
NIST SP 800-115 and Penetration Testing

Learn more about the NIST SP 800-115 framework guideline for security assessment and testing, and how it affects penetration testing.

By Omkar Hiremath

If you’re starting with implementing security, you’d find it helpful if you had a place to start instead of planning everything from scratch. If you have already implemented security, you’d find it helpful if you had a reference to check if your implementations are enough or how to get better. There are a lot of frameworks and standards that can be of help for both of these needs. In this post, we’ll discuss one of those - NIST SP 800-115.

We’ll start by understanding what NIST is. Then we’ll talk a bit about the NIST cybersecurity framework and who it is for. Finally, we’ll get to NIST SP 800-115 and discuss in brief what this publication covers.

What is NIST?

The National Institute of Standards and Technology (NIST) is a physical science laboratory, part of the U.S. Department of Commerce. This institute provides measurements, standards, and guidelines for businesses of all sizes in various technologies and domains such as Chemistry, Climate, Health, Information Technology, and many more. So where does NIST come into the picture in Cybersecurity?

Of all the domains NIST covers, Cybersecurity is one of the most critical. NIST provides a cybersecurity framework that includes a set of guidelines to improve the security of an organization. This framework helps organizations plan their security strategy and provides guidelines and best practices to identify and mitigate security issues.

Let’s take a quick look at the NIST cybersecurity framework.  

NIST Cybersecurity Framework

The NIST cybersecurity framework breaks down security into 5 major aspects (aka core functions):

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Identify

This function has to do with identifying all the assets of an organization that come under the scope of security implementation. In order to implement/improve security, it’s crucial to identify all the areas that you need to cover. You need to identify all the physical and software assets, environments, existing security implementations, regulatory and compliance requirements, threats, risks, data, and employees and employee groups.

Protect

This is where the security implementations occur. After identifying all the areas, you start building defenses against internal and external threats. This function includes training employees, identity management, access control, data security, vulnerability and patch management, maintenance, etc.

Detect

No matter how much security you implement, no organization is 100% secure. Therefore you need a system to learn of any incident that might happen.

Detection mostly has to do with using strong monitoring and alerting systems. You need to monitor anomalous behavior, security-critical activities, unauthorized actions, etc. When something is detected, you need to verify whether the activity is expected and take the necessary actions.

Respond

This and the following function come into play when things go wrong. Before anything else, you need a response plan for when things go wrong. You need to create this plan in advance, define processes, and train employees. When an incident takes place, inform the stakeholders, and contain the attack so that its impact is to a minimum. Use the learnings from the incident to further improve security.

Recover

Similar to a response plan, you also need to create a recovery plan and define processes. The goal of this function is to get things back to normal as soon as possible after a cyber incident.

Now that we’ve understood what the NIST cybersecurity framework is about, let’s understand who it is for.

Who is NIST SP 800-115 for? And Who Needs to Adhere to it?

The guidelines that NIST provides act as best practices but it’s not mandatory for every organization to implement them. Therefore, there are 2 questions to be answered.

The first question is to understand who NIST is for and who can use it. As mentioned earlier, the NIST framework provides best practices and it is for businesses of all sizes and various domains. In short, it’s for everyone. Every organization can use NIST guidelines to improve its security.

The second question addresses the entities that MUST adhere to it. It’s mandatory for all federal agencies to comply with the NIST guidelines. In addition to it, contractors working with federal agencies also have to comply with it. Otherwise, they are at risk of losing their contracts.

Some guidelines from NIST are more suitable for certain industries and some are more suitable for certain approaches to improving security. Let’s look into one such specific publication - the NIST SP 800-115.

NIST SP 800-115

Security assessment, testing, and security examination are important for 2 main reasons:

  1. To check if the implemented security measures are working as expected.
  2. To identify new security weaknesses.

As important as these processes are, it’s also crucial how well you execute them. To help with this, NIST Special Publication 800-115 provides technical guidelines for security testing and assessment.

NIST 800-115 is broken down into multiple chapters covering different aspects of security testing:

  • Security Testing and Examination Overview
  • Review Techniques
  • Target Identification and Analysis Techniques
  • Target Vulnerability Validation Techniques
  • Security Assessment Planning
  • Security Assessment Execution
  • Post-Testing Activities

Security Testing and Examination Overview

This section sets a foundation for security testing and planning. As per NIST SP 800-115, security assessment should consist of the following phases at least:

  • Planning
  • Execution
  • Post-Execution

The standard also defines 3 types of assessment methods.

3 types of NIST Security Assessments

Testing: Comparing actual behavior with expected behavior.

Examination: Checking, inspecting, reviewing, observing, studying, or analyzing an object to improve understanding of it.

Interview: Discuss with employees of the organization in groups or individually to get clarification.

Review Techniques

This section addresses various review techniques such as reviewing documentation, logs, rulesets, and system configurations. Additionally, it mentions network sniffing, which can be used to identify and analyze targets. Finally, it covers file integrity checking, which verifies whether system files or other critical files have been tampered with.
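The file integrity check mentioned above, as an added illustration (this is not code from NIST or from the original post): hash a set of critical files into a baseline, then diff the current state against it. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            baseline[str(full.relative_to(root))] = hash_file(full)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Classify each path as modified, added or removed versus the baseline."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake config dir, alter it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        before = build_baseline(root)
        # Simulated drift: one file changed, one added, one deleted
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "rc.local").write_text("exit 0\n")
        (root / "hosts").unlink()
        return compare_baseline(before, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host (or signed) so that an attacker who modifies the files cannot also rewrite the reference hashes.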

Target Identification and Analysis Techniques

This section addresses identifying ports, services, and systems in the network. The next step is to identify any security weaknesses in them. The techniques covered in this section are:

  • Network Discovery
  • Network Port and Service Identification
  • Vulnerability Scanning
  • Wireless Scanning (Passive and Active scanning, Wireless device location tracking, Bluetooth Scanning)

Target Vulnerability Validation Techniques

This section talks about confirming the existence of a vulnerability and understanding the impact if the vulnerability is exploited. It covers technical weaknesses as well as weaknesses due to lack of awareness and training.

Security Assessment Planning

If you don’t plan your security assessment well, you can end up wasting your resources and still not achieve what you had in mind. This section is all about how to plan your security assessment process. It provides guidance for:

  • Developing a Security Assessment Policy
  • Prioritizing and Scheduling Assessments
  • Selecting and Customizing Techniques
  • Assessment Logistics (Assessor selection and skills, location, tools, and resources selection)
  • Assessment Plan Development
  • Addressing Legal Considerations

Security Assessment Execution

Execution follows planning, and it is important for assessors to follow the plan efficiently. If there is a reason to deviate from the plan, the situation should be reviewed before a decision is made. This section provides guidelines for executing a security assessment smoothly and covers:

  • Coordination
  • Assessment
  • Analysis
  • Data Handling (Collection, Storage, Transmission, Destruction)

Post-Testing Activities

As the name suggests, this is what happens after testing. In this phase, the data gathered is converted into action points. Post-testing activities aim at gathering the findings from the previous phase and creating a plan to mitigate the vulnerabilities found. NIST provides guidelines for the following post-testing activities:

  • Mitigation Recommendations
  • Reporting
  • Remediation/Mitigation

In order to make the best use of the techniques mentioned in NIST SP 800-115, you should have baselines set and the assessor should be adequately trained. NIST also describes a baseline skill set for each of these techniques that one can use.

Conclusion

NIST is one of the most popular places to go to for standards and guidelines. In this post, we covered one such publication that provides guidelines for security assessment and testing - NIST SP 800-115. This standard helps in planning and executing your security testing better and in an efficient manner.

We started by learning a bit about NIST and its cybersecurity framework. However, the meat of the post was a brief look at the aspects NIST SP 800-115 covers:

  • Security Testing and Examination Overview
  • Review Techniques
  • Target Identification and Analysis Techniques
  • Target Vulnerability Validation Techniques
  • Security Assessment Planning
  • Security Assessment Execution
  • Post-Testing Activities

There are different approaches you can take for testing. If you’re interested in exploring more, you might want to check out Penetration Testing as a Service.
