Cyberresilience in an Evolving Threat Landscape

Author: Larry Marks, CISA, CRISC, CGEIT, C|CISO, CCSK, CFE, CISSP, CSTE, ITIL, PMP
Date Published: 30 June 2021

It is important to know if one’s organization is robust enough to survive in the event of a security event, let alone expand and improve. Many reputable cybersecurity organizations are publishing guidance on how to respond in the event of a theft or data breach. If sensitive enterprise data or accounts have been compromised because of theft or loss of a laptop, smartphone or other device, or because of a breach of network security or an account, actions to take include:1

  • Reporting the loss or breach to IT or security personnel immediately, and to the bank when appropriate
  • Changing all passwords used to log on to the affected device
  • Contacting the service provider for help in wiping the data from affected smartphones and other mobile devices

From an engineering point of view, it is also helpful to know how to maintain the ability to “anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyberresources.”2 An organization can identify and plan use cases to test its cyberresilience as it matures its baseline approach, and it can spend a great deal of money protecting its infrastructure and related assets. Even so, there is no guarantee that it can withstand and adapt to every adverse event.

The digital world has revolutionized how people live, work and play. However, it is a world that is constantly open to attack, and because there are so many potential attackers, it is necessary to ensure that the right security is in place to prevent systems and networks from being compromised. Unfortunately, no single method can successfully protect against every type of attack. This is where a defense in depth (DiD) architecture comes into play.3

DiD is “an approach to cybersecurity in which a series of defensive mechanisms are layered in order to protect valuable data and information. If one mechanism fails, another steps up immediately to thwart an attack.” DiD is commonly referred to as the castle approach because it mirrors the layered defenses of a medieval castle: before a castle can be penetrated, attackers face moats, ramparts, drawbridges, towers, battlements and other defenses.4

Alongside DiD, the approach professionals currently discuss is to assume breach: expect that an attacker is already inside the organization’s environment and remains there until the security team uncovers the intrusion through various means. How, then, can the organization anticipate and recover from the stresses of a relentless attacker such as a nation-state?

The US National Institute of Standards and Technology (NIST) issued guidance that recommends organizations “bake” cyberresilience into their policies, processes, procedures and applications. Organizations should make cyberresilience a priority throughout the systems development life cycle, from stakeholder requirements through architectural decisions. The NIST guidance can be used to identify a practical approach for its application, for example, to answer whether cyberresilience should be implemented for all systems or only for critical systems.

How Cyberresilience Differs From Other Types of Contingency Planning

Cyberresilience refers to the operational response and recovery planning efforts stemming from a cyberattack. Although the concept of cybersecurity has matured into an accepted profession and a component of a good risk technology program, cyberresilience is an evolution in maturity. In a way, it follows the evolution of business continuity as a separate and distinct idea from IT disaster recovery.


Incident management is the process of managing IT service disruptions and restoring services within agreed service level agreements (SLAs). “The scope of incident management starts with an end user reporting an issue and ends with a service desk team member resolving that issue.”5 Enterprises developing or testing their incident management generally develop a limited set of use cases to ensure a consistent and effective approach in the event of a security breach, determine how their infrastructure can respond and identify how to improve this process. The enterprise then convenes a lessons learned session to ensure that it was able to recover from the incident in a timely and effective manner.

Separately, many organizations have issued guidance on continuity planning.6 IT continuity planning is the process of ensuring continuous operation of business applications and the IT systems that support them (e.g., desktops, printers, network devices). IT continuity planning is a subset of enterprise business continuity planning (BCP). A business continuity plan is an enterprisewide group of processes and instructions used to ensure the continuation of business processes in the event of an interruption. It provides the plans for the enterprise to recover from minor incidents (e.g., localized disruptions of business components) and major disruptions (e.g., fire, natural disasters, extended power failures, equipment or telecommunications failure). The plan is usually owned and managed by the business units and a disaster management or risk prevention function in the enterprise.

The IT continuity plan addresses IT exposures and solutions based on the priorities and framework of the business continuity plan. The role of the IT audit/assurance function is to provide assurance that the risk has been addressed by the business/IT owners. As a best practice, the business continuity plan should be evaluated for any guidance addressing its framework, priorities, responsibilities and objectives.

The IT continuity plan must be aligned with the business continuity plan to ensure that:

  • Risk is appropriately identified and evaluated by focusing on the impact on business processes for known and potential risk
  • The costs of implementing and managing continuity assurance are less than the expected losses and within management’s risk tolerance
  • The business priorities are addressed (i.e., critical applications, interim processes, restoration activities, mandated deadlines)
  • Manual interfaces to automated processes are identified, personnel are trained and practice drills are conducted
  • Expectations are managed with realistic goals

Why is the difference between cyberresilience, BCP, IT continuity planning and incident response planning important?

  • Cyberresilience is an emerging discipline that is shaped and influenced by several related programs: cybersecurity, IT disaster recovery, BCP, crisis/incident management, and third- and fourth-party risk management.
  • Cyberresilience goes beyond the typical prevent, detect and respond models found in cybersecurity and requires an operational resilience program to ensure that critical business processes can recover from cyberattacks with minimal disruptions and within prescribed recovery time objectives.
  • Cyberresilience requires enterprises to consider threats and risk that may impact their enterprise risk framework and the frameworks of their third-party suppliers and vendors.

Why Is NIST Guidance Important?

NIST expanded its guidance to ensure that organizations’ goals, strategies and systems incorporate cyberresilience analysis and approaches. The cyberresiliency objectives NIST identifies include prevent or avoid, prepare, continue, and constrain (figure 1).7


Source: National Institute of Standards and Technology (NIST), SP 800-160 vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach, USA, November 2019, https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final

NIST pursues these objectives through a set of cyberresiliency techniques, including:

  • Analytic monitoring—Monitor and analyze a wide range of properties and behaviors on an ongoing basis and in a coordinated way.
  • Contextual awareness—Construct and maintain current representations of the posture of missions or business functions considering threat events and courses of action.
  • Coordinated protection—Ensure that protection mechanisms operate in a coordinated and effective manner.
  • Deception—Mislead, confuse, hide critical assets from or expose covertly tainted assets to the adversary.
  • Diversity—Use heterogeneity to minimize common mode failures, particularly threat events exploiting common vulnerabilities.
  • Dynamic positioning—Distribute and dynamically relocate functionality or system resources.
  • Nonpersistence—Generate and retain resources as needed or for a limited time.
  • Privilege restriction—Restrict privileges based on attributes of users and system elements as well as on environmental factors.
  • Realignment—Align system resources with current organizational mission or business function needs to reduce risk.
  • Redundancy—Provide multiple protected instances of critical resources.
  • Segmentation—Define and separate system elements based on criticality and trustworthiness.
  • Substantiated integrity—Ascertain whether critical system elements have been corrupted.
  • Unpredictability—Make changes randomly or unpredictably.

The two cyberresilience techniques that only address adversarial threats are deception and unpredictability. Cyberresilience techniques are also interdependent. For example, the analytic monitoring technique supports contextual awareness. However, the unpredictability technique is different from the other techniques in that it is always applied in conjunction with some other technique, for example, working with the dynamic positioning technique.
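The substantiated integrity technique above (“ascertain whether critical system elements have been corrupted”) is one of the few in the list that reduces directly to a check an engineer can run. The following Python is an added example written for this article, not code from NIST SP 800-160 or from the author: it records a SHA-256 baseline for a set of critical files, seals the manifest with an HMAC so that an attacker who modifies a file cannot simply rewrite the baseline to match, and then reports modified and missing files. The key, file names and file contents are constructed for the demonstration; in practice the manifest key would be held in an HSM, a KMS or another trust domain rather than on the monitored host.

```python
"""Substantiated integrity check against a keyed baseline manifest.
Added example for the NIST SP 800-160 vol. 2 'substantiated integrity'
technique; not code from NIST or from the article's author."""
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical key for the demonstration only. A real deployment keeps the
# manifest key off the monitored host (HSM/KMS or a separate trust domain).
MANIFEST_KEY = b"example-key-not-for-production"


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, key: bytes = MANIFEST_KEY) -> dict:
    """Record a digest per critical file and seal the whole list with an HMAC.
    Without the seal, an attacker with write access could edit a file and
    update its baseline entry; with it, any edit to the entries invalidates
    the MAC unless the attacker also holds the key."""
    entries = {p: file_digest(p) for p in sorted(paths)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Return {'manifest_ok', 'modified', 'missing'}. If the manifest seal
    fails, the per-file results are not reported: a baseline that cannot be
    trusted must not be used to declare files clean."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    report = {
        "manifest_ok": hmac.compare_digest(expected, manifest["mac"]),
        "modified": [],
        "missing": [],
    }
    if not report["manifest_ok"]:
        return report
    for path, baseline in manifest["entries"].items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif not hmac.compare_digest(file_digest(path), baseline):
            report["modified"].append(path)
    return report


def demo() -> dict:
    """Constructed scenario: baseline two files, then tamper with one, delete
    the other, and finally forge the manifest entry for the tampered file."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "sshd_config")      # constructed sample file
    binary = os.path.join(d, "critical.bin")  # constructed sample file
    with open(cfg, "w") as f:
        f.write("PermitRootLogin no\n")
    with open(binary, "wb") as f:
        f.write(b"\x7fELF constructed sample bytes")
    manifest = build_manifest([cfg, binary])

    clean = verify_manifest(manifest)

    # Adversary weakens the config and removes the binary.
    with open(cfg, "w") as f:
        f.write("PermitRootLogin yes\n")
    os.remove(binary)
    tampered = verify_manifest(manifest)

    # Adversary also rewrites the baseline entry to match the modified file
    # but cannot recompute the MAC without the key.
    forged = {"entries": dict(manifest["entries"]), "mac": manifest["mac"]}
    forged["entries"][cfg] = file_digest(cfg)
    forged_result = verify_manifest(forged)

    return {"clean": clean, "tampered": tampered, "forged": forged_result,
            "cfg": cfg, "binary": binary}


if __name__ == "__main__":
    for name, result in demo().items():
        if isinstance(result, dict):
            print(name, result)
```

The design point is the order of checks in `verify_manifest`: the seal is verified first, and a failed seal short-circuits the file comparison. Reporting “all files clean” from a manifest the attacker may have rewritten would give exactly the false assurance that substantiated integrity is meant to prevent.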

Figure 2 illustrates sample metrics or key performance indicators (KPIs) that can be used to measure the overall objectives of cyberresilience. Each of the main cyberresiliency objectives can be decomposed into sub-objectives to facilitate measurement, management, tracking and prioritization.


Source: National Institute of Standards and Technology (NIST), SP 800-160 vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach, USA, November 2019, https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final

The use of NIST 800-160 objectives requires an organization to be proactive in its cyberresiliency approach and process. The NIST approach expands and matures the strategies identified by (ISC)2 as part of the Cybersecurity Workforce Study, which studied the cybersecurity workforce, gap estimates and insights into methods for building a resilient team now and in the future.8


The Impact of NIST 800-160 on an Enterprise

When considering cyberresilience in relation to NIST 800-160, the question to answer is what the key components and objectives are and how to implement the guidance. How does it layer onto the cyberstrategies of information security and of the enterprise in general? NIST 800-160 provides an approach through the use of cyberresiliency constructs (figure 3). Specifically, enterprises can select and implement the cyberresilience objectives, metrics and approaches in phases as they fit the enterprise’s needs and risk assessment.


Source: National Institute of Standards and Technology (NIST), SP 800-160 vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach, USA, November 2019, https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final

NIST provides examples of cyberresilient approaches as illustrated in figure 4.9



Source: National Institute of Standards and Technology (NIST), SP 800-160 vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach, USA, November 2019, https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final

The NIST approach is threat based. Every organization faces different internal and external threats depending on its nature and its processes. By using a threat-based approach to identify mitigating controls and business objectives, the organization develops a prioritized inventory of use cases for mitigating those threats. That inventory of cyberresilience use cases should be mapped to business processes, perhaps initially addressing the critical ones: the applications, supporting assets and infrastructure that underpin the business objectives. Gaps must be identified on a continual basis and the process continually improved.

Example Checklist for Reviewing Cyberresilience Based on NIST 800-160

NIST 800-160 provides design principles that can be used to measure the cyberresilience of an organization (figure 5). Again, any strategic design principles are driven by an organization’s risk management strategy and its risk framing. In this case, developing and fine-tuning a risk management strategy includes identifying the assumptions and dependencies, threats and overall risk that impact the organization, its customer data and organizational priorities.


Source: National Institute of Standards and Technology (NIST), SP 800-160 vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach, USA, November 2019, https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final

Cyberresilient examples are illustrated in figure 6.


Source: National Institute of Standards and Technology (NIST), SP 800-160 vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach, USA, November 2019, https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final

Operational Checklist

Using the NIST guidance, the checklist illustrated in figure 7 can be operationalized to review an organization’s cyberresilience approach for completeness and overall robustness.


Source: https://encyclopedia.kaspersky.com/knowledge/strategies-for-mitigating-advanced-persistent-threats-apts/

Applying the Concept of Cyberresilience or the NIST Model

There are four steps organizations can take to strengthen their operational resilience programs:

  1. Review the organization’s operational resilience program to understand how the program compares to regulatory requirements (e.g., Bank of England,10 US Federal Financial Institutions Examination Council [FFIEC]11), industry standards (Disaster Recovery Institute International [DRII],12 International Organization for Standardization [ISO] ISO 2230113) and generally accepted best practices. The creation and maintenance of a regulatory book of record, along with periodic assessments against those requirements, supports proper oversight controls.
  2. Create a scenario library of severe but plausible disruptions, threats and events. This may include a mix of natural, man-made, third-party, human capital and technology threats. Within technology threats, cyberattack threats such as malware, phishing, distributed denial of service (DDoS) and ransomware should be included.
  3. Validate the organization’s operational resilience program against the previously identified threat scenario library. Validation will be considered sufficient if testing is successful and processes can be reestablished within prescribed recovery time objectives.
  4. Initiate a continuous feedback loop. Once a test is completed for a given scenario, the necessary program improvements should be made and then testing should begin against a new scenario. Testing should evolve along a maturity matrix with each subsequent test increasing in complexity and rigor. In addition, testing categories should be revisited on a regular cadence to ensure a state of readiness against a broad range of threats.

Conclusion

Cyberresilience is a relatively new term, but it requires organizations to apply basic common sense to their controls to mitigate threats, whether external or internal, using a threat-based approach. NIST guidance provides risk-based approaches and a framework that can be an important tool for organizations to improve their cyberresiliency.


Endnotes

1 US Chamber of Commerce, Internet Security Essentials for Business 2.0, USA, October 2012, https://www.uschamber.com/CybersecurityEssentials
2 Ross, R.; V. Pillitteri; R. Graubart; D. Bodeau; R. McQuaid; Special Publication (SP) 800-160 vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach, National Institute of Standards and Technology (NIST), USA, November 2019, https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final
3 Forcepoint, “What Is Defense in Depth?” https://www.forcepoint.com/cyber-edu/defense-depth
4 Ibid.
5 ManageEngine ServiceDesk Plus, “What Is ITIL Incident Management?” 25 June 2020, https://www.manageengine.com/products/service-desk/itil-incident-management/what-is-itil-incident-management.html
6 ISACA®, IT Contingency Planning Audit Program, USA, 2009
7 Op cit Ross
8 (ISC)2, (ISC)2 Cybersecurity Workforce Study, 2019: Strategies for Building and Growing Strong Cybersecurity Teams, USA, 2019, https://www.isc2.org/-/media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019
9 Op cit Ross
10 Bank of England, Operational Resilience: Impact Tolerances for Important Business Services, United Kingdom, 5 December 2019, https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
11 Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook Infobase, Business Continuity Management, USA, https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx
12 Disaster Recovery Institute International (DRII), https://drii.org/
13 International Organization for Standardization (ISO), ISO 22301:2019 Security and Resilience—Business Continuity Management Systems—Requirements, Switzerland, 2019, https://www.iso.org/standard/75106.html

Larry Marks, CISA, CRISC, CGEIT, CFE, CISSP, CSTE, ITIL, PMP

Has focused his career on leading through collaboration to ensure that best practices are implemented to assist compliance and process improvement. He has focused on audit, security, risk, compliance, privacy and program/project management across financial services, healthcare and telecommunications. Marks has extensive experience in designing, managing, auditing and implementing IT processes, policies, controls and technology. He has managed teams, priorities and expectations across business and IT leadership while delivering fit-for-purpose services. He is a peer reviewer for the ISACA® Journal and the Association of Certified Fraud Examiners (ACFE) Fraud Magazine. Marks is also associate editor for Information Security Journal: A Global Perspective, published by (ISC)2, and contributes book reviews to InfoSecurity Professional. Marks was recently selected to be a member of the Rutgers University Cyber Advisory Council (New Brunswick, New Jersey, USA). He currently holds a leadership position in the ACFE New Jersey (USA) chapter. He has contributed to ISACA® white papers and has authored/coauthored ISACA audit programs. Marks served on the Certified in Risk and Information Systems Control® (CRISC®) exam-writing team and is part of the Project Management Institute’s ISO Committee. He is also a blogger and contributor to the leadership section of ProjectManagement.com. His work has been published in the (ISC)2 Security Journal, the PMI Journal and the ISACA Journal.