Cyber Resilience: Planned and Practiced


Navigating the information superhighway is like threading your car through traffic on a dangerous rush hour freeway. The journey is full of perils that can prevent you from getting where you need to go and turn the trip into a bumpy ride. In the same way we plan for wrecks and try to avoid hazards on the road, businesses can minimize the impact of an incident and cruise confidently through the chaos by thinking with a resilience-first mindset.

Cyber resilience is both a mentality and a skill set that sharpens with continuous use and practice. Most organizations evaluate their cyber resilience only once a year, through annual tabletop simulations and penetration testing. Shifting resilience practices into regular operations can significantly improve an organization’s defensive posture. Continuous resilience practice, like continuous control testing, regularly validates and refines an organization’s readiness. Establishing resilience in the organizational fabric means businesses are agile, prepared, and able to recover from ever-evolving cyber threats.

With regular communications and updates on the organization’s resilience, CISOs play a critical role in instilling trust in the business and executive teams.

  • Why Prioritize Resilience?
  • The Cyber Threat Landscape
  • Building a Resilient Organization
  • Resilience With MITRE ATT&CK & CREF

Why Prioritize Resilience?

Moving Beyond Compliance

Cyber resilience is the ultimate goal for CISOs and cybersecurity teams. It emphasizes preparing for incidents so that an organization can withstand attacks and recover swiftly, thereby minimizing disruption and damage. This paradigm shift requires a reevaluation of cybersecurity from a mere compliance checklist to a strategic priority aimed at safeguarding the organization.

Many organizations confuse compliance driven by regulatory mandates with security. This belief is carried over from previous decades, when non-compliance was the most serious potential financial impact they faced. While compliance remains critical, the focus must extend beyond legal conformity to encompass proactive defenses against evolving cyber threats. Today’s digital landscape, marked by rapid technological advancements and increasingly sophisticated cyber attacks, demands a resilience-first approach to cybersecurity, with compliance as a result of well-implemented security practices.

Image Credit Tom Corneilius

The Cyber Threat Landscape

Threats are Bigger and Faster

The transition from the third to the fifth industrial revolution has brought a massive change in how industries operate, with Artificial Intelligence (AI), Internet of Things (IoT), and robotics significantly altering the cybersecurity environment. This evolution has shortened the cycle between technological breakthroughs, increasing the complexity and interconnectedness of digital systems and making them even more difficult to protect. The blurring of traditional defense boundaries has expanded the attack surface and the need for cybersecurity vigilance.

The complexity of software and the sheer volume of potential vulnerabilities require organizations to have a realistic approach to patch management and incident response. One source reports that 66% of organizations were impacted by ransomware in 2023, with the average incident cost rising to $1.85 million, underscoring the financial and operational stakes. The number of vulnerabilities in software that require patching has steadily increased year over year, and the time from a zero-day becoming known until it is actively exploited has decreased, with 25% of zero days being exploited the same day they were released. Recognizing the inevitability of an incident, organizations must prioritize strategizing for rapid recovery.

Building a Resilient Organization

Better with Practice

Building a resilient company involves a shift in thinking. It’s not only about defending against cyber attacks, but also about recovering and learning from incidents as they happen. Begin by assessing your organization’s security posture to determine preparedness against recognized threats.

The MITRE ATT&CK framework is the leading method for comparing your current controls against known threat tactics, techniques, and procedures (TTPs). Once you understand your present status, you can add resilience activities and capabilities into everyday operations using the MITRE Cyber Resiliency Engineering Framework (CREF).

MITRE ATT&CK & CREF

MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) and the MITRE Cyber Resiliency Engineering Framework (CREF)

The MITRE ATT&CK Framework is a valuable resource for threat intelligence professionals, government agencies, businesses, and cybersecurity providers. Its purpose is to track adversaries, establish mitigation strategies, and identify indicators of compromise. By outlining attackers’ tactics and techniques, cybersecurity teams can more effectively detect, respond to, and mitigate cyber attacks. This approach gives detailed insights into adversary operations, allowing enterprises to monitor for and anticipate future attacks. To use the MITRE ATT&CK framework effectively, a company must first identify its key assets, systems, and data, as well as any vulnerabilities or gaps in controls.

The MITRE CREF supports enterprises as they develop cyber-resilient systems, moving from understanding adversary strategies to designing for resilience. Based on the concepts of anticipate, withstand, recover, and adapt, CREF enables deliberate discussion of cyber resilience goals, objectives, strategies, and trade-offs. CREF, like other MITRE resources, is free to use but requires team effort to ensure effective implementation. The CREF Navigator, a free visualization tool accessible on the CREF website, depicts the connections between cyber resilience goals, objectives, and techniques, and their relationship to MITRE ATT&CK TTPs and the NIST SP 800-171/172 standards. It combines MITRE ATT&CK techniques with mitigations to assist engineers in creating cyber-resilient systems.

Resilience Pillars

Anticipate: Be prepared and knowledgeable to avoid any digital surprises thrown at the organization. The goals in the Anticipate pillar are to prevent or avoid an incident.

Withstand: Keep critical aspects of your business functioning efficiently, even when attackers strike. The goals in the Withstand pillar are to constrain the attack and continue business.

Recover: After an attack, be able to bounce back quickly. The goal of the Recover pillar is to get the business back to normal status as quickly as possible.

Adapt: Change your approach or improve your technical defenses to mitigate the impact of current or future assaults. The purpose of the Adapt pillar is to recognize the dynamic nature of technology and evolve a resilience strategy with changes within the organization’s network, as well as new vulnerabilities and new attacks.

These examples demonstrate how to incorporate resilience into established activities. Teams are urged to look into the resilience techniques on the MITRE CREF Navigator website for ways to incorporate the practices into daily, weekly, and monthly tasks and establish resilience habits.

Anticipate                               | Withstand                            | Recover                                         | Adapt
Prevent or Avoid                         | Constrain                            | Understand                                      | Transform
Access reviews as an opportunity         | Question monitoring                  | Dig in for policy reviews                       | Actively reduce attack surface
Do an unplanned tabletop exercise (TTX)  | Event monitoring, take the next step | Sanity check IR during SOC 2                    | Experiment & test
Look around the business corner          | Regular adversary testing            | Audits & assessments, validate & check controls | Practice

https://crefnavigator.mitre.org/navigator

Anticipate

  1. Access Reviews: During access reviews, examine the existing method of provisioning access to critical assets and privileged accounts.
  2. Surprise Tabletop: Instead of planning a tabletop, practice an urgent, unannounced one. For extra stress, remove the usual experts from the room.
  3. Look Around the Corner: Actively discuss defending against or recovering from a future technical challenge, or from sourcing to a country where it may be difficult to work with its law enforcement.

Withstand

  1. Monitoring: How effective is current monitoring? Does the team have full visibility into all the systems on the network, with minimal noise, so that genuinely unusual activity can be identified? Does abnormal device behavior trigger an alert?
  2. Event Monitoring: Take the next step with forensic and behavioral analysis. Confirm that the information relating to the event is up to date. Is the affected asset tracked in inventory? Is the network map current and accurate? Are the listed system owners correct?
  3. Adversary Testing: Actively run adversary simulation tools to test the effectiveness of your defenses.

Recover

  1. Policy review process: Integrate critical thinking and scenario-based analysis into the policy review process. Encourage team members to consider “what-if” scenarios, assessing how policies would hold up under various cyber-threat situations.
  2. SOC 2 tasks: Develop and refine incident response plans during Service Organization Controls (SOC 2) preparation, ensuring they are comprehensive, regularly tested, and capable of supporting rapid recovery.
  3. All assessment or audit activities: Review the listed controls. Are the controls applied in a coordinated, consistent way that minimizes interference and avoids potential cascading failures or coverage gaps?

Adapt

  1. Attack surface: Take action to habitually reduce the attack surface, working with executive, legal, IT, and data teams to retire unneeded systems, applications, or data.
  2. Experiment and test: Review established tools and practices. Is there a better, more effective way to accomplish the task?
  3. Practice: Use low-impact events as opportunities to consider how current practices and tools would hold up if the event were high impact.

Summary

Resilient organizations are ready for a disaster and can minimize the impact and cost of an incident.

The journey toward cyber resilience is continuous and evolving. Like navigating a car through congested traffic, the path is filled with challenges that demand attention, skill, and preparedness. By embedding resilience into the core of organizational practices and philosophy, businesses can navigate the complexities of the digital age with confidence and agility. Changing how we think about cybersecurity and investing in the development of resilience skills and tools are the first steps toward building a more secure and resilient organization.


About the Author:


Sandy Dunn is a seasoned CISO with over 20 years of experience. She has spearheaded innovative solutions in AI Security and Cybersecurity and is a sought-after speaker and advisor in the field. Sandy’s expertise extends to Fractional CISO consulting, leadership roles within prominent cybersecurity organizations and is an Adjunct Cybersecurity Professor at Boise State University.

 Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.


