NIST CSF, MITRE ATT&CK, and HASP frameworks
In today’s digital world, the ever-evolving landscape of cybersecurity threats poses significant challenges for organizations. Two major concerns are social engineering and credential stuffing, the attack vectors responsible for most breaches. Organizations rely on established frameworks and expert guidance to combat these threats effectively.
This blog post explores the recommendations of the NIST Cybersecurity Framework, which are relevant for protecting against social engineering and credential compromise, highlights the MITRE ATT&CK framework’s insights on these threats, and introduces the Human Attack Surface Protection (HASP) Framework as a comprehensive resource to tackle human-centric attacks preemptively. Additionally, we’ll delve into how Picnic combines actions from NIST, MITRE ATT&CK, and HASP to provide robust automated protection against these attacks.
NIST Cybersecurity Framework and Social Engineering
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and various NIST publications offer guidance to assist organizations in managing and improving their cybersecurity posture. While NIST does not provide step-by-step guidance for countering social engineering and credential stuffing attacks, it does provide foundational principles and best practices that organizations can apply to mitigate these threats. Here are some key points from NIST resources:
- Security Awareness and Training (NIST SP 800-50): NIST emphasizes the importance of establishing and maintaining security awareness and training programs for employees. These programs should educate staff about various cybersecurity risks, including social engineering tactics, and teach them how to recognize and respond to suspicious activity. This helps reduce the success rate of social engineering attacks.
- Access Control (NIST SP 800-53): NIST publications recommend implementing access controls to protect against unauthorized access and credential theft. Strong authentication mechanisms, such as multi-factor authentication (MFA), can significantly enhance security by making it more difficult for attackers to gain unauthorized access even if they have already obtained valid credentials via social engineering.
- Identity and Access Management (NIST SP 800-63): NIST’s guidelines on digital identity recommend using identity proofing and authentication processes that are commensurate with the level of risk. This includes using stronger authentication methods to protect against credential stuffing and unauthorized access.
- Incident Response (NIST SP 800-61): NIST highlights the importance of having an incident response plan to address security incidents promptly. This includes incidents related to social engineering and credential compromise. Having a well-defined response strategy can help minimize the impact of these attacks.
- Continuous Monitoring (NIST SP 800-137): NIST encourages organizations to continuously monitor network traffic and user activities to detect and respond to abnormal behavior, including signs of impersonation, credential compromise, and unauthorized access.
- Risk Management (NIST SP 800-30): NIST’s risk management framework provides a structured approach to identifying, assessing, and mitigating cybersecurity risks. Organizations can use this framework to prioritize security measures to reduce the risk of social engineering and credential-related attacks.
While NIST resources provide valuable guidance on cybersecurity best practices, organizations should complement these guidelines with specific countermeasures and technologies designed to address social engineering and credential compromise threats.
The MITRE ATT&CK Framework and Human-Centric Attacks
The MITRE ATT&CK framework is a comprehensive knowledge base that outlines the Tactics, Techniques, and Procedures (TTPs) used by cyber adversaries during various stages of a cyber attack. Developed by MITRE, a nonprofit organization, this framework is a valuable resource for understanding and defending against cyber threats. Here’s how the MITRE ATT&CK framework can be used to protect against social engineering and credential compromise attacks:
- Understanding the Tactics and Techniques:
  - Social Engineering: The MITRE ATT&CK framework provides detailed information about techniques used in social engineering attacks. Understanding these techniques, such as spear phishing, impersonation, and pretexting, helps organizations recognize the tactics attackers employ to manipulate individuals into disclosing sensitive information.
  - Credential Compromise: MITRE ATT&CK outlines various techniques related to credential compromise, including credential dumping, credential stuffing, and brute force attacks. By studying these techniques, organizations can identify potential vulnerabilities and attack vectors that adversaries may exploit to steal credentials.
- Mitigation and Detection:
  - Social Engineering Mitigation: The MITRE ATT&CK framework offers guidance on mitigating social engineering attacks. This includes recommendations for employee training and awareness programs, email filtering, and user authentication practices that can help reduce the risk of falling victim to social engineering tactics.
  - Credential Compromise Mitigation: Organizations can use MITRE ATT&CK’s guidance to implement defenses against credential compromise techniques. This may involve strategies like enforcing strong password policies, implementing multi-factor authentication (MFA), and monitoring for abnormal login behavior.
- Threat Intelligence:
  - MITRE ATT&CK provides valuable insights into adversary behavior. Organizations can leverage this information to understand better how threat actors operate, which techniques they favor, and which tactics they employ. This knowledge is critical for threat intelligence teams in identifying and responding to threats early.
- Red and Blue Teaming:
  - Organizations often conduct red teaming exercises using the MITRE ATT&CK framework. Red teams simulate real-world attacks, including social engineering and credential compromise, to assess an organization’s defenses. Blue teams, in response, use the framework to detect and defend against these simulated attacks, thus enhancing their incident response capabilities.
- Security Tooling:
  - Many cybersecurity tools and platforms integrate with the MITRE ATT&CK framework. This integration allows security teams to map their tools and capabilities to specific techniques and tactics outlined in the framework, making identifying, responding to, and mitigating threats easier.
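The "monitoring for abnormal login behavior" item above is easy to state and less obvious to implement, so here is an added example (not code from MITRE ATT&CK or from the original post) of the kind of detection logic a blue team would run over authentication logs. The log format (timestamp, source IP, username, outcome), the sample lines and the thresholds are all constructed assumptions. It flags three patterns: many distinct usernames failing from one source inside a short window (credential stuffing or password spraying), a success from a source already seen spraying, and a success that follows a burst of failures for the same account from the same source (a possible account takeover after brute forcing).

```python
"""Added example: detection rules for abnormal login behaviour, run over
constructed authentication log lines.  Not MITRE's or the post author's code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).  Assumed format per line:
# <ISO-8601 UTC timestamp> <source IP> <username> <FAIL|SUCCESS>
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z 203.0.113.7 alice FAIL
2024-03-01T09:00:02Z 203.0.113.7 bob FAIL
2024-03-01T09:00:03Z 203.0.113.7 carol FAIL
2024-03-01T09:00:04Z 203.0.113.7 dave FAIL
2024-03-01T09:00:05Z 203.0.113.7 erin FAIL
2024-03-01T09:00:06Z 203.0.113.7 frank SUCCESS
2024-03-01T09:05:00Z 198.51.100.9 alice FAIL
2024-03-01T09:05:03Z 198.51.100.9 alice FAIL
2024-03-01T09:05:07Z 198.51.100.9 alice FAIL
2024-03-01T09:05:09Z 198.51.100.9 alice FAIL
2024-03-01T09:05:12Z 198.51.100.9 alice SUCCESS
2024-03-01T09:10:00Z 192.0.2.44 gina SUCCESS
"""


def parse(line):
    """Parse one log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect(log_text, window=timedelta(minutes=5), spray_users=5, brute_fails=4):
    """Return a list of (rule, source_ip, detail) alerts.

    window      -- sliding time window per source IP (assumed 5 minutes)
    spray_users -- distinct failing usernames from one IP that count as spraying
    brute_fails -- failures for one account before a success looks like takeover
    """
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        recent = deque()          # events from this IP within `window` of the current one
        spray_reported = False
        for ev in evs:
            ts, _, user, outcome = ev
            while recent and ts - recent[0][0] > window:
                recent.popleft()  # drop events that fell out of the window
            recent.append(ev)

            failed_users = {e[2] for e in recent if e[3] == "FAIL"}
            user_fails = sum(1 for e in recent if e[2] == user and e[3] == "FAIL")

            # Rule 1: one source failing against many different accounts.
            if len(failed_users) >= spray_users and not spray_reported:
                alerts.append(("credential_stuffing", ip, sorted(failed_users)))
                spray_reported = True

            if outcome == "SUCCESS":
                # Rule 2: a success from a source that was just spraying.
                if spray_reported:
                    alerts.append(("success_from_spraying_source", ip, user))
                # Rule 3: a success right after a burst of failures on one account.
                elif user_fails >= brute_fails:
                    alerts.append(("success_after_failures", ip, user))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOGS):
        print(f"{rule:30} {ip:15} {detail}")
```

On the constructed input this raises three alerts: a stuffing alert for 203.0.113.7 naming the five accounts, a follow-on alert for frank's success from that same source, and a success-after-failures alert for alice from 198.51.100.9; gina's ordinary login from 192.0.2.44 raises nothing. In production the thresholds would be tuned per identity provider and the successes routed to the account-takeover playbook rather than just printed.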
By leveraging the MITRE ATT&CK framework to understand the tactics and techniques employed by adversaries, organizations can proactively implement security measures, educate their personnel, and improve their overall cybersecurity posture. However, the pre-attack tactics outlined in the framework are often overlooked as tactics that can be effectively mitigated. Reconnaissance and Resource Development are two tactics in the MITRE ATT&CK framework that enterprise security typically does not address, despite their crucial role in enabling adversaries to carry out successful attacks. For those seeking to prevent social engineering and credential compromise attacks before they happen, another resource must be utilized to supplement both MITRE ATT&CK and NIST CSF.
Introducing the HASP Framework
Fortunately, a new comprehensive framework designed specifically to address human-centric attacks now exists. Developed by Picnic in collaboration with cybersecurity experts worldwide and aligned to NIST CSF and MITRE ATT&CK, the Human Attack Surface Protection (HASP) Framework is the first framework of its kind dedicated to proactively reducing social engineering and human compromise risk. With attacks that leverage the human element remaining the largest unsolved security problem for organizations, HASP is designed to arm the cybersecurity community with best practices that help prevent these attacks and protect the human attack surface.
For cybersecurity professionals looking to shift from detection and response to prevention, the HASP framework provides mitigation actions for the following risk categories. These remediations are not exhaustive but are critical examples of the risk-based actions that can be taken by different teams and managed security service providers to protect the human attack surface and reduce overall corporate risk.
- High-Risk Employees
  - Establish and implement procedures for high-value and highly accessible employee targets.
  - Increase detection and monitoring for high-value and highly accessible employee targets.
  - Enroll high-risk employees in an elevated threat monitoring program.
- Exposed Employee PII
  - Reduce exposed employee PII, commonly leveraged for social engineering and initial access.
- Exposed Credentials
  - Reset passwords of currently-set exposed credentials.
  - Block work, personal, and service account exposed credentials from reuse within the organization.
  - Restrict service account access.
  - Monitor for account takeover (including real-time alerts on exposed credentials).
  - Monitor for multi-factor authentication (MFA) configuration changes.
  - Monitor for new MFA registrations.
- Exposed Remote Services
  - Manage shadow IT and remote access.
  - Implement an allowlist to limit brute force attacks.
  - Establish an email gateway with best practices.
  - Implement DNS anti-spoofing techniques.
- Exposed Sensitive Data
  - Request takedowns of sensitive data.
  - Monitor channels where sensitive data cannot be removed.
  - Flood with rogue data to generate noise.
- Third-Party Risk Management
  - Monitor third parties that have direct network access to systems.
  - Establish authenticated communication channels with third parties to reduce spoofing.
  - Build and establish third-party and supply chain policies, processes, and procedures.
  - Require service providers to securely manage your data.
- Indicators of Attack
  - Request takedowns for suspicious external accounts.
  - Alert your organization about suspicious external accounts.
  - Block suspicious domains.
  - Monitor for certificate/token stealing.
  - Block list of scam-likely phone numbers.
- Tailored Cyber Awareness Training
  - Train high-risk employees on social engineering attacks they will likely face.
  - Provide high-risk employees with tailored phishing simulation training.
  - Train security teams on social engineering tactics.
  - Build and establish social engineering policies, processes, and procedures.
  - Give employees a way to report phishing/smishing.
  - Provide near real-time responses to phishing/spoofing inquiries.
- Incident Response
  - Identify potential attackers or threat actors involved in the incident using OSINT methods.
  - Conduct research on the TTPs used by the attackers or threat actors to help prevent future incidents.
  - Assess the incident, isolate it, preserve evidence, contain it, investigate it, and communicate/notify about it.
  - Update incident response plans.
  - Continuously monitor and remediate.
  - Drive implementation of proactive preventive measures.
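The two Exposed Credentials items "Reset passwords of currently-set exposed credentials" and "Block ... exposed credentials from reuse within the organization" (and the NIST SP 800-63 guidance above on stronger authentication) come down to one control: screen every password the organization sees against a corpus of credentials known to be exposed. The following is an added example, not Picnic's or the HASP Framework's code; the exposed-credential corpus, account names and passwords are constructed. It keeps only SHA-1 digests of exposed passwords and answers range queries by 5-character digest prefix, the k-anonymity pattern used by public breached-password services, so that a caller never has to send a full password hash to the screening service. The same screen is applied at password-set time (block reuse) and after a successful login (force a reset of a currently-set exposed credential).

```python
"""Added example: exposed-credential screening at password-set and login time.
Not code from Picnic, HASP or NIST; corpus and accounts below are constructed."""
import hashlib

# Constructed list of passwords that (in this example) appeared in breach dumps.
# In practice this set is fed continuously from breach-monitoring data.
_CONSTRUCTED_EXPOSED = ["Password123", "Summer2023!", "acme-svc-backup", "letmein"]


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class ExposedCredentialStore:
    """Holds only digests of exposed passwords, never the plaintexts."""

    def __init__(self, plaintexts):
        self._digests = {_sha1_hex(p) for p in plaintexts}

    def suffixes_for_prefix(self, prefix5):
        """Range query: all digest suffixes sharing a 5-character prefix.

        The caller compares its own suffix locally, so the full digest of the
        candidate password never leaves the caller (k-anonymity lookup).
        """
        return {d[5:] for d in self._digests if d.startswith(prefix5)}


def is_exposed(password, store):
    digest = _sha1_hex(password)
    return digest[5:] in store.suffixes_for_prefix(digest[:5])


def evaluate_password(password, store, min_length=8):
    """Password-set / reset policy.  Returns (accepted, reason).

    Rejects passwords that are too short or that match an exposed credential,
    which blocks reuse of leaked work, personal or service-account passwords.
    """
    if len(password) < min_length:
        return False, "too_short"
    if is_exposed(password, store):
        return False, "exposed_credential"
    return True, "ok"


def login_screen(username, password, store):
    """Post-authentication screen (plaintext is only available here).

    If a currently-set password is known to be exposed, the account is allowed
    to proceed only into a forced reset flow.  Returns 'allow' or 'force_reset'.
    """
    return "force_reset" if is_exposed(password, store) else "allow"


# Constructed store used by the demo and the checks below.
EXPOSED_STORE = ExposedCredentialStore(_CONSTRUCTED_EXPOSED)

if __name__ == "__main__":
    for candidate in ["Summer2023!", "short", "correct-horse-battery-staple-42"]:
        print(candidate, evaluate_password(candidate, EXPOSED_STORE))
    # Constructed service account whose current password is in the corpus.
    print("svc-backup", login_screen("svc-backup", "acme-svc-backup", EXPOSED_STORE))
```

A few design points worth noting: SHA-1 is acceptable here only because the store is a lookup of already-public values, not a credential store, so this is not a substitute for the salted, slow hash the identity provider uses to store passwords; and the `login_screen` path is the practical way to find "currently-set exposed credentials" when you cannot compare the corpus against stored password hashes directly.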
By leveraging HASP, organizations can fill a critical defensive gap and protect their human attack surface from being exploited, resulting in an improved overall security posture, more focused intelligence, fewer active threats, less attention fatigue at the SOC, and reduced cybersecurity operating expenses.
Picnic's Human Attack Surface Protection
Picnic Corporation leverages the NIST Cybersecurity Framework, insights from MITRE ATT&CK, the comprehensive HASP Framework, and its own proprietary technology and expert social engineers to deliver a service that does the work of protecting your organization from social engineering and credential stuffing attacks for you. Here’s how Picnic’s service operates:
- Automated Protection: Picnic seamlessly integrates with your existing security stack, offering automated protection against prevalent social engineering attacks, including spear phishing, phishing, smishing, vishing, impersonation, and credential harvesting.
- Proactive Defense: Picnic’s proactive approach anticipates and mitigates threats, reducing the need for costly incident detection and response efforts.
- Human-Centric Focus: Recognizing that human vulnerabilities are the source of most cybersecurity incidents, Picnic identifies and disrupts potential attack vectors through predictive analysis.
- Threat-Informed Security: Picnic prioritizes threat intelligence and remediations tailored to your industry, people, and connected infrastructure.
- Enhanced Employee Engagement: Picnic’s service increases cyber awareness and engagement through personalized human risk assessments and targeted coaching.
- Versatility: Picnic adapts its program to your unique needs and evolving cybersecurity threat landscape, delivering continuous threat exposure reduction.
Picnic does all the work beyond your perimeter and integrates with your existing security stack to drive prioritized and automated protections against the most commonly observed social engineering attacks, such as spear phishing, phishing, smishing, impersonation, and attacks involving stolen credentials.
We reduce your operating costs associated with detection and response by reducing organizational risk and the number of cybersecurity incidents. We do it through prediction and prevention, delivering remediations that harden your human attack surface to prevent operational interruptions and security incidents that negatively impact your organization’s brand, reputation, and bottom line. For more information, check out the Solution Brief.
The Verizon 2023 Data Breach Investigations Report (DBIR) underscores the persistent threat of human-centric attacks involving social engineering and credential compromise. These attacks remain the source of most breaches because they exploit all organizations’ most substantial security gap: the human attack surface of employees, contractors, and third parties. With threat actors now leveraging AI, the scale and effectiveness of these attacks are reaching unprecedented levels.
In this threat landscape, organizations must prioritize the protection of their human attack surface. The NIST Cybersecurity Framework, MITRE ATT&CK, and HASP Framework provide essential guidance and insights for protecting against human-centric attacks. Implementing this guidance can be a time-consuming and resource-intensive process, however, particularly for large organizations with multiple access points. By partnering with Picnic, organizations can fortify their defenses against social engineering and credential-stuffing attacks, safeguarding their assets, reputation, and financial well-being while staying ahead of evolving threats.