As part of my cyber workforce development research, I want to rationalize the NIST Cybersecurity Framework (NCSF), the related NIST National Initiative for Cybersecurity Education (NICE) Cybersecurity Framework and the Lockheed Martin Cyber kill chain. I believe connecting these foundational components is critical to establishing a common working framework for cyber operations. I include the kill chain because keeping the end game (securing infrastructure against internal/external exploitation) in mind when discussing cyber operations is imperative. At a 10,000-foot level (as shown in the Appendix of the NICE SP 800-181), it all seems to fit together, but as discussed below, clarity at lower elevation (where the work gets done) requires morphing the underlying structures. In the end, I think it gives a new perspective on how to operationalize the NCSF.
When looking at graphic depictions of the NCSF, NICE and the Cyber Kill Chain, I find that they do not represent the real world. For example, anyone dealing with cyber is familiar with the Kill Chain, adapted to cyber by Lockheed Martin. The Cyber Kill Chain identifies steps adversaries take during an intrusion, exploit, and eventual exfiltration of data. Most people depict a linear process, per Figure 1.
For a single exploit, it is a relatively straight-line process. However, from the viewpoint of cyber operations, this is ongoing, and therefore, a more accurate depiction of the kill chain is a kill cycle, as depicted in Figure 2.
I also see the same challenge when describing the NIST Cybersecurity Framework (NCSF) core elements: Identify, Protect, Detect, Respond, and Recover. Often these framework functions are laid out in a cycle format, similar to COBIT’s (Deming) Plan, Do, Check, Act (PDCA) cycle (See Figure 3).
As with the Cyber Kill Chain, this may work for addressing protection of a single asset, but from a cyber operations viewpoint, these functions overlap and intersect; at times parallel, at times linear, and at times orthogonal. For example, I view Detect at the center of the Core, detecting normal and anomalous behaviors continually. Similarly, the Protect and Identify activities represent ongoing governance and protective controls throughout cyber operations. In comparison, the Recover function engages only after malicious exploit. The best depiction I can develop showing the relationship between these functions is in Figure 4.
When we combine the Cyber Kill Cycle and the NCSF Core Cycle, we get a very functional NCSF operational template, per Figure 5.
What I like about this approach is it puts the Cyber Kill Chain into operational perspective. It confirms the criticality of Detect and Respond as crucial steps for all stages of the attack. It shows the need for 360-degree governance and diligence represented by Identify and Protect Core functions. And, it maps the Recover function to the second half of the Cyber Kill Chain.
In the end, I have taken two static models and put them in motion for successful cybersecurity operations. You may be wondering how NIST NICE fits in here? Well, that’s the next step: to map the functional roles of cybersecurity operations to this NCSF Cyber Operations Cycle. Please stay tuned! Also, as I’ll discuss in future posts, this research dovetails nicely with the NIST Cybersecurity Framework Controls Factory Model (NCSF CFM) training, developed by Larry Wilson, UMass CISO and produced by itSM Solutions. For more information on this exciting program, please see my previous posts.