CMMC, NIST 800-172, and Advanced Persistent Threats

Michael Peters

9 months ago

As organizations move up the CMMC maturity model, they do so for one reason: to prepare themselves better to protect against Advanced Persistent Threats (APTs). These threats are a significant problem in the defense supply chain, and as such, CMMC leans heavily on NIST 800-171 and 800-172 to address them.

This article introduces how these documents, particularly Special Publication 800-172, address APTs.

Understanding APTs and Their Effect on Cybersecurity

APTs are particularly sophisticated and prolonged cyber-criminal attacks initiated exclusively against a vital target to extract data or resources. Usually, targeted entities of such threats include government agencies, defense contractors, utility and infrastructure companies, and others maintaining valuable information repositories. The term “APT” often refers to both a type of ongoing cyber attack and the groups launching those attacks.

It’s essential to understand how APTs work to see how they impact an organization fully:

APTs involve continuous, stealthy, and sophisticated hacking processes to gain access to a system and remain inside for a prolonged period. They are known for their determination, highly developed threat know-how, and numerous resources and skills.
APTs will utilize several overlapping attacks, including zero-day exploits, continuous infiltration, and ongoing obfuscation. As such, they are long-term attacks that can go undetected for weeks, months, or even years.
APTs often target specific organizations for espionage or intellectual data theft, not for opportunistic money gain. They are also often suspected of being state-supported.

Some well-known examples of APTs include:

APT1 (Comment Crew): This group, suspected to be linked to China’s People’s Liberation Army, is behind numerous cyber espionage attacks on diverse industries worldwide, especially within the United States. They are also known for using highly sophisticated means to exfiltrate data from compromised networks.
APT28 (Fancy Bear): APT28 is regarded as the leading actor behind Russian cyber attacks, focusing on the governmental, military, security, and journalist industries. They have been accused of interfering with political processes related to other leading elections, such as those of the United States in 2016.
APT29 (Cozy Bear): Also believed to be associated with Russian intelligence services, this group carried out a campaign of cyber espionage to collect foreign intelligence against governmental, diplomatic, think-tank, healthcare, and energy organizations. Together with APT28, they attacked the Democratic National Committee (DNC).
APT10 (Stone Panda): Originating in China, APT10 conducts widespread hacking operations against intellectual property and sensitive data in diverse industries and governments worldwide. It has become famous through its “Cloud Hopper” campaign targeting managed service providers to breach client networks.
APT33 (Elfin): Based in Iran, A secret network focused mainly on aerospace and energy companies in Saudi Arabia and the United States.
APT38: Tied to North Korea, APT38 is a financially motivated group that has embarked on attacks across financial institutions globally. Among their projects are various attempts to steal funds to support the North Korean regime, like the unsuccessful $1 billion from the Bangladesh Bank in 2016.

NIST 800-171 & 800-172: An Overview in the Fight against APTs

Some key enablers for APT protection in the NIST include the guidelines for securing the Controlled Unclassified Information (CUI) from non-federal systems and organizations. More so, these standards further delineate vital controls that will be used to lessen risks from APTs.

Some of the essential controls to address APTs come from two key NIST documents:

NIST 800-171: Focused on maintaining the confidentiality of CUI on non-federal systems, it is made up of rules that relate to access control, incident response, system and information integrity, and other requirements that are necessary for proper access controls.
NIST 800-172: These simply establish the scope of the NIST 800-171 security requirements for systems under high risk from APTs. It introduces additional unique APT resistance controls needed for enhanced system security engineering, penetration-resistant architecture, damage-limiting operations, and designed security capabilities.

How to Implement NIST 800-171 and 800-172 to Mitigate APTs

Implementing NIST 800-171 and 800-172 controls can go a long way toward mitigating threats from APTs. Some of the critical controls include:

Assessment and Gap Analysis: Analyze the existing state of cybersecurity, vulnerabilities, and gaps to comply with NIST 800-171 and 800-172 in a detailed manner.
Risk Management: Risk assessment using different models should be applied to identify the controls’ priority based on their respective threat landscape and the possibility of the organization facing APT attacks.
Access Control: Multi-factor authentication (MFA) should be thoughtfully implemented along with this principle of least privilege to minimize the access area for APT. NIST 800-172 also recommends stronger authentication methods, such as MFA, and robust encryption techniques to protect sensitive information.
Incident Response: Develop and test an incident response plan to include APT scenarios to build rapid detection, containment, and recovery capabilities into the organizational culture.
System and Communication Protection: NIST 800-172 emphasizes the importance of protecting the systems and the communications between them. This includes implementing measures to secure data in transit and at rest and ensuring that communications are monitored and controlled to prevent eavesdropping or data exfiltration by APTs.
System and Information Integrity: Use advanced threat detection solutions and techniques, including anomaly detection, and endpoint detection and response systems for identification and response of APT activities.
Training and Awareness: Continue training the workforce with online trends regarding cyberspace, tactics, techniques, and procedures being used by APTs so that defense continues from a proactive stance, considering that at some point in time, APTs will get through network security.
Continuously Monitor and Improve: Devise a procedure that will continuously monitor cyber threats, targeting real-time detection of APT activities and all other threats posed to your cybersecurity.
Advanced Threat Detection: The publication suggests implementing advanced threat detection mechanisms to identify indicators of compromise associated with APT activities. This includes using behavior-based analytics and anomaly detection tools to spot unusual activities indicative of an APT attack.
Least Functionality and Privilege: NIST 800-172 stresses the least functionality and least privilege principle, ensuring that systems and users have only the access and capabilities necessary for their roles. This minimizes the potential impact of an APT exploiting elevated privileges or unnecessary system functionalities.

Streamline NIST Compliance and APT Protection with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

[wpforms id= “43885”]