Security Frameworks: A Love Story

Over the past few years, the MITRE ATT&CK framework has taken the reins as the new standard of security framework for many organizations. It is the spiritual successor to Lockheed Martin’s Cyber Kill Chain in many ways. In brief, the MITRE ATT&CK follows an attack from beginning to end, listing attacker tactics and techniques for each phase of the attack.

More and more, frameworks in security are becoming indicators of a good security program. In my time as a CISO, I would write corporate policy around frameworks. Coming from a government/military background myself, I was in love with NIST and the Cyber Kill Chain.

However, once I found myself in a retail organization that had never had a true security program, I realized that I couldn’t utilize my beloved NIST — the organization simply wasn’t ready for that kind of seismic shift in their culture.

Security Frameworks (and Compliance) Don’t Equal Security.

I tell this story to many people in the security industry as a warning: don’t make a security framework your only form of securing your people. Frameworks are just as the name suggests, a framework! They are guide rails. They are a measuring stick. They aren’t security.

If you follow NIST to the letter, you’ll still get hacked. If you are PCI DSS Level 1 and have never failed an audit, you’ll still get hacked. Compliance doesn’t equal security.

I’ve seen several people become slaves to the framework to the detriment of their organization’s growth. I’ve heard those same people tell the horror stories of IT teams resenting security due to the over-restrictive nature of their policies, all done in honor of their particular framework.

Again, I go back to what a framework by name truly is: a FRAMEWORK. This means:

  • Don’t be too stringent in sticking with a single cybersecurity framework.
  • Do find elements of each existing framework, and adapt them for your policy.
  • Don’t adapt your organization to a framework.

In other words, if you’re protecting jeans and not nuclear codes, don’t lock down your organization so much that you can’t sell your merchandise.

That said, the MITRE ATT&CK falls into a different category of frameworks. Unlike other frameworks, MITRE ATT&CK deals more with the process of finding where to stop an attack at a particular level, before irreparable damage is done. Security analysts can use it to follow an attack pattern and try to stop the attack from progressing. More than 80 percent of enterprises have adopted the MITRE ATT&CK framework to determine security gaps, write policy or for threat modeling. The framework is a good way to have your security team think about an attack.

But what is better than following a cyberattack through its lifecycle? Stopping it from happening to begin with. Detection is a must, but prevention is ideal, as the old saying goes. I challenge you to find the points of weakness and design preventions to stop the bleeding there.

At Area 1, we stop phishing attacks before they do damage. That is our mission. We take the email vector off the table for an attacker. In terms of applying what we do to the MITRE ATT&CK framework, our goal is to focus on the “Initial Access” stage to prevent attacks from reaching organizations in the first place. That’s why a large part of our technology focuses on massive-scale web crawling and in-the-wild phish indexing to detect the early signs of a phishing attack at its source.

By extension, a strong focus on comprehensive email security will protect your organization from many targeted attacks, the great majority of which start off as a phishing email.

If an attack can’t begin, will a framework still be needed? To measure your readiness and maturity, yes. But to follow an attack through your network? Nope!

In summary, love your security, like your framework. Not the other way around. Fight the good fight my friends!

If you’d like to learn what makes the MITRE ATT&CK framework useful for email security, and how to adapt the areas of the framework that make the most sense for your organization, check out Kevin’s recent webinar, “Phishing & the MITRE ATT&CK Framework” (where he’s joined by Area 1 Security’s co-founder, Oren J. Falkowitz), here.



Kevin Wilson

Senior Product Manager at Area 1

Kevin Wilson is a Sr. Product Manager at Area 1 Security. Throughout his 14 years in Cyber Security, Kevin has been an Analyst and Engineer in various organizations such as the U.S. Navy, First Data, and Lowe’s. Previously he served as the Global Information Security Officer at Guess? Inc. as well as a Product Manager for McAfee.
