B (4:55)

fine folks at cisa. Let's think about it, Jacob. The baseline that's been established in every single. Well up until they no longer started, no longer came out. But cyber security alert issued by CISA to mitigate against these exact types of threats for specific audiences. The baseline controls that were attached are the baseline, those four foundational controls, you know, access control. Update your systems, make sure you're monitoring what people are doing. Every single cyber security alert, Jacob, that was included in it, it was just part of the course. It was a part of the template, basically.

A (5:27)

Yeah, absolutely. Last takeaway at the top. 800, 171 is a very strong floor. It is a very good baseline of controls, but it's just the minimum baseline. Only about 50% of the relevant controls from NIST SP853 that mitigate real world Iranian activity actually make it into 800 171. And since most organizations only do what's required at a minimum, we're always going to see a push from the government for that baseline to increase with every revision to 800171 over time. So we're doing a great job with the baseline that we have and we're only doing about half of what we could be doing. So the ceiling is much, much higher for future revisions of 800 171. But the requirements are effective. Proving that you've done them via CMMC is extremely valuable. Now we can get into the details of how we came to these conclusions.

B (6:25)

And that 50 tailoring of 853 is obviously because 171's confidentiality focus and a lot of the other things that are availability, integrity, focus don't make their way over into that confidentiality baseline.

A (6:38)

Yeah, a couple years ago, you know, we did a bunch of episodes on the details of NIST's tailoring when they were revising from 171Rev2 to 171Rev3. So it's a deep, deep rabbit hole. We won't get into all the details today, but we'll talk about how they decided what goes in and what doesn't. Maybe how that can change in the future. Okay. First things first to clarify CMMC versus the security requirements verified by cmmc. CMMC is a verification program. It is not a set of security requirements. The security requirements verified by CMMC are imposed by other different contract clauses. CMMC is valuable because it proves that defense contractors handling sensitive control data have implemented adequate security requirements pursuant to their contractual obligations. So the real question isn't is CMMC effective at preventing Iranian cyber intrusions? The real question is whether the requirements verified by CMMC are the requirements in NIST SP 800171 effective at detecting and mitigating Iranian cyber activity. If they are, of course we want to verify that people are doing them. If they're not, we want different requirements and we would still verify via CMMC that people are doing them. So in order to answer that question, we really have to know three things. First, we have to know how the cyber adversaries actually operate in the real world. Like what are they actually doing?

B (8:07)

Yeah, that's pretty important.

A (8:09)

Yeah. How can we detect or mitigate via security controls their real world activity? And then whether defense contractors are required to do those things. Are they required to implement those controls that mitigate that actual real world activity. So assuming that the baseline for defense contractors keeps up with this Iranian cyber activity, then yeah, hell yeah, CMMC assurance is immensely valuable to the department and to the defense contractor to know am I doing the things that are actually going to help prevent the real world techniques from the real world people who are really targeting you right now.

B (8:48)

So 171 is designed to protect the competency UI on non federal systems from what, Jacob?

A (8:56)

Well, it's from any cyber threat. This is kind of the fun part because NIST doesn't. They did not create this baseline to be like, here's how you stop Iranian cyber threats, here's how you stop Russian cyber threats, here's how you stop advanced persistent threats, and so on and so forth. They just said this is a well rounded baseline for protecting the confidentiality of data in a non federal system. But it turns out that smart fundamentals are smart fundamentals kind of regardless of where they show up or how you frame them. And so even though that wasn't what NIST intended to do, they did a pretty good job of coming up with a baseline that mitigates that activity.

B (9:33)

So I think what you try to say there is adversaries. The answer to my questions was adversaries from adversaries. Right. And so when 871 was pushed across, it wasn't verified. Right. And so nobody verified it and the adversaries were still get the data. And now CMC exists to make sure the verif the adversaries don't get the data. That's simply put, that's what it is.

A (9:56)

Yeah, absolutely. All right, so the first thing that we need to know, what do cyber actors actually do? Not just the Iranians, but any of the bad guys out there that are doing bad guy cyber stuff, what do they actually do? So the Mitre Corporation maintains a knowledge base of quote adversarial tactics, techniques and common knowledge, otherwise known as the MITRE attack framework. The model organizes these cyber techniques used by actual cyber bad guys into what are known as tactics. These 14 high level tactics. So for instance, in order to gain initial access into a system, the bad guys might use phishing as a technique, something that a lot of people are familiar with. Another example, in order to escalate their privilege privileges on a compromised system, like to move up to an admin level account or something with actual privileges that would let them do what they're going to do, the bad guys might use modifying domain policy as a technique. There's techniques to Achieve these tactics, initial access, maintaining persistence and escalating privileges, exfiltrating data, all the stuff that the bad guys do. There's all kinds of techniques that they can execute in order to achieve those tactics. So if you look at the MITRE, ATT and CK framework, you can actually see all 250 techniques, including detailed sub techniques for different operating systems, different technologies, different contexts, all organized by these 14 tactics. And in the MITRE, ATT and CK matrix. We'll put the link below. You can go to the website, click on it, drill down as deep as you want to. You do not have to be technical to understand the descriptions of what these actual very advanced bad guys are really doing on networks and systems. It's a wonderful way to get your, your awareness around how bad guys actually work to a much greater degree than just like your, you know, your routine awareness training. Anyways, all of this information is based on real world observations, right? They're based off of cyber threat intelligence reports that MITRE aggregates security research, academic papers on security research, and real world malware samples from known cyber intrusion groups from around the world. Important note here, every technique and sub technique has information about how to detect and, and, or mitigate that activity, if it's possible. That's the connective tissue here, right? We know what the bad guys do and we know how to detect it. And if possible, we know exactly how to mitigate it. That means that using mitre, ATT and ck, we can get an exact picture of how even the most advanced threat actors actually operate. China, Russia, North Korea and Iran and what to do about it.

B (12:52)

So you're saying that if I'm in a particular sector and somebody has been identified as a threat to my sector that my organization belongs to, I can go to this website, I can find that organization that's a threat to them, see how they operate, see the things that they're going to do, and then see the recommendations in which I can try to stop and delay that attack.

A (13:13)

Yep. And some of the, some of the mitigations and some of the detections, they'll give you detailed signatures that you can just straight up use off the website to detect that specific technique, that specific activity used by these threat actors. And it's just right there. It's just right there. I mean, a lot of people who are, you know, they're not going to.

B (13:31)

So it's just not a recommendation of, hey, make sure that you're monitoring for activity from Iran. It's to make sure that you're monitoring for this Particular signature or to even take and directly apply settings to do

A (13:41)

this configuration, do this for specific signature.

B (13:44)

So it's not a guessing game. It's actually, here's the solution, here's how you put it in place, here's a quick way to remediate it, because it's actually an issue that can be a big problem, right?

A (13:52)

Absolutely. And so for, in this example, we got issues with Iran. You're a target. Let's look at what the Iranians do within this mitre, ATT and CK data set. So we selected five Iranian threat actors that are known to target the US Defense industrial base. We're talking cyber espionage, supply chain attacks, often at the behest of what's known as the Ministry of Intelligence and Security in Iran, against sectors like defense, aviation, manufacturing, energy, other things like that. In total, these groups have been seen using 130 different cyber techniques divided across those tactics that we talked about earlier. The most common technique is T1105. That's how MITRE numbers these techniques, which is known as ingress tool transfer. This is how the adversaries, once they've compromised the system and actually get their tools to operate from an external system into that compromised environment. Right? That's like the thing that everybody's got to do. There's a million different ways that they could compromise your system. They get you to click on something, they get you download something, they could throw an exploit, they could do all kinds of cool, super spooky stuff. But once they're in, one, they got to be able to stay there, and two, they got to be able to get their tools in so that they can figure out what the data is and then get it out. Right. That's why they have all these different tactics.

B (15:16)

So I can vanilla this down from my big dumb brain. What you're saying is, is that the bank robbers make a way into the bank and because the vault needs to be blown open, they have to get the dynamite in there afterwards.

A (15:25)

That's right, yeah. You got to have your bag with like your drill and your hammers and your dynamite. They got to get the tools inside in order to get to the goods. Right. So although all these cyber intrusions, intrusion sets, all these different threat actors that we're talking about, they all operate slightly differently. Maybe their malware specifics are all slightly different. They all got to get their tools inside. So it's one example of very common technique. The technique itself is still the same.

B (15:49)

So now the why it's probably important to know exactly what I don't know software and hardware operates on your system and see any anomalies to that when things happen?

A (15:58)

Yep, yep, absolutely. If you guys are, you know, for those of you who are paying attention at home, it's pretty easy to read ahead to where we're going here. So first question, right, is can we detect them? Remember, we got all these techniques, we got 130 techniques now that are associated with the Iranians. Can we either detect it or mitigate it or both? So as it turns out, 100% of the techniques used by this selected set of Iranian cyber actors can be detected if you're doing stuff that's monitoring your system and detecting alerts. So for example, tool transfer, the most common technique used by these Iranian threat actors, can be detected by monitoring things like command execution, file creation, network connection creation, network traffic flow, network traffic content, so on and so forth. You can probably imagine system monitoring is a pretty standard requirement across every security baseline that's existed for 30 years. If you're not doing it, then you can't detect the most common thing that the Iranians want to do to you that they've been observed doing in the real world. Which is why proving that you're doing something like security monitoring is extremely valuable from a program like cmmc.

B (17:14)

Especially when new assets get added to the network, right? Like you want to know when that happens? Especially if it's not something you authorize and it's not an authorized asset.

A (17:22)

Wait, absolutely. People think it's crazy. People think it's crazy that there's, you know, that nist, you know, talks in their requirements about monitoring ports, protocols and services. You know why they want you to monitor ports, protocols and services? Because when you randomly have new ports, protocols and services opening in your environment

B (17:40)

and bad guys with dynamite walking in

A (17:42)

when they're exfilt trading data to frickin Tehran, you should probably know about it, right? Especially when the data is not yours, you should probably know about it. So great news everybody. 100% of the techniques that the Iranians have been observed using the real world can be detected. Can be detected.

B (17:59)

Right?

A (18:00)

So can we mitigate it? We can see them doing it. Theoretically, can we do anything to actually mitigate the activity? Turns out we sure can. 68% of the known techniques used by our set Iviranian threat actors can be mitigated. For those of you doing Math at home, that's 89 of the 130 techniques seen used by the Iranian threat actors in our little sample here have mitigations that can be implemented via Security controls. So, for example, network intrusion prevention systems, very standard concept in security for the last several decades. Network intrusion prevention systems can mitigate tool transfer techniques to get their tools inside of your environment. Right. It's pretty straightforward when it comes to stuff like that. However, important note, why can you detect everything but you can't mitigate everything? Some techniques can't be mitigated with preventative security controls because they are based on what's known as the abuse of system features and native utilities. Right. This would be things like Windows Command Line or PowerShell running commands like SC Query to display information about system services running on those systems. You can't actually stop that from happening. It's just how the system works. The bad guys can use that information in part of their technique set in order to achieve their goals. So you can't directly stop a lot of these techniques, or you can't directly stop some of these techniques, but you can stop a lot of them. And even if you can't stop them from using system features, you can detect that activity.

B (19:44)

So while I agree, isn't there like some of these things are cascading effects from a failed implementation at some point?

A (19:55)

Right.

B (19:55)

Like, so you put a mitigation recommendation in place and that mitigation recommendation is in place, it's going to stop some of these things that happen downwind, like the running of the queries and things like that. So like you say 68%, but realistically isn't it 100% if you do all of the foundational things, theoretically there's some

A (20:14)

things that user accounts or that administrator accounts can just do on a system that you can't always stop them from doing. You can't always stop administrators from running command line commands, running queries in PowerShell, things like that. Right. They would otherwise seem.

B (20:27)

Or you can stop people who aren't administrators from running those commands, depending on your configuration.

A (20:32)

Right? Yeah. If all of a sudden I was

B (20:35)

saying like by way of another mitigation being put in place, these things technically don't.

A (20:39)

Yeah, they build off of each other for sure. If all of a sudden there's a new account created on your network and all of a sudden that account gets its privileges escalated and then it starts running a bunch of administrative data gathering command line commands, you should probably see that as a gigantic flashing red light that there's a bad guy in your system, if you're not monitoring the system, you have no idea if that's happening. So like you said, it all builds on itself from there. Even in the worst Case if you were just to allow everybody to have access to PowerShell and run whatever command you want to, you would still be able to see what they're doing through system monitoring. Even if you didn't mitigate it, you would still be able to detect it. And that in and of itself would allow you to respond to it in the future. 100% can be detected. Almost 70% can straight up be mitigated just by itself. So how do we detect and mitigate? How do we do that stuff? You do that stuff by implementing security controls. NIST SP853, everybody, everybody's favorite catalog of security controls, especially around these parts. NIST SP853 specifically, according to NIST, is a catalog of security controls that can be effectively used to protect information systems from traditional and advanced persistent threats and, and advanced persistent threats. If an advanced persistent threat has to get their tools inside and they have to use basic known techniques, doesn't matter that they're the Chinese Ministry of State Security, they still got to go through the intersection, right? They still have to do stuff. Not everything that an advanced persistent threat is some spooky zero day for which you can't detect it and you can't mitigate it. That's just not how these guys work, right? So the fine folks over at MITRE did the hard work for us under their Mappings Explorer website, which we'll put a link to below, and they have mapped everything between MITRE, ATT&CK and NIST853, right. So this is. Don't take our word for it, you can take it from the brainiacs over at MITRE. So as it turns out, there are 94 NIST controls that map to those 89 mitigatable techniques used by our selected Iranian threat actors. Right? So those that 68% that they have mitigations is 89 techniques. If you map those over according to Mitre, there's 94 controls that you could implement to do those mitigations. So as it turns out, 50% of those mappings, 50% of the mappings identified by MITRE stem from just 10 NIST controls. Just 10 of them. I recently posted about this on LinkedIn, got a lot of positive feedback, so we'll put a link to that below as well. Go check it out. These are system monitoring, configuration settings, baseline configuration, malicious code protection, least functionality, continuous monitoring, least privilege access enforcement, account management, information flow enforcement, all of the most boring meat and potatoes. Finish your vegetables before you get up from the table. Least sexy things that nobody wants to talk about are, guess what? The 50% of the mitigation stem from those 10 things.

B (23:54)

John Madden would argue against your perspective about the importance of blocking and tackling and the foundations of the game. This is blocking and tackling. Allowing people to do the things that they're allowed to do, allowing people to get to the places they're allowed to go. Protecting your system from being compromised from malicious code, monitoring things that happen, making sure this is the blocking and the tackling.

A (24:20)

Yeah. And, and you should be asking yourself people who say that this is an unrealistic burden, that this is some draconian top down, out of touch burden that government is putting on industry. Oh yeah, Baseline configurations are a bridge too far. Least privilege is too big of an ask. Information flow enforcement and system monitoring is some absurd high tech thing that, you know, only the most advanced cyber defenders can possibly understand. These are 30 year old concepts. Right. These are not absurdly advanced or even necessarily all that expensive things to actually do. They're hard, but it doesn't necessarily mean that they're like complex and things that you couldn't possibly achieve.

B (25:02)

I. For, for us, yes, because like you said in these parts, 853 is, is the godsend. It's, it's the thing that we were built off of. However, our audience in the show is defense contractors. And defense contractors aren't necessarily referencing 853, even though they should for SI, you know, 04 and for CM 06 and things of that nature. So how does that apply? How does that carry over?

A (25:24)

Yeah, well, before we get into how this carries over 171, there's even more. I'll make it even better for you. Every one of 89, every, not every one of those 89 mitigatable techniques, the ones that can be mitigated, can be mitigated to some degree just by the first four of those ten controls. So system monitoring, configuration settings, baseline configurations, malicious code protection, those four will mitigate to some degree every single one of the known Iranian techniques that can be mitigated that aren't just a pure abuse of natural system features. Right. Just those four things. The, the fantastic four. There are going to be things that will give you massive traction against a nation state operator.

B (26:13)

You mean monitoring the system, making sure that the settings that you put in place stay there and that you've established the settings so that you can. Yeah. Oh wow.

A (26:21)

Yeah. And you know what one of the top 10 other than satisfied DIBCAC findings is? Baseline configuration. Yeah. Anyways, so let's get to Your original question. Okay, great. We know what the bad guys are doing. We know it can be detected. We know in most cases it can be mitigated. We know that there are NIST controls that we can implement to do those things. Do those NIST controls show up in the 800171 baseline that contractors are obligated to implement pursuant to DFARS clause 252, 204 7012? Remember, 800171 is derived from the moderate baseline selected from 853. Turns out every one of those top 10 NIST SP 853 controls are represented in NIST SP 800 171, revision 2 and revision 3. All 10 of them. All 10 of them, including the Fantastic Four that map to literally every single thing that the Iranians do. Right. So this is stuff like if, even if you're not familiar with 853, as we went through that top 10 list, you should start to sound familiar because they basically all come from the 3.1 controls. 3.4, 3.14. We're talking system monitoring, least functionality, continuous monitoring, access enforcement, things like that. So you're talking requirements like 3, 1.5, 3, 1.2, 3, 14.6. We'll put the chart. We're going to have a blog with all this information. If you don't see it in the description, when this is live, we're going to add it back later. You'll see us post about it as well or check my LinkedIn posts. But these should all be familiar. You shouldn't be hearing these concepts for the first time. If you've skimmed through 8001 71, if you've gone through implementation, you're getting ready for assessment. These should all seem like, you know, the bare bones things that you would be doing. Anyways, some more details here. Okay. Those top 10 controls, all of them are in 800, 171. And we know that 50% of the mappings come from those top 10 controls. This is wonderful as a baseline, as a floor. That means that 800171 is extremely effective at mitigating and detecting real world Iranian cyber threats. Even though that's not what NIST tailored the baseline to do. They just tailored it as a general confidentiality baseline for data. There's just a lot of overlap between

B (28:45)

layers of a cop, layers of a baseline.

A (28:48)

Right.

B (28:48)

So the minimum baseline layer is 171R2, then R3. Right. And that coverage that they offer you've mentioned multiple times through Here, a key term that is a line of delineation when it comes to what NIST framework to establish for a CMMC organization.

A (29:06)

Right.

B (29:07)

And that's advanced persistent threats. There's a separate document, a separate. This baseline that's pulled out that's designed to enhance this minimum baseline that would, I would argue, possibly maps to quite more.

A (29:21)

Well, we don't have time to get into 172 today. If you guys find this interesting, let us know in the chat, because I don't think you're. I did the analysis. I don't think you're gonna like it because Most of what 172 does is double down on the existing.

B (29:34)

We have no. We have no room for your 172 negativ.

A (29:37)

It doubles down on what is already in one baseline. Instead of adding the things that are missing, let's talk about what's missing. Right. So only 47% of the 94 controls that mitigate the Iranian techniques represented in our sample, only 47% of those 94 are actually represented in 171. So even though we're getting the, you know, the majority of the mappings with just 10 controls, 171 only contains about half of the possible controls that it could if we wanted to mitigate cyber activity from Iran to the greatest degree possible. So 25% of the controls that would mitigate Iranian cyber activity aren't in the 853 moderate baseline. So they were never eligible to be included in the 171 baseline to begin with. 12% were tailored out of 171 based off of the assumption that contractors would already be doing these things without being required to do them. These are the famous NFO controls in the appendix at the back of 812% of the stuff that would help with Iranian cyber activity, the government originally just assumed people would be doing as we know that's not the case. 6% of the controls were tailored out of the baseline because according to nist, they weren't relevant to protecting CUI confidentiality. So you're Talking about almost 40% of what we could have in the baseline was never able to be included in the baseline to begin with. So although we're doing a wonderful job with that 50% or so that we have in the baseline, we've got the top 10, we've got the top four. We have way higher of a ceiling that we could possibly get to in future revisions of 171, depending on how NIST decides to tailor the baseline.

B (31:30)

Can you Just imagine your entire organization getting smashed from orbit by Iran because one of those IOU controls that everybody assumed that you were doing.

A (31:38)

Yeah, well, I mean this. That was 171Rev2. When you move to 171Rev3, you would imagine that things would change. And it really doesn't change all that much. We still have the top 10 controls. We still have the top five, four controls that do most of the heavy lifting. But instead of 47% being represented, we only have 52% of the possible controls represented. So we don't really increase the. We don't really raise the floor significantly from Rev 2 to Rev 3 because we leave a lot of those possible 853 controls out of the baseline. So 26% of the relevant 853 controls still aren't in the 853 moderate baseline. So we can't consider them for the 800171 baseline until they are in the moderate baseline. And NIST got rid of the NFO control mistake from Rev 2. They stopped assuming that companies would be doing stuff if they weren't required. But what they really did was take a lot of those assumptions and just say, well, actually none of this stuff is relevant relevant to CUI. So 16% of those relevant 853 controls are now considered not relevant to protecting the confidentiality of cui. And so they weren't included in the baseline. So the jump from Rev 2 to Rev 3 doesn't really raise the floor all that much. The good news is the floor was already pretty high with Rev2. So if you hear people say Rev2 doesn't work, we go to go to Rev3. That's not necessarily true. Rev2 is doing just fine. You do get some more stuff in Rev 3, but it's not night and day different. And it certainly isn't the case that the floor for Rev 2 is very low or it doesn't work. Least privilege is least privilege. System monitoring is system monitoring. Information flow enforcement is information flow enforcement. It has been that way since those concepts were created. They will continue to be effective forever until we go forward because they're basic fundamental concepts. So ultimately NIST SP800,171 as a floor is excellent at what it's able to achieve, even though it wasn't actually designed to do. That's why I say it punches way above its weight class. But we're barely covering half of the possible set of controls from 853. That would go further at mitigating real World Iranian cyber activity or Chinese cyber activity or Russian cyber or whatever it happens to be. So we will continue to see revisions increase in size to increase the baseline, to raise the floor, if you will, moving into the future for this exact reason.

B (34:18)

I like that you use the term floor in describing this, because it's exactly what it is, the floor. And we're here in NFL draft season, right, where people are analyzing, you know, people that are about to athletes that are about to get drafted, and they're determining what the athlete's floor comparison is and what their ceiling comparison is. The floor comparison is based off of the given talents and the baseline of things that we see about this person. This is what we think their lowest level of ability is going to be. But if they put in that extra work, they add those extra capabilities, put in that extra time, their ceiling is so much higher. I think that's a perfect way to explain 800171 implementation, especially for two defense contractors, is you have been given the floor of what it is to be a good career. But in order to make it an excellent career and hit the ceiling, added things have to go on there. We've given you the foundation. Build a beautiful house, right?

A (35:06)

Yeah, absolutely. So does CMMC help mitigate Iranian cyber activity? Absolutely, because it proves that you're doing the things that when you go under the hood and you actually look at, we know, mitigate Iranian cyber activity. So make sure you tell your friends Share this episode we're going to put a blog out with all the details. We'll have a link down to the Miter attack database so you can check it out, you can check the math on your own, or you can check any other intrusion set to see how it maps over. It turns out that the security requirements are just pretty good just to start with, and there's not really much controversy about it. If you guys thought this was interesting and you want us to do an analysis of 172 and watch Jason and I fight about it, let us know in the chat below and we can do that in a future episode. Other than that, like and subscribe, we'll see you next week.

B (35:50)

See you next week.