A cyber security professional needs to understand many things in order to have some level of success in defending the systems in their care – a small sample of those things includes:

  • Technological systems – hardware and software
  • Communications systems – wired and wireless
  • Storage systems – Online, offline, on-premise, cloud
  • Data structures
  • Programming languages
  • Human behaviours
  • Business processes

Within those broad categories, there are many sub-topics – for example, just within the communications section we have a vast array of protocols to deal with, including ones like TCP/IP, UDP, SMTP, ICMP, FTP, SSH, Telnet, ARP, DNS, DHCP, PPTP, SSTP, IPSec, QUIC, SNMP, NTP – the list goes on – and it's ever increasing.

Not only does the security professional need to know how those protocols and systems work, they need to know how to configure them properly for secure use and what vulnerabilities those systems may have. They also need to know about any threats or exploits which may target those vulnerabilities.

This is not an easy task.

Fortunately, there is quite a bit of help available – much of which is via the adoption of a framework.

So what is a cyber security framework?

A Cybersecurity framework is a collection of policies, practices, guidance, and procedures which can be implemented to create an effective cybersecurity posture. Frameworks provide security practitioners with the tools to protect their assets from threats by identifying, assessing, and managing risks that could lead to data breaches, system outages, or other such disruptions.

Frameworks help organisations develop and maintain an effective cybersecurity strategy that meets the specific needs of their business. By evaluating current security practices and identifying gaps in protection, frameworks can help cybersecurity teams implement appropriate safeguards to protect critical assets.

There are many frameworks available, and some organisations opt to follow one framework – maybe for ease, or for contractual obligations, but in many cases organisations cherry-pick pieces of different frameworks that are applicable to their specific requirements.

Some of the more common cyber security frameworks are:

ISO/IEC 27001 & ISO 27002

ISO – The International Standards Organisation provides standards for multiple industry sectors, including agriculture, health, transport, materials, engineering, and IT amongst many others.

ISO 27001 & 27002 are part of the wider ISO 27000 family of standards which contains 25 separate standards, although ISO 27001 & 27002 are the two most widely used.

ISO 27001 provides a systematic approach to risk assessment, control selection, and implementation. It includes the requirements for establishing an Information Security Management System (ISMS).

ISO 27002 is a code of practice that outlines more specific and detailed cybersecurity controls.

When implemented together, these two standards provide organisations with a comprehensive approach to information security management.

Initially developed in 2005, ISO 27001 has undergone a couple of revisions, the latest being in 2022. Organisations that have already achieved ISO 27001 certification must transition to the new version by October 31st, 2025.

The previous iteration of ISO 27001 (2013) had 114 controls divided into 14 domains. The new version condenses these into 93 controls divided into 4 themes:

  1. Organisational (37 controls)
  2. People (8 controls)
  3. Physical (14 controls)
  4. Technological (34 controls)

Additionally, the new 2022 version introduces 11 new controls including:

  • Threat intelligence
  • Information security for the use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

ISO 27001:2022 has placed a greater emphasis on risk treatment processes than previous iterations and has introduced new requirements: organisations must have a robust supplier and third-party management programme, and must ensure that employees are aware of their responsibilities when it comes to cyber security.

NIST – CSF

NIST is the National Institute of Science and Technology and is a part of the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve the US quality of life.

There is no mandate for private sector NIST compliance, which means organisations are free to adopt the frameworks on a voluntary basis. However, NIST framework compliance is required for federal agencies and most government contractors. Many organisations outside the US have adopted NIST standards.

The CSF – Cyber Security Framework was released in February 2014 in response to an executive order that called for “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

CSF v2.0 was formally released in February 2024 and is described as a portfolio designed to help manage and reduce risks. CSF v2.0 consists of a series of:

  • Informative References that point to sources of guidance on each outcome from existing global standards, guidelines, frameworks, regulations, policies, etc.
  • Implementation Examples that illustrate potential ways to achieve each outcome
  • Quick-Start Guides that give actionable guidance on using the CSF and its online resources, including transitioning from previous CSF versions to version 2.0
  • Community Profiles and Organizational Profile Templates that help an organization put the CSF into practice and set priorities for managing cybersecurity risks

ISACA – COBIT

Originating in the US but now an international association, the Information Systems Audit and Control Association (ISACA) is a professional body focused on IT governance.

ISACA – COBIT (Control Objectives for Information and related Technology) is a comprehensive framework which offers best practices for governance, risk management, and cybersecurity.

The COBIT framework is divided into five categories:

  • Plan & Organize
  • Acquire & Implement
  • Deliver & Support
  • Monitor & Evaluate
  • Manage & Assess

COBIT 5, the latest iteration of the framework, was released in 2012 and is based on five principles that are essential for the effective management and governance of enterprise IT:

  • Principle 1: Meeting stakeholder needs
  • Principle 2: Covering the enterprise end to end
  • Principle 3: Applying a single integrated framework
  • Principle 4: Enabling a holistic approach
  • Principle 5: Separating governance from management

These five principles enable an organisation to build a holistic framework for the governance and management of IT that is built on seven ‘enablers’:

  1. People, skills and competencies
  2. People, policies and frameworks
  3. Processes
  4. Organisational structures
  5. Culture, ethics and behaviour
  6. Information
  7. Services, infrastructure and applications

These guidelines provide organizations with a comprehensive set of measures that can be used to protect their systems from cyberthreats.

PCI-DSS

The Payment Card Industry – Data Security Standard was developed by the major credit & debit card companies (Visa, Mastercard, AMEX, Discover, JCB) to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data.

The latest iteration of PCI-DSS was released in June 2024.

PCI DSS has twelve requirements for compliance, organised into six groups known as control objectives:

  1. Build and maintain a secure network and systems
    • Install and Maintain Network Security Controls
    • Apply Secure Configurations to all System Components
  2. Protect account data
    • Protect Stored Account Data
    • Protect Cardholder data with strong cryptography during transmission over open, public networks
  3. Maintain a vulnerability management program
    • Protect all systems and networks from malicious software
    • Develop and maintain secure systems and software
  4. Implement strong access-control measures
    • Restrict access to system components and cardholder data by business need to know
    • Identify users and authenticate access to system components
    • Restrict physical access to cardholder data
  5. Regularly monitor and test networks
    • Log and monitor all access to system components and cardholder data
    • Test security of systems and networks regularly
  6. Maintain an information security policy

ITIL – Security Management

The Information Technology Infrastructure Library (ITIL) is a set of practices and a framework for IT activities such as IT service management and IT asset management that focus on aligning IT services with the needs of the business.

ITIL security management describes the structured fitting of security into an organization. ITIL security management is based on the ISO 27001 standard.

ITIL security management covers 5 broad processes:

  • Control
    The Control sub-process organises and manages the security management process. The Control sub-process defines the processes, the allocation of responsibility for the policy statements and the management framework.
  • Plan
    The Plan sub-process contains activities that in cooperation with Service Level Management lead to the (information) Security section in the Service Level Agreement. Furthermore, the Plan sub-process contains activities that are related to the underpinning contracts which are specific for information security.
  • Implementation
    The Implementation sub-process makes sure that all measures, as specified in the plans, are properly implemented.
  • Evaluation
    The Evaluation sub-process is used to maintain the agreed measures and the implementation of the controls detailed in the plan sub-process. Evaluation is necessary to measure the success of the implementation and security plans.
  • Maintenance
    The Maintenance sub-process is based on the results of the Evaluation sub-process and insight into the changing risks. These activities will produce proposals which will either serve as new inputs for the Plan sub-process or can be adopted as part of maintaining Service Level Agreements.

The MITRE ATT&CK framework

The frameworks described above help an organisation plan, prepare and manage their cyber security posture, but as mentioned at the top of this post – cyber security practitioners also need to understand how their systems may be targeted, and by whom – this is where the MITRE ATT&CK framework comes in very handy.

The ATT&CK framework is a globally-accessible, navigable knowledge base of adversary tactics and techniques based on real-world observations.

Developed and managed by MITRE, the ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

ATT&CK stands for Adversarial Tactics, Techniques, & Common Knowledge and, as such, the framework details the common ways real-world threat actors target and compromise a victim, and the indicators to look for to help harden a system / detect compromise.

MITRE produces 3 different frameworks:

  • ATT&CK for Enterprise
  • ATT&CK for Mobile
  • ATT&CK for ICS

The structure of the frameworks details the series of steps a threat actor would typically follow when attacking a target – this sequence follows, but expands upon, the 7 steps detailed by the Lockheed Martin Cyber Kill Chain:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command & Control (C2)
  • Actions on Objectives

The MITRE ATT&CK framework for Enterprise covers 14 areas:

  • Reconnaissance – Techniques for information collection for a target
  • Resource Development – Techniques for infrastructure acquisition and capabilities development
  • Initial Access – Techniques to gain an initial foothold into a target environment
  • Execution – Techniques to execute code within the target environment
  • Persistence – Techniques that maintain access to the target environment after system restarts
  • Privilege Escalation – Techniques that elevate access within the target environment
  • Defence Evasion – Techniques to avoid being detected
  • Credential Access – Techniques to acquire internal/additional account credentials
  • Discovery – Techniques to learn more about the target environment
  • Lateral Movement – Techniques to expand access beyond the initial entry point
  • Collection – Techniques to collect information or data for follow-on activities
  • Command & Control – Techniques to control implants within the target environment
  • Exfiltration – Techniques to export collected data from the target environment
  • Impact – Techniques to negatively deny, degrade, disrupt, or destroy assets, processes, or operations within the target environment

Each of these 14 sections has a number of sub-sections, so for example the Reconnaissance section currently contains 10 sub-sections:

  • Active Scanning
  • Gather victim host information
  • Gather victim identity information
  • Gather victim network information
  • Gather victim org information
  • Phishing for information
  • Search closed sources
  • Search open technical databases
  • Search open websites / domains
  • Search victim-owned websites

Within each of these sub-sections there may be further sub-sections – for example, Active Scanning details 3 techniques:

  • Scanning IP blocks
  • Vulnerability scanning
  • Word list scanning

Within each section, the framework describes the threat activity, provides possible mitigation approaches, and discusses techniques for detecting the activity.

In each case, a real-world example of the technique being used against a target is provided to illustrate how it is used in an attack.

The MITRE ATT&CK framework for Mobile covers 12 areas:

  • Initial Access – Techniques to gain an initial foothold into a target environment
  • Execution – Techniques to execute code within the target environment
  • Persistence – Techniques that maintain access to the target environment after system restarts
  • Privilege Escalation – Techniques that elevate access within the target environment
  • Defense Evasion – Techniques to avoid being detected
  • Credential Access – Techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources
  • Discovery – Techniques to learn more about the target environment
  • Lateral Movement – Techniques to expand access beyond the initial entry point
  • Collection – Techniques to collect information or data for follow-on activities
  • Command & Control – Techniques to control implants within the target environment
  • Exfiltration – techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device
  • Impact – techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection

The MITRE ATT&CK framework for ICS covers 12 areas:

  • Initial Access – Techniques to gain an initial foothold into a target environment
  • Execution – Techniques to execute code within the target environment
  • Persistence – Techniques that maintain access to the target environment after system restarts
  • Privilege Escalation – Techniques that elevate access within the target environment
  • Evasion – Techniques to avoid being detected
  • Discovery – Techniques to learn more about the target environment
  • Lateral Movement – Techniques to expand access beyond the initial entry point
  • Collection – Techniques to collect information or data for follow-on activities
  • Command & Control – Techniques to control implants within the target environment
  • Inhibit Response Function – Techniques that adversaries use to hinder the safeguards put in place for processes and products
  • Impair Process Control – Techniques that adversaries use to disrupt control logic and cause detrimental effects to processes being controlled in the target environment
  • Impact – Techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data.

Closing words

The cyber security domain is vast, and ever changing at a rapid rate. Keeping abreast of the latest technologies, vulnerabilities, and attacks is a constant process.

Frameworks like the ones described here are invaluable for security professionals: they help in understanding the complexities of protecting a system from would-be attackers and in staying compliant with legislation, regulations, and contracts, and they also ensure that the implementation of vital controls is not missed, or the development of critical policies overlooked.