We have witnessed an unprecedented proliferation of cybercrime in the last several years that has sent waves of fear across all industries. Cybercriminals have standardized their operations, fully embraced the malware-as-a-service model, and learned how to scale their operations to maximize profits.
As many organizations learned the hard way, a cyberattack can seriously interrupt business operations and cause a negative downstream impact on business partners and customers, and in some cases, even interrupt a complex business ecosystem.
This blog post explores the topic of cyber resiliency and how it can help organizations overcome a cyberattack and ensure continuity of operations.
Can we anticipate cyberattacks?
Over the last several years, I have assisted numerous clients with ransomware response and recovery. Many of those clients had invested millions of dollars in cybersecurity programs. This experience raises the question: “why do enterprises experience catastrophic cyber events despite pouring millions of dollars into cybersecurity?” Did we get it wrong as an industry?
Unfortunately, there is no straightforward answer to these questions. Cybersecurity is a complex problem domain that goes far beyond technology. However, when reflecting on past investigations, I realized that many of the impacted organizations lacked a direction for their cybersecurity programs. Instead, their approach focused on checklist requirements that did not consider the threat landscape of cyberattacks.
Rapid shifts in the threat landscape render checklist requirements and compliance ineffective. To anticipate and prepare for a potential cyberattack, organizations need to build cybersecurity capabilities based on threat scenarios.
Anticipation requires direction
You can derive goals for a cybersecurity program by identifying what is essential to the enterprise. Suppose you work for a healthcare provider. The organization recently conducted a Business Impact Analysis (BIA) and identified the following mission-critical functions, along with the potential impact if each function were interrupted:
Healthcare information management
Based on the identified impact, executive management asks you to ensure that your cybersecurity program supports the following operational goals:
Ensure operational resiliency of business-critical functions
Comply with the necessary laws and regulations
Ensure health and safety of patients
Ensure confidentiality of patient data
Your job is to translate those operational goals to cybersecurity goals to provide a direction for your program. As you embark on this task, you realize that operational resiliency is at the top of the list. Consequently, you determine that one of your goals is to ensure continuity of operations while under attack and facilitate speedy recovery to minimize operational disruption. This is where cyber resiliency comes into play.
What is Cyber Resiliency?
You have probably realized that cyber resiliency is not a standalone discipline. Instead, it is an approach and a set of goals centered around maintaining continuity of operations under adverse cyber events. NIST defines cyber resiliency as follows:
The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
Understanding the threat landscape and continuously adapting capabilities to it are critical to meeting cyber resiliency goals. For this reason, I have taken the liberty of restating the definition as follows:
Cyber resiliency is the ability to anticipate, withstand, and recover from a cyberattack and continuously adapt capabilities to the evolving cyber threat landscape to ensure continuity of operations under adverse conditions.
You might ask how it differs from cybersecurity. Cybersecurity primarily focuses on safeguarding environments, protecting assets, and minimizing the risk of successful cyberattacks using approaches such as defense-in-depth. Furthermore, its scope includes domains such as data privacy, compliance, and safeguarding intellectual property and other information that gives a company a competitive edge.
In contrast, cyber resiliency assumes that cyberattacks are unavoidable. For this reason, in addition to protection, it emphasizes the need to build robust detection, response, and recovery capabilities to withstand cyberattacks and ensure continuity of operations. In other words, cyber resiliency attempts to answer the question, “What do we need to ensure our enterprise can withstand and survive a significant cyberattack and continue business operations under adverse cyber conditions?”
In simple words, cybersecurity strives to minimize the risk of a system compromise and unauthorized access to data. Cyber resiliency, on the other hand, focuses on minimizing the impact caused by a cyberattack, accelerating recovery, and ensuring continuity of operations.
The scope of cyber resiliency goes beyond traditional cybersecurity capabilities. Cyber resiliency requires the fusion or integration of key organizational functions to achieve the goals set by NIST, including:
Enterprise risk management
Technology resiliency and disaster recovery
Enterprise incident management
This concept is illustrated in Figure 1 below.
Figure 1: Difference between cybersecurity and cyber resiliency
The purpose of fusing these organizational capabilities is to ensure the enterprise collectively works toward enhancing cyber resiliency (Anticipate) and effectively responds to major cyber events to minimize their impact and ensure the continuity of critical business functions.
NIST set the following cyber resiliency goals (the four goals named in the definition above):
Anticipate - understand the threat landscape of cyberattacks, establish scope, and implement capabilities to enhance the cyber resiliency of systems. This step is all about due diligence.
Withstand - ensure continuity of operations and essential business functions under a cyberattack.
Recover - restore systems and services supporting critical business functions following a cyberattack.
Adapt - continuously adapt security capabilities to stay abreast of new threats.
Each of those goals provides a direction for developing specific cyber resiliency capabilities and for ensuring that system-level architecture and engineering are linked to business-level objectives.
Threat-Driven Cyber Resiliency
Before conducting an operation, the military goes through a planning process involving understanding the enemy and the environment in which the operation will take place. This understanding then informs the strategy and tactics the commanders will employ as part of the mission.
We need to take the same directed approach to cyber resiliency. Compliance does not equal cybersecurity. Even the most compliant organizations can experience a cyber crisis as I discussed earlier in this blog. Without a directed planning process, no matter how many green metrics your executive status report contains, your threat exposure might still be significant.
To protect your organization from destructive cyberattacks, you need to understand how threat actors organize their capabilities, conduct their operations, and execute their attacks from the initial compromise to data theft and ransomware deployment. Equipped with this knowledge, you can determine what security controls would break the attack chain and impede the attacker’s ability to progress through the attack lifecycle.
A threat assessment is at the heart of threat-driven cyber resiliency. Anton Chuvakin and Augusto Barros published a paper in 2016 on planning and executing a threat assessment that outlines the following steps:
Understand threat assessment concepts
Assess the overall threat landscape
Gather and evaluate threat assessment resources
Gather and integrate threat intelligence
Execute a threat assessment process
Utilize threat assessment results
Refine threat assessment process
If you are interested in this topic, I encourage you to read the paper.
A threat-driven approach to cyber resiliency may seem obvious and intuitive. However, checklist security requirements are still prevalent in the industry and give organizations a false sense of security. Without understanding threats, it is challenging to understand the risks stemming from probable threat scenarios and to make informed decisions regarding risk treatment options to enhance your cyber resiliency.
Cybersecurity must align with business objectives to provide value to an organization. For this reason, setting security goals based on business objectives is essential to the success of your cybersecurity program. One such goal is cyber resiliency, which focuses on maintaining continuity of operations while under cyberattack. Understanding the threat landscape of cyberattacks and continuously adapting capabilities as the landscape evolves is essential to ensuring your enterprise can withstand and recover from a cyberattack.