As the threat landscape grows, so too does the need for a common lexicon, and this has resulted in the emergence of cyber security frameworks. These frameworks provide important context and structure to cyber security, which can be difficult to communicate in their absence. Implemented correctly, frameworks can help security leaders manage their organisations’ cyber risk and assist with the formulation of an incident response plan. (And organisations with such a plan in place, it’s worth noting, save an average of $340,000 per breach.)
Structurally, a cyber security framework consists of various documents that outline the policies, procedures and processes an organisation should follow. In the case of a breach, for example, the framework acts as a rallying point for the first responders, providing transparency around what must be done and when. Frameworks are integral to day-to-day security operations too, as they outline the procedures that are necessary to minimise an organisation’s attack surface.
Those that utilise frameworks are not only less vulnerable to attacks; they’re more prepared when attacks strike, too. They can also evidence this preparation by explaining the steps taken in any given security incident – establishing trust with business partners and clients, who are clear on how their data is safeguarded. As such, every organisation handling large datasets should use a cyber security framework to minimise their risk (just ask Marriott Hotels, whose reputation was annihilated by a breach costing $72m last year).
The National Institute of Standards and Technology (NIST) has created one of the most trusted and commonly used frameworks – the National Initiative for Cybersecurity Education (NICE) Framework. According to NIST, the NICE Framework aims to ‘energise and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development’.
President Trump recently highlighted the value of this framework in his Executive Order on America’s Cybersecurity Workforce, which looks to improve the US Federal Government’s cyber security workforce. The order states that NICE will become the standard for measuring government workers’ cyber skills and for assessing potential recruits. Cyber security frameworks are not only helpful for reducing cyber risk, then; they can also be used to define, develop and assess skills.
Immersive Labs experts recognised the value of NICE some time ago, and aligned many of our labs to the framework as a result; this ensures that those using our platform are developing skills relevant to real security teams today. Our experts have also created pre-defined objectives that map to the framework, supporting structured learning for different users or teams. These define a clear path towards specific technical roles and include ‘Introduction to Operating Systems’, ‘Become a Tier 1 SOC Analyst’ and ‘Become a Junior Penetration Tester’.
Another framework making waves at present is MITRE ATT&CK™, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This is used as a foundation for the creation of threat models and methodologies in the private sector, government, and in the cyber security product and service community.
At Immersive Labs, we have mapped our labs to techniques within the MITRE ATT&CK™ Framework in order to help organisations visualise their cyber risk. Each technique sits within a colour-coded box: red means zero users from that organisation have completed the corresponding lab (or labs), and there is a high risk; amber means one user from that organisation has completed the corresponding lab (or labs), and there is a medium risk; green means two (or more) users from that organisation have completed the corresponding lab (or labs), and there is a modest risk.
This on-the-fly risk analysis enables organisations to address skill gaps and visibly reduce cyber risk by completing the relevant labs. Managers can create bespoke objectives to speed this process up and ensure users are prioritising areas where the organisation is weakest. So, while on the grand scale cyber security frameworks are used to reduce risk and respond to incidents, they can also operate in tandem with platforms like ours to develop and assess skills on the ground, creating a bottom-up cyber security culture.