The Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) version 1.1, developed by the National Institute of Standards and Technology (NIST), with extensive private sector input, provides a risk-based and flexible approach to managing cybersecurity risk that incorporates industry standards and best practices. The Cybersecurity Framework is, by design, crafted to enable individual organizations to determine their own unique risks, tolerances, threats, and vulnerabilities, so that they may prioritize their resources to maximize effectiveness.
The Framework provides for broad applicability across a variety of industries, organizations, risk tolerances and regulatory environments and can be supplemented by the use of Profiles. As defined by the Framework, a Profile is the application of Framework components to a specific sector, threat, or organization. A Profile may be customized to suit specific implementation scenarios by applying the Framework Categories and Subcategories appropriate to the circumstances. Profiles should be constructed to take into account the organization’s a) business/mission objectives; b) regulatory requirements; and c) operating environment.
Organizations can use Profiles to define a desired state for their cybersecurity posture based on their business objectives and use it to measure progress towards achieving this state. A Profile also gives organizations the ability to analyze cost, effort and risk for a particular objective. Profiles may also be used by industry sectors to document best practices for protection against specific threats.
The Botnet Threat Mitigation Profile focuses on botnet prevention and mitigation. Botnets have long been used as a method for orchestrating Distributed Denial of Service (DDoS) and other attacks. The range of targets and methods (e.g., from using individual PCs to using connected Internet of Things (IoT) devices) has also broadened. This Threat Profile emphasizes how the Cybersecurity Framework can reduce the likelihood of devices becoming part of a botnet, and remediate devices that already have.
To develop the Threat Profile, we reviewed all the Cybersecurity Framework Categories and Subcategories and determined those most important to combat the botnet threat. The Categories and Subcategories were then assigned to different priority levels as follows:
The Botnet Threat Mitigation Profile represents a Target Profile focused on the desired state of organizational cybersecurity to mitigate botnet threats. The intent is to provide guidance to enterprises and establish a common language for discussion regarding botnets with product vendors, ISPs, and other technology providers. The Profile may be used to help enterprises identify opportunities to reduce the likelihood of their devices becoming part of a botnet and assist in cybersecurity prioritization by comparing their current state with the desired target state.
Botnets are created when an attacker infects or acquires a network of devices, then controls these devices to remotely launch an attack at a given target. Increasingly, botnets are incorporating Internet of Things (IoT) devices, which continue to proliferate rapidly and often suffer from weak security in the form of hard-coded passwords or unpatched vulnerabilities. The number of these devices is expected to grow to as much as 55 billion by 2025, up from around 9 billion today.[1] That is a massive collection of potential targets that can be incorporated into botnets capable of generating attacks at an unprecedented scale.
Botnets allow for a wide variety of attack methods aimed at evading or overwhelming defenses. Compromised devices within an organization can be used by the botnet to carry out attacks targeting assets and infrastructure inside or outside the organization. This can have a significant negative impact on the overall risk posture of the organization and its reputation and responsibility in the community.
Mitigating botnets is largely similar to how organizations currently manage existing assets in terms of vulnerability management, traffic scanning, and so forth. However, as efforts to mitigate botnets are likely to become more aggressive, commensurate with the increasing threat, issues of privacy are important to keep in mind. For example, monitoring IoT devices for signs of botnet activity could result in the exposure of sensitive information, including PII and ePHI. While that same issue exists today, the further insertion of devices into homes, doctors’ offices, and corporate offices means that more data is likely to be collected and put at risk.
It’s important to recognize that the Framework is designed to be implemented in a comprehensive manner. That is, it should be integrated into overall technology risk management policies, procedures, and programs across the entire organization. That means that risk managers have to make decisions around what Categories and Subcategories will apply enterprise-wide, as well as which will apply for specific business units. Let’s consider an example of how this looks in practice.
The Framework Core Subcategory ID.AM-1 says “Physical devices and systems within the organization are inventoried.” The relative importance of this Subcategory is predicated on the widely accepted idea that you can’t properly defend what you don’t know about. The challenge often manifests as what many call “shadow IT,” or devices that have been connected to the enterprise network without the knowledge or approval of the security and operations teams. As a result, those devices may not be properly protected by the security mechanisms the organization has put into place, which in turn introduces potential risk. The nature of that risk can depend on how and where the devices are connected. An unauthorized device connected to the HR system that holds all the employee data may introduce greater risk than one connected to a hotel lobby computer for guest use that has been properly segmented. Nevertheless, risk is introduced, and if that device isn’t identified, then appropriate mitigations are not put into place.
The implication of this, taken in the context of botnet threat mitigation, is clear: you have to know what devices are on your network in order to be able to protect them effectively.
This same pattern holds true for the other Subcategories presented in the Profile. In other words, the Profile should be implemented in the context of the broader enterprise risk management, not as a standalone approach.
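To make the ID.AM-1 point concrete, the following is an added example (not part of the Profile or of any NIST material) of reconciling an authorized asset inventory against devices actually observed on the network. It parses DHCP lease lines, flags any MAC address that is not in the inventory, and ranks the unknown devices by the sensitivity of the network segment they were seen on, so that a stray device on the HR VLAN is surfaced before one on the guest VLAN. The inventory, the VLAN-to-segment mapping, the syslog-style lease format and every address in it are constructed for this example.

```python
"""Asset-inventory reconciliation in support of ID.AM-1 (constructed example).

Compares the devices an organization believes it owns (its authorized
inventory) with devices actually observed on the network, and reports
unknown devices together with the network segment they appeared on.
All inventory entries, log lines, VLAN names and addresses below are
constructed for this example; they do not describe any real network.
"""
import re
from dataclasses import dataclass

# Constructed authorized inventory: MAC -> (hostname, owning team)
AUTHORIZED = {
    "00:11:22:33:44:01": ("hr-db-01", "HR"),
    "00:11:22:33:44:02": ("lobby-kiosk-1", "Facilities"),
    "00:11:22:33:44:03": ("printer-3f", "Facilities"),
    "00:11:22:33:44:04": ("backup-nas", "IT"),      # in inventory but not seen below
}

# Constructed mapping of VLAN id -> (segment name, relative data sensitivity)
SEGMENTS = {
    10: ("hr", "high"),
    20: ("corp", "medium"),
    30: ("guest", "low"),
}

# Constructed DHCP lease log lines; the syslog-like layout is an assumption of this example
DHCP_LOG = """\
Mar  3 09:12:01 dhcp dhcpd: DHCPACK on 10.0.10.21 to 00:11:22:33:44:01 (hr-db-01) via vlan10
Mar  3 09:15:44 dhcp dhcpd: DHCPACK on 10.0.10.77 to de:ad:be:ef:00:01 (espressif) via vlan10
Mar  3 09:20:02 dhcp dhcpd: DHCPACK on 10.0.30.8 to 00:11:22:33:44:02 (lobby-kiosk-1) via vlan30
Mar  3 09:21:13 dhcp dhcpd: DHCPACK on 10.0.30.9 to de:ad:be:ef:00:02 via vlan30
Mar  3 09:22:50 dhcp dhcpd: DHCPACK on 10.0.20.5 to 00:11:22:33:44:03 (printer-3f) via vlan20
"""

# Hostname in parentheses is optional: some clients send no hostname at all
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<name>[^)]*)\))? via vlan(?P<vlan>\d+)"
)


@dataclass(frozen=True)
class Observed:
    mac: str
    ip: str
    name: str
    vlan: int


def parse_leases(log_text):
    """Extract one Observed record per MAC from DHCPACK lines; non-matching lines are skipped."""
    seen = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        # Later leases for the same MAC overwrite earlier ones (latest address wins)
        seen[mac] = Observed(mac, m.group("ip"), m.group("name") or "", int(m.group("vlan")))
    return list(seen.values())


def find_unknown_devices(observed, authorized=AUTHORIZED, segments=SEGMENTS):
    """Return devices absent from the inventory, most sensitive segment first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    unknown = []
    for dev in observed:
        if dev.mac in authorized:
            continue
        # A VLAN with no segment mapping is itself an inventory gap; treat it as high sensitivity
        seg_name, sensitivity = segments.get(dev.vlan, ("unmapped", "high"))
        unknown.append({
            "mac": dev.mac, "ip": dev.ip, "hostname": dev.name or "(none)",
            "segment": seg_name, "sensitivity": sensitivity,
        })
    unknown.sort(key=lambda d: rank[d["sensitivity"]])  # stable sort keeps log order within a tier
    return unknown


def find_missing_devices(observed, authorized=AUTHORIZED):
    """Inventory entries never seen on the network: stale inventory or an offline asset to confirm."""
    seen = {d.mac for d in observed}
    return sorted(mac for mac in authorized if mac not in seen)


if __name__ == "__main__":
    obs = parse_leases(DHCP_LOG)
    for d in find_unknown_devices(obs):
        print(f"UNKNOWN  {d['mac']} {d['ip']:<12} {d['hostname']:<14} on {d['segment']} ({d['sensitivity']})")
    for mac in find_missing_devices(obs):
        print(f"NOT SEEN {mac} {AUTHORIZED[mac][0]}")
```

Two design points carry over to a real deployment. First, reconcile in both directions: an inventory entry that never shows up is as much a data-quality problem as an unlisted device, and the Profile’s measurement of progress depends on the inventory being trustworthy. Second, the segment lookup is what turns a flat list of unknown MACs into a prioritized one, which is exactly the HR-versus-guest-lobby distinction the paragraph above draws.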
From here, how organizations use the Profile will vary based on certain factors including:
Assessing the real risk of having organizational devices become part of a botnet means thinking through how that would impact business operations. It could mean that bandwidth is being used by the compromised devices or having your connectivity blocked to the extent that it effectively becomes a DDoS attack. Or it could cause reputational damage as your devices are used to harm other organizations. Regardless, without fully understanding the risk, it is difficult to determine what resources need to be applied to mitigate it.
Armed with that understanding, the risk then has to be considered in the context of what resources are available. This will vary widely from one organization to the next, and may be especially impactful to small and medium-sized businesses. This is where the Priorities can be of help. Start by implementing as many P1 Subcategories as possible, and work your way from there, based on the risk as it evolves.
The current maturity of an organization’s existing cybersecurity policies, procedures and programs makes a difference. If basic, fundamental cybersecurity risk management hasn’t been implemented, or is ad hoc, implementing mitigations against botnets in an effective and efficient manner will be challenging. This could lead to a false sense of security or to unneeded expenditures on a level of protection that exceeds the risk.
Within the high-level guidelines presented in this section and throughout the document, each organization will ultimately find its own way in which to make use of the Profile. This is the intent and wholly consistent with the use of the Cybersecurity Framework overall.
The Informative References used originate from the following:
[1] https://www.businessinsider.com/internet-of-things-report