usnistgov / OSCAL-DEFINE

Develop Enhancements, Future Implementations and New Education

[Research Effort]: Lack of Cyber Resilience OSCAL control profile to assess and protect High Value Targets #41

Open fchiarini opened 9 months ago

fchiarini commented 9 months ago

Problem Statement

High Value Targets (HVTs) are information systems for which unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to an organization’s ability to perform its mission or conduct business. NIST 800-160 and MITRE CREF define a set of defensive controls (a subset of NIST 800-53, for which profiles are already in place); however, they fail to be applied by the cybersecurity community because of their complexity and lack of regulator interest to mandate (possibly again due to complexity). For this reason, focusing on the assets that matter most to advanced cyber adversaries (i.e., High Value Targets) is the most important step of any organization wanting to define and execute a threat-informed and risk-aware security strategy.

I have been collaborating with MITRE (as part of MITRE CREF) and ResilienCyCon since 2022 on the concept of High Value Target. In 2023 I launched the concept of Cyber Resilience Officer, which is the role that would be in charge within an organization of such an OSCAL-defined control profile for HVTs. The concept got endorsed by NIST NICE and a Cyber Resiliency competency area is being added. In addition, the HVT concept is part of the OASIS Indicators of Behavior work now and a proposal for addition of HVT attributes is on the table for STIX/TAXII.

More about High Value Target: www.highvaluetarget.org
More about Cyber Resilience Officer: www.cyberresilienceofficer.org

As an example (please bear in mind I am not an OSCAL expert yet):

```
<?xml version="1.0" encoding="UTF-8"?>
High-Value Target Protection Profile 1.0 1.0.0 This profile aligns NIST 800-160 controls to protect against cyber attacks, with a focus on safeguarding the "stealthiness" asset from being used to bypass detection tools by adversaries. Stealthiness Asset Defense The organization implements measures to defend the "stealthiness" asset from being exploited to bypass detection tools by adversaries. stealthiness NIST Special Publication 800-160 High-Value Target Definition The definition and criteria for identifying high-value targets are based on the information provided by www.highvaluetarget.org.
```

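The same idea expressed as an actual OSCAL 1.x profile, which imports the NIST SP 800-53 catalog, selects a few controls and tailors one of them, added here as an example and not taken from the issue or from the OSCAL project. The catalog href, the chosen control ids (RA-9, AU-6, SI-4) and the UUIDs are assumptions and placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: an OSCAL 1.x profile sketch for an HVT overlay.
     Control ids, catalog href and UUIDs are assumptions/placeholders. -->
<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
         uuid="00000000-0000-4000-8000-000000000001">
  <metadata>
    <title>High-Value Target Protection Profile</title>
    <last-modified>2024-01-01T00:00:00Z</last-modified>
    <version>1.0.0</version>
    <oscal-version>1.1.2</oscal-version>
    <remarks>
      <p>Selects NIST SP 800-53 controls that protect HVTs and adds
         guidance on defending the "stealthiness" asset.</p>
    </remarks>
  </metadata>
  <!-- A profile never copies controls; it imports them from a catalog
       and picks a subset. Assumed href: the NIST oscal-content catalog. -->
  <import href="https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml">
    <include-controls>
      <with-id>ra-9</with-id>  <!-- Criticality Analysis: identify HVTs -->
      <with-id>au-6</with-id>  <!-- Audit Record Review, Analysis, and Reporting -->
      <with-id>si-4</with-id>  <!-- System Monitoring -->
    </include-controls>
  </import>
  <merge>
    <as-is>true</as-is>  <!-- keep the catalog's family grouping -->
  </merge>
  <modify>
    <!-- Tailor SI-4 with the "stealthiness asset defense" guidance. -->
    <alter control-id="si-4">
      <add position="ending">
        <part id="si-4_hvt-gdn" name="guidance">
          <p>The organization implements measures to defend the "stealthiness"
             asset from being exploited by adversaries to bypass detection tools.</p>
        </part>
      </add>
    </alter>
  </modify>
  <back-matter>
    <resource uuid="00000000-0000-4000-8000-000000000002">
      <title>High-Value Target Definition</title>
      <rlink href="https://www.highvaluetarget.org"/>
    </resource>
  </back-matter>
</profile>
```

Resolving this profile with an OSCAL profile resolver yields a catalog containing only the three selected controls, with the added guidance part attached to SI-4.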
iMichaela commented 9 months ago

@fchiarini - Thank you for submitting this research issue. I believe this is an interesting idea and I would like to encourage you and your team to contribute and develop the HVT catalog of controls and any derived profile(s) you find suitable. While what you are providing as an example is not OSCAL, we are confident OSCAL can already represent the HVT controls and profile(s) you are proposing. We are here to support you or any community member interested in generating information in OSCAL and making it available publicly. I cannot emphasize the excitement of seeing the community coming up with new ideas and offering to work towards accomplishing them.