their network for cyber attacks and anomalies.

Overall, the CIS Controls provide a comprehensive framework for organizations looking to improve their cybersecurity posture. Red teams and pen testers can use the CIS Controls to guide their testing and ensure they address all aspects of an organization’s security. For example, a red team might focus on testing an organization’s email and web browser protections to ensure they effectively protect against phishing and malware attacks.

Real-World Examples

One real-world example of a cybersecurity framework in action is the recent SolarWinds hack. In December 2020, it was discovered that the SolarWinds Orion software had been compromised, allowing attackers to access the networks of numerous organizations, including government agencies and Fortune 500 companies. The attack was a sophisticated supply chain attack that exploited weaknesses in the software build and deployment process.

The SolarWinds hack underscores the importance of having a comprehensive cybersecurity framework in place. In particular, the NIST Cybersecurity Framework's Identify and Protect functions would have helped prevent or contain the attack. By understanding the organization's assets and the risks associated with those assets, organizations can implement the necessary safeguards to protect against cyber attacks.

Another real-world example of a cybersecurity framework in action is the WannaCry ransomware attack in May 2017. The WannaCry attack was a global cyber attack that impacted organizations in over 150 countries, including healthcare organizations, government agencies, and financial institutions.

The WannaCry attack highlighted the importance of effective vulnerability management processes: the vulnerability it exploited had been patched by Microsoft two months earlier, and unpatched systems were the ones affected. The CIS Controls' Continuous Vulnerability Management control would have prevented the attack. Organizations can reduce their risk of cyber attacks by regularly identifying and remediating vulnerabilities.

Conclusion

In conclusion, cybersecurity frameworks are essential for organizations looking to improve their security posture. The NIST Cybersecurity Framework, ISO/IEC 27001, and the CIS Controls are among the most popular frameworks and provide comprehensive guidance on managing and reducing cybersecurity risks. Red teams and pen testers can use these frameworks to guide their testing and ensure they address all aspects of an organization's security. By implementing a comprehensive cybersecurity framework, organizations can reduce their risk of cyber attacks and protect their networks, systems, and data.