While risk management has been in use within information security doctrine for decades, cyber resiliency is a newer paradigm that has begun to gain ground.
It is no longer enough to focus solely on securing networks, as even the most robust controls may be circumvented by sophisticated adversaries. Organizations must now accept as inevitable that their cyber resources may be compromised.
Cyber resiliency bridges the gaps between cybersecurity, mission assurance, and mission continuity. It assumes that at some point, your organization’s cyber resources will be compromised and provides a framework for mitigating damage, recovering, and adapting to threats.
What is Cyber Resiliency?
The National Institute of Standards and Technology (NIST), Special Publication (SP) 800-160 Volume 2: Developing Cyber Resilient Systems: A Systems Engineering Approach, defines cyber resiliency as, “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources.” These goals of cyber resiliency can be defined as:
- Anticipate – Maintain a state of informed preparedness for adversity
- Withstand – Continue essential mission or business functions despite adversity
- Recover – Restore mission or business functions during and after adversity
- Adapt – Modify mission or business functions and/or supporting capabilities to predicted changes in the technical, operational, or threat environments
In other words, cyber resilience requires organizations to do more than just secure their systems. Cyber resilience requires an understanding of the threats within the context of your organization, your assets, the criticality of your assets, the adversaries, and other factors.
Objectives of Cyber Resiliency
To become more capable of withstanding adversities, organizations must assume compromise is already taking place or will take place in the future, continuously pursuing the cyber resiliency objectives of:
- Prevent or Avoid – Preclude the successful execution of an attack or the realization of adverse conditions
- Prepare – Maintain a set of realistic courses of action that address predicted or anticipated adversity
- Continue – Maximize the duration and viability of essential mission or business functions during adversity
- Constrain – Limit damage from adversity
- Reconstitute – Restore as much mission or business functionality as possible after adversity
- Understand – Maintain useful representations of mission and business dependencies and the status of resources with respect to possible adversity
- Transform – Modify mission or business functions and supporting processes to handle adversity and address environmental changes more effectively
- Re-Architect – Modify architectures to handle adversity and address environmental changes more effectively
Why? Because today, more than ever, it is important for organizations to be able to continuously deliver the intended outcome, despite adverse cyber events. To accomplish this and build more resilient systems reliant upon cyber resources, organizations must now consider:
- What are the threats that could impact your organization’s ability to effectively carry out its mission?
- How do you stop that event from taking place?
- If you cannot stop it, how do you mitigate the impact?
- If damage is done, how do you recover from it?
What does this all look like in practice?
Zero Trust Architecture
One approach that has gained significant traction as of late is the building (or rebuilding) of systems to be Zero Trust. According to NIST SP 800-207 Zero Trust Architecture, “Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and nonperson entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.”
Zero trust is interesting because it assumes that the network has already been compromised and that, to mitigate further damage, threats must be contained. However, it is important to understand that Zero Trust is not a defined standard or specification. It is a set of design principles and a security model with a specific objective, and it primarily entails robust monitoring and granular, risk-based access controls.
In the case of authentication: is the user requesting a given resource who they say they are? In the case of authorization, is the request valid and does the requestor have sufficient privileges? If those two questions cannot be answered affirmatively, then the user and/or request should not be trusted.
Active Cyber Defense
Another trend in cyber resiliency is a concept referred to as “Active Cyber Defense” (ACD). According to the National Security Agency’s (NSA) Information Assurance Directorate (IAD), ACD is defined as, “a component of the U.S. Government’s overall approach to defensive cyber operations. ACD elements complement preventative and regenerative cyber-defense efforts by synchronizing the real-time detection, analysis, and mitigation of threats to critical networks and systems.”
ACD is primarily focused on detecting potentially malicious behavior on systems and on the activities that take place in response to those detected behaviors. It encompasses an organization’s integrated and synchronized capabilities for automated sensing, sense-making, decision-making, and acting.
Characteristics of a comprehensive ACD solution may include: automated decision-making that enables detection and mitigation at cyber-relevant speed; scalability sufficient to operate on an enterprise network of any size; and integration with other network defense capabilities.
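The sense / sense-make / decide / act loop described above, as an added example that is not from the article or from any NSA material. Sensing parses authentication log lines, sense-making correlates failures per source address inside a sliding window, deciding applies a threshold, and acting returns the containment actions an automated playbook would carry out. The log format, hostnames, addresses and thresholds are all constructed for illustration.

```python
"""Added example: a minimal ACD loop over constructed authentication log lines.
Every name, host, address and threshold here is an assumption, not a real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, host, sshd result, user, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample: one source guesses five passwords on web01 and then succeeds;
# a second source fails once and succeeds normally; a third logs in cleanly.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z web01 sshd: Failed password for root from 198.51.100.7
2024-01-15T10:00:03Z web01 sshd: Failed password for root from 198.51.100.7
2024-01-15T10:00:04Z web01 sshd: Failed password for admin from 198.51.100.7
2024-01-15T10:00:06Z web01 sshd: Failed password for admin from 198.51.100.7
2024-01-15T10:00:08Z web01 sshd: Failed password for svc-backup from 198.51.100.7
2024-01-15T10:00:12Z web01 sshd: Accepted password for svc-backup from 198.51.100.7
2024-01-15T10:01:00Z db01 sshd: Failed password for alice from 203.0.113.9
2024-01-15T10:01:05Z db01 sshd: Accepted password for alice from 203.0.113.9
2024-01-15T10:02:00Z web02 sshd: Accepted password for bob from 10.0.0.5
"""

def sense(log_text):
    """Sensing: turn raw lines into structured events, ignoring unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def make_sense(events, window=timedelta(seconds=60), threshold=5):
    """Sense-making: per source IP, count failures within a sliding window and
    flag a success that follows a burst of failures (a guessed credential)."""
    failures = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["ip"]]
        recent[:] = [t for t in recent if ev["ts"] - t <= window]  # expire old failures
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once when the threshold is crossed
                findings.append({"kind": "brute_force", **ev})
        elif len(recent) >= threshold:
            findings.append({"kind": "success_after_failures", **ev})
    return findings

# Deciding: map each finding kind to the containment actions to take.
PLAYBOOK = {
    "brute_force": lambda f: [("block_ip", f["ip"])],
    "success_after_failures": lambda f: [
        ("block_ip", f["ip"]),
        ("disable_account", f["user"]),
        ("isolate_host", f["host"]),
    ],
}

def decide_and_act(findings):
    """Acting: return the de-duplicated, ordered list of actions to execute."""
    actions = []
    for f in findings:
        for action in PLAYBOOK[f["kind"]](f):
            if action not in actions:
                actions.append(action)
    return actions

def run(log_text):
    """Run the full loop and return the actions that would be dispatched."""
    return decide_and_act(make_sense(sense(log_text)))

if __name__ == "__main__":
    for action, target in run(SAMPLE_LOG):
        print(f"{action}: {target}")
```

The one source that fails once and then succeeds never reaches the threshold, so it produces no action; the speed of the loop comes from the fact that no human sits between the threshold being crossed and the action being chosen.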
Conditional Access and Privilege Restriction
Some of the more compelling and readily implementable solutions entail placing greater limitations on privileged users and the functions they can execute.
Conditional access restricts privileges based on certain conditions (e.g., location, IP address, time of day, etc.), which helps to prevent malicious use of compromised login credentials. If a threat actor can log in to an account but cannot actually execute administrative functions, what use are the credentials?
Another compelling approach is Just-in-time (JIT) privileges. With JIT, privileged users are granted only the privileges necessary to execute a function and their request and actions are logged/audited. In addition, permissions granted with JIT are typically time-based, so that the privileges expire either after the function has been performed or a set period of time has passed.
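The authentication and authorization questions from the Zero Trust section, together with the conditional access and just-in-time (JIT) privilege ideas above, as one added example that is not part of the article. Each request is evaluated on its own: the token is verified rather than trusted, the source network and time of day are checked, only an unexpired JIT grant authorizes the privilege, and every grant and decision is written to an audit list. The signing key, corporate network range, permitted hours and user names are constructed assumptions.

```python
"""Added example: a per-request policy decision point combining authentication,
conditional access and time-bound JIT grants. All names and values are assumptions."""
import hmac
import hashlib
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

SECRET = b"constructed-demo-key"  # hypothetical key used to sign session tokens

def mint_token(user: str) -> str:
    """Issue a session token bound to a user id: '<user>.<HMAC-SHA256>'."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"

def authenticate(token: str) -> Optional[str]:
    """Is the caller who they say they are? Return the user id only if the MAC verifies."""
    user, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if user and hmac.compare_digest(mac, expected) else None

@dataclass
class JitGrant:
    user: str
    privilege: str
    expires: datetime

@dataclass
class Policy:
    # Conditional access: privileged use only from the corporate range and in business hours.
    corp_nets: List[ipaddress.IPv4Network] = field(
        default_factory=lambda: [ipaddress.ip_network("10.0.0.0/8")])
    admin_hours: range = range(8, 18)
    grants: List[JitGrant] = field(default_factory=list)
    audit: list = field(default_factory=list)

    def active_grant(self, user: str, privilege: str, now: datetime) -> bool:
        return any(g.user == user and g.privilege == privilege and g.expires > now
                   for g in self.grants)

def grant_jit(policy: Policy, user: str, privilege: str, now: datetime,
              minutes: int = 30) -> JitGrant:
    """Grant a privilege for a bounded time; the grant itself is audited."""
    grant = JitGrant(user, privilege, now + timedelta(minutes=minutes))
    policy.grants.append(grant)
    policy.audit.append((now.isoformat(), user, privilege, "-", f"JIT granted for {minutes}m"))
    return grant

def decide(policy: Policy, token: str, privilege: str, src_ip: str,
           now: datetime) -> Tuple[bool, str]:
    """Evaluate one request from scratch; nothing is trusted implicitly."""
    user = authenticate(token)
    if user is None:
        verdict = (False, "authentication failed")
    elif not any(ipaddress.ip_address(src_ip) in net for net in policy.corp_nets):
        verdict = (False, "source network not permitted for privileged use")
    elif now.hour not in policy.admin_hours:
        verdict = (False, "outside permitted hours")
    elif not policy.active_grant(user, privilege, now):
        verdict = (False, "no active JIT grant")
    else:
        verdict = (True, "allowed")
    policy.audit.append((now.isoformat(), user, privilege, src_ip, verdict[1]))
    return verdict

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    policy = Policy()
    token = mint_token("alice")
    grant_jit(policy, "alice", "db-admin", now, minutes=30)
    print(decide(policy, token, "db-admin", "10.1.2.3", now))                      # allowed
    print(decide(policy, token, "db-admin", "203.0.113.5", now))                   # wrong network
    print(decide(policy, token, "db-admin", "10.1.2.3", now + timedelta(hours=1)))  # grant expired
```

The order of the checks matters: a stolen but valid token still fails on the network or time conditions, and a legitimate user inside the corporate network still gets nothing without a current grant, which is the point the section makes about limiting what compromised credentials are worth.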
Segmentation
Segmentation – or micro-segmentation – refers to the (mostly logical, sometimes physical) separation of network components and is a core component of Zero Trust Architecture. Within cyber resiliency specifically, segmentation of critical assets is of primary importance and can be achieved via some of the following means:
- Access control lists (ACLs)
- VLANs
- Internal Firewalls
- Policy enforcement points (PEPs)
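The ACL and internal-firewall items in the list above, as an added example that is not from the article: a first-match rule evaluator for traffic between segments with an implicit default deny protecting a critical-asset segment, plus a check for rules that are fully shadowed by an earlier, broader rule and so can never take effect, a common way segmentation silently stops matching what its owner intended. The segment ranges, ports and rule comments are constructed for illustration.

```python
"""Added example: first-match segmentation ACL with default deny and a shadowed-rule check.
All address ranges, ports and rules are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY_PORT = range(0, 65536)

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    ports: range     # destination TCP ports; ANY_PORT matches everything
    comment: str = ""

# Constructed segments: 10.10/24 admin jump hosts, 10.20/24 app tier,
# 10.30/24 monitoring, 10.50/24 the critical-asset (crown-jewel) segment.
RULES: List[Rule] = [
    Rule("allow", "10.10.0.0/24", "10.50.0.0/24", range(22, 23), "admin jump hosts -> crown jewels, SSH only"),
    Rule("allow", "10.20.0.0/24", "10.50.0.0/24", range(5432, 5433), "app tier -> database"),
    Rule("deny", "10.0.0.0/8", "10.50.0.0/24", ANY_PORT, "nothing else reaches crown jewels"),
    # Placed after the broad deny by mistake: it can never match.
    Rule("allow", "10.30.0.0/24", "10.50.0.0/24", range(9100, 9101), "monitoring scrape (intended)"),
]

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, or an implicit default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and port in r.ports):
            return r.action, r.comment
    return "deny", "implicit default deny"

def _port_subset(inner: range, outer: range) -> bool:
    return inner.start >= outer.start and inner.stop <= outer.stop

def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules whose entire match space is covered by some earlier rule.
    Such rules never fire, whatever their action says."""
    result = []
    for i, r in enumerate(rules):
        r_src, r_dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        for earlier in rules[:i]:
            if (r_src.subnet_of(ipaddress.ip_network(earlier.src))
                    and r_dst.subnet_of(ipaddress.ip_network(earlier.dst))
                    and _port_subset(r.ports, earlier.ports)):
                result.append(i)
                break
    return result

if __name__ == "__main__":
    for flow in [("10.10.0.5", "10.50.0.10", 22), ("10.10.0.5", "10.50.0.10", 3389),
                 ("10.30.0.2", "10.50.0.10", 9100), ("192.168.1.4", "10.50.0.10", 22)]:
        print(flow, "->", evaluate(RULES, *flow))
    for i in shadowed(RULES):
        print(f"rule {i} is shadowed: {RULES[i].comment}")
```

Running the shadow check whenever the rule set changes catches the monitoring rule above before anyone relies on it; a segmentation design is only as good as the ordered rules that enforce it.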
However, even with segmentation, active cyber defense measures, limitations on privileged users and execution of privileged functions, and use of a zero-trust architecture, bad things may still occur. In that event, does your organization have a plan for and means to recover? Is there an institutionalized process and practice in place to mitigate the root causes that led to the event?
Recovering and Adapting
Even with the most robust security controls and organizational practices, sometimes, cyber resources will be negatively impacted by any number of threats. When that happens, it is important for organizations to have a plan and mechanisms in place to make recovery and business continuity possible.
In addition, lessons can always be learned when a compromise takes place. Organizations should conduct root cause analysis after an incident. What caused the issue to take place? Were there vulnerabilities taken advantage of (technical or otherwise)? How does the organization prevent the same incident from taking place in the future?
Depending on the cause of the incident, redefinition may be required as well (e.g., changes to system requirements, design, etc.).
How TestPros Can Help
No organization looks forward to their cyber resources being compromised, or the threat of such. However, TestPros is here to help your organization through the process of building more resilient systems. We can help your organization with:
- Defining system requirements and identifying critical assets
- Conducting a risk assessment to better understand the threat environment, as it relates to your organization and its systems
- Developing a plan to build, re-build, or modify a cyber resilient system
- Identifying cyber incidents taking place and/or analyzing incidents that already took place
- Assisting your organization with recovering from a cyber incident
- Understanding causes of compromise and how best to mitigate future incidents
If your organization needs assistance with making its cyber resources more resilient, please contact us today!