Validating NIST Requirements with Falco
The NIST organization, a non-regulatory federal agency in the United States, plays a crucial role in establishing guidelines across various domains, including cybersecurity. In this article, we focus on NIST 800-171 compliance checks, which pertain to the management of Controlled Unclassified Information (CUI) in non-federal systems & organizations. NIST 800-171 sets forth guidelines & requirements specifically aimed at safeguarding CUI.
It is worth noting that NIST 800-171 closely aligns with the NIST 800-53 framework. While the latter framework outlines security controls applicable to federal agencies and their contractors, NIST 800-171 specifically addresses the management of CUI, ensuring its protection and confidentiality within non-federal systems and organizations.
The inception of NIST 800-171 can be traced back to Executive Order 13556, signed by President Obama in 2010, which aimed to enhance the protection of CUI within federal agencies. The goal was to establish a standardized policy for data sharing and transparency across all agencies.
Significant breaches in government systems, most notably the 2020 United States federal government data breach that involved the exploitation of U.S. supply chain firms such as Microsoft, SolarWinds, and VMware to gain unauthorized access to federal systems, have exemplified the importance of strong cybersecurity controls at the federal level.
While delving into the extensive history of the NIST framework is beyond the scope of this article, we will focus on explaining the requirements of NIST 800-171 and explore how the open-source tool Falco can be utilized to detect potential control failures in cloud-native systems.
Listing the Requirements
The NIST 800-171 documentation provides a comprehensive list of 14 controls accompanied by their corresponding compliance requirements. For the purpose of this article, we will focus on how Falco can effectively address 3 of the 14 controls and their corresponding requirements to ensure compliance in line with the NIST 800-171 documentation.
- Access Controls: Who has access to data and whether or not they’re authorized.
- Audit & Accountability: Know who’s accessing CUI and who’s responsible for what.
- Configuration Management: Follow guidelines to maintain secure configurations.
- Awareness & Training: Your staff should be adequately trained on CUI handling.
- Identification & Authentication: Manage and audit all instances of CUI access.
- Incident Response: Data breach preparedness and response plan protecting CUI.
- Maintenance: Ensure ongoing security and change management to safeguard CUI.
- Media Protection: Secure handling of backups, external drives, and backup equipment.
- Physical Protection: Authorized personnel only in physical spaces where CUI lives.
- Personnel Security: Train your staff to identify and prevent insider threats.
- Risk Assessment: Conduct pen testing and formulate a CUI risk profile.
- Security Assessment: Verify that your security procedures are in place and working.
- System and Communications Protection: Secure your comms channels and systems.
- System and Information Integrity: Address new vulnerabilities and system downtime.
Access Controls
The first control family in NIST 800-171, Access Controls, emphasizes the importance of enforcing secure access to systems and data. Open source Intrusion Detection System (IDS) tools like Falco can play a significant role in monitoring and enhancing access controls.
Falco can be used to monitor access enforcement by detecting unauthorized access attempts, unusual login patterns, or suspicious user activities. It can also aid in user identification and authentication, ensuring that only authorized users gain access to sensitive resources.
NIST AC-2 - Account Management
The NIST control AC-2 pertains to account management. It focuses on the establishment and management of user accounts, including the creation, modification, and termination of accounts, as well as the assignment of associated privileges.
The Falco rule System User Interactive detects any attempt to run interactive commands by a system user (i.e. a non-login user). By monitoring system user interactions, Falco can identify instances where system users, who typically do not engage in interactive sessions, attempt to execute commands interactively.
This rule helps enforce proper account management practices by flagging potentially unauthorized activities or misuse of system accounts. For example, if a non-login system user attempts to run interactive commands, it may indicate an unauthorized attempt to gain access or perform actions beyond their intended privileges.
- rule: System user interactive
  desc: an attempt to run interactive commands by a system (i.e. non-login) user
  condition: spawned_process and system_users and interactive and not user_known_system_user_login
  output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid)"
  tags: [host, container, users, mitre_execution, T1059, NIST_800-53_AC-2]
NIST AC-6 - Least Privilege
Regarding Least Privilege, organizations are expected to employ the principle of least privilege where possible. This means granting authorized and expected users only the access that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Several Falco rules support least-privilege observability and can therefore provide proof of violations.
- rule: Unexpected K8s NodePort Connection
  desc: Detect attempts to use K8s NodePorts from a container
  condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers
  output: Unexpected K8s NodePort Connection (command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository)
  tags: [network, k8s, container, mitre_persistence, T1205.001, NIST_800-53_AC-6]
As you can see in the above example, there is very little to configure, since the port numbers fall between 30000 and 32767, which is the expected range used by a NodePort service. A macro named inbound_outbound is defined to handle the types of events (connect) as well as the expected localhost IPs, as stated below:
- macro: inbound_outbound
  condition: >
    ((((evt.type in (accept,listen,connect) and evt.dir=<)) and
    (fd.typechar = 4 or fd.typechar = 6)) and
    (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
    (evt.rawres >= 0 or evt.res = EINPROGRESS))
A number of other Falco rules can be fine-tuned to your organization’s environment to achieve least privilege control observability, such as:
- Unexpected outbound connection destination
- Unexpected inbound connection source
- Unexpected UDP Traffic
For each of these rules you’ll need to populate the associated list items with the allowed sources/destinations:
- list: allowed_outbound_destination_domains
  items: [google.com, www.yahoo.com]
Audit & Accountability
The second NIST control family aims to establish mechanisms for recording and reviewing system activities to ensure accountability, detect security incidents, and support investigations. This control focuses on implementing robust audit capabilities, including the collection, protection, analysis, and retention of audit logs. By implementing this control, organizations can enhance their ability to track and monitor system events, detect suspicious activities or policy violations, and maintain an audit trail for forensic analysis and compliance purposes.
NIST AU-9 - Protection of Audit Information
Audit information pertains to all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities.
You can use Falco rules to maintain NIST compliance by detecting and alerting when there are modifications to your logging tools, such as the CloudTrail Logging Disabled rule below:
- rule: CloudTrail Logging Disabled
  desc: The CloudTrail audit logging has been disabled, this could be potentially malicious.
  condition: ct.name="StopLogging" and not ct.error exists
  output: The CloudTrail logging has been disabled.
  tags: [cloud, aws, aws_cloudtrail, NIST_800-53_AU-9]
NIST AU-10 - Non-repudiation
In the context of NIST compliance, non-repudiation ensures that a party cannot deny their involvement in a particular action or transaction.
The Falco rule Clear Log Activities aligns with the requirement of non-repudiation by detecting, and thereby discouraging, the deletion or modification of log files. Logs are essential for capturing and preserving records of events and actions within a system or application. They serve as a crucial source of evidence for auditing, forensic investigations, and compliance purposes.
- rule: Clear Log Activities
  desc: Detect clearing of critical log files
  condition: >
    open_write and
    access_log_files and
    evt.arg.flags contains "O_TRUNC" and
    not trusted_logging_images and
    not allowed_clear_log_files
  output: Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline)
  tags: [host, container, filesystem, mitre_defense_evasion, NIST_800-53_AU-10]
The above Falco rule monitors for activities or commands that attempt to clear or tamper with log files. By detecting and alerting on such actions, it helps ensure the integrity and non-repudiation of log data. This rule can help organizations comply with NIST guidelines by preserving the availability and authenticity of logs, making it difficult for malicious actors or legitimate users to manipulate or delete log entries of their activity/actions.
Configuration Management
The third NIST control family encompasses a set of controls designed to establish and maintain an organization's baseline configuration for its information systems. These controls focus on effectively managing and controlling changes to hardware, software, and firmware configurations. The purpose of the configuration management controls is to ensure that systems are securely configured, to minimize vulnerabilities, and to maintain the integrity and stability of the organization's IT environment.
By implementing robust configuration management practices, organizations can effectively track and manage configuration changes, reduce the risk of unauthorized modifications, and establish a foundation for secure and reliable operations. These controls play a crucial role in maintaining the overall security posture of an organization's information systems.
NIST CM-5: Access Restrictions for Change
The CM-5 requirement focuses on establishing and maintaining access restrictions for changes made to a system. The goal is to ensure that access to system components and resources is appropriately defined, documented, approved, and enforced throughout the change process. This control helps mitigate the risk of unauthorized or malicious changes that could compromise the system's security or integrity.
The below K8s Audit Log Falco rule effectively detects unauthorized service account creations in the kube-system and/or kube-public namespaces, aligning with NIST control CM-5 objectives. By monitoring these creations, it ensures that access controls are properly defined, documented, and enforced in line with security policies. This enhances compliance, provides visibility into potential deviations, enables prompt remediation, and upholds system integrity and security.
- rule: Service Account Created in Kube Namespace
  desc: Detect any attempt to create a service account in the kube-system or kube-public namespaces
  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
  output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name resource=%ka.target.resource ns=%ka.target.namespace)
  tags: [k8s, NIST_800-53_CM-5]
NIST CM-7: Least Functionality
The NIST control CM-7 emphasizes the implementation and maintenance of the least functionality principle, aiming to limit the capabilities of information systems to essential functions. Falco's capability to detect unauthorized inbound and outbound connections is one way to support the enforcement of the least privilege control.
- rule: Outbound or Inbound Traffic not to Authorized Server Process and Port
  desc: Detects traffic that is not to the authorized server process and port.
  condition: >
    container.image.repository in (allowed_image) and
    not proc.name in (authorized_server_binary) and
    not fd.sport in (authorized_server_port)
  output: >
    Network connection outside authorized port and binary
    (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id)
  tags: [container, network, mitre_discovery, TA0011, NIST_800-53_CM-7]
In conclusion, we have explored three essential NIST control families: Access Controls, Audit & Accountability, and Configuration Management. These control families address crucial aspects of information security, such as ensuring secure access to systems and data, establishing mechanisms for recording and reviewing system activities, and effectively managing and controlling configuration changes. By covering these control families, we have highlighted the significance of implementing strong security practices to protect sensitive information and maintain compliance with regulatory frameworks like NIST.
Moreover, it is crucial to detect misconfigured controls and insecure behaviors in real time. Timely detection allows incident response teams to take immediate corrective actions, preventing potential security incidents and ensuring compliance with regulatory frameworks like NIST. Falco has open source rules that you can quickly and easily implement to comply with the NIST framework. Falco’s real-time detections enable organizations to proactively identify and respond to security risks, minimize the impact of incidents, and safeguard sensitive data.
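Every rule shown in this article carries a NIST_800-53_* tag, so alerts can be rolled up per control as audit evidence. The following Python sketch is an added example, not part of the Falco project: it assumes Falco runs with json_output enabled and tags included in the JSON, and the sample alerts, the FAMILIES table and the function name are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Control-family prefixes for the tags used on this page (assumed mapping table).
FAMILIES = {"AC": "Access Controls", "AU": "Audit & Accountability",
            "CM": "Configuration Management"}
NIST_TAG = re.compile(r"^NIST_800-53_(([A-Z]{2})-\d+)$")

# Constructed sample alerts, one JSON object per line as Falco emits with json_output.
SAMPLE_ALERTS = """\
{"time":"2023-06-01T10:15:02.000000000Z","rule":"System user interactive","priority":"Informational","output":"System user ran an interactive command (user=daemon user_loginuid=-1)","tags":["host","container","users","mitre_execution","T1059","NIST_800-53_AC-2"]}
{"time":"2023-06-01T10:17:40.000000000Z","rule":"Clear Log Activities","priority":"Warning","output":"Log files were tampered (user=root user_loginuid=1000 command=truncate -s 0 /var/log/auth.log)","tags":["host","container","filesystem","mitre_defense_evasion","NIST_800-53_AU-10"]}
{"time":"2023-06-01T10:18:05.000000000Z","rule":"Clear Log Activities","priority":"Warning","output":"Log files were tampered (user=root user_loginuid=1000 command=truncate -s 0 /var/log/syslog)","tags":["host","container","filesystem","mitre_defense_evasion","NIST_800-53_AU-10"]}
{"time":"2023-06-01T10:20:11.000000000Z","rule":"Terminal shell in container","priority":"Notice","output":"A shell was spawned in a container","tags":["container","shell","mitre_execution"]}
falco startup banner (not JSON)
"""

def evidence_by_control(lines):
    """Group alerts by NIST control; return (report, untagged_rules, skipped)."""
    report = defaultdict(lambda: {"family": None, "count": 0, "rules": set(),
                                  "first": None, "last": None})
    untagged, skipped = set(), 0
    for line in filter(None, map(str.strip, lines)):
        try:
            alert = json.loads(line)
            rule, when = alert["rule"], alert["time"]
        except (ValueError, KeyError, TypeError):
            skipped += 1          # log noise or a malformed record
            continue
        controls = [m for t in alert.get("tags") or [] if (m := NIST_TAG.match(str(t)))]
        if not controls:
            untagged.add(rule)    # fired but maps to no control
        for m in controls:
            entry = report[m.group(1)]
            entry["family"] = FAMILIES.get(m.group(2), "unmapped family")
            entry["count"] += 1
            entry["rules"].add(rule)
            # RFC 3339 UTC timestamps of equal precision compare correctly as strings
            entry["first"] = min(entry["first"] or when, when)
            entry["last"] = max(entry["last"] or when, when)
    return dict(report), untagged, skipped

if __name__ == "__main__":
    report, untagged, skipped = evidence_by_control(SAMPLE_ALERTS.splitlines())
    for control, e in sorted(report.items()):
        print(control, e["family"], e["count"], e["first"], e["last"], sorted(e["rules"]))
    print("untagged rules:", sorted(untagged), "| skipped lines:", skipped)
```

Rules that fire without a NIST tag are reported separately, which makes gaps in the control mapping visible during an assessment.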
By maintaining compliance with NIST and other regulatory requirements, organizations can enhance their security posture, build trust with stakeholders, and mitigate the potential legal, financial, and reputational consequences of non-compliance. Prioritizing real-time detection and swift incident response is essential in maintaining a robust security posture and upholding regulatory compliance.
If you would like to know how Falco meets additional regulatory frameworks, check out the Falco blog on enforcing PCI/DSS controls in cloud-native systems - https://falco.org/blog/falco-pci-controls/.