NIST gets down with Deception
January 23, 2023
A lot of CISOs look to the National Institute of Standards and Technology (NIST) and ISO for third-party validation of appropriate security controls and security program approaches. They bring credibility and gravitas to what others may view as arbitrary or over-burdensome controls and processes. They can help free up budget dollars and shape digitization efforts across IT and security.
And up until recently, they haven’t had anything to say about the use of deception solutions. That’s been a barrier to market penetration for the industry. Forward-looking CISOs that are likely to try disruptive technologies may have their eye on deception solutions, but without the backing of an independent third-party, it could require too much political capital to fight for.
So, to finally see the embracing and recommendation of deception technology by NIST is a welcome event. The June draft of NIST Special Publication 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, discusses enhanced requirements derived from the Security and Privacy Controls document (SP 800-53) for protecting against cyber attacks. This new NIST document offers recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. Deception is one of the key recommendations:
- Using deception to confuse and mislead adversaries regarding the information they use for decision making, the value and authenticity of the information they attempt to exfiltrate, or the environment in which they are operating.1
By thwarting attackers very early in the Cyber Kill Chain®, our customers avoid getting into the attackers “opportunity funnel” to begin with. Avoiding making this first-cut has both cost-saving and force-multiplier effects throughout the log, alert, and analyze food-chain.
In another NIST Special Publication (800-160 vol. 2), Systems Security Engineering, deception is included as one of 14 techniques in the cyber resiliency engineering framework. Volume 2 addresses cyber resiliency considerations for two important, yet distinct communities of interest:
- Organizations conducting new development of IT component products, systems, and services; and
- Organizations with legacy systems (installed base) currently carrying out day-to-day missions and business functions.2
- Is unobtrusive
- Avoids needing a team of threat analysts
- Doesn’t require complex SOAR integrations
- Has minimal on-going maintenance
- Delivers heavy-weight preventative results.
Check out these NIST publications:
- https://csrc.nist.gov/publications/detail/sp/800-171b/draft
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High-Value Assets
Authors: Ron Ross (NIST), Victoria Pillitteri (NIST), Gary Guissanie (IDA), Ryan Wagner (IDA), Richard Graubart (MITRE), Deborah Bodeau (MITRE) - https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/draft
Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems
Authors: Ron Ross (NIST), Richard Graubart (MITRE), Deborah Bodeau (MITRE), Rosalie McQuaid (MITRE)
