SecurityWeek

Risk Management

The Need for Survivable, Trustworthy Secure Systems

Cybersecurity and cyber resilience measures are most effective when applied in concert

As 2021 draws to an end, security practitioners are scrambling to address multiple vulnerabilities identified in the widely used Apache Log4j Java-based logging tool, which affect hundreds of millions of devices and software applications. These security holes (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105) expose many organizations to attacks and exploitation, illustrating once more that there is no silver bullet when it comes to protecting against cyber-attacks. More and more security professionals acknowledge that modern enterprise infrastructures are made up of large and complex entities and therefore will always have flaws and weaknesses that adversaries will be able to exploit. In this context, they promote the concept of cyber resilience to ensure that an adverse cyber event (intentional or unintentional, e.g., a failed software update) does not negatively impact the confidentiality, integrity, and availability of an organization’s business operations. But how does this compare to traditional cybersecurity practices?

Cybersecurity applies technology, processes, and measures that are designed to protect systems (e.g., servers, endpoints), networks, and data from cyber-attacks. In contrast, cyber resilience focuses on detective and reactive controls in an organization’s IT environment to assess gaps and drive enhancements to the overall security posture. According to MITRE, cyber resilience (or cyber resiliency) “is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.” Most cyber resilience measures leverage or enhance a variety of cybersecurity measures. Cybersecurity and cyber resilience measures are most effective when applied in concert. 

Organizations that are interested in learning more about cyber resilience should refer to the Department of Homeland Security’s Cyber Resilience Review (CRR) guidance on how to evaluate an organization’s operational resilience and cybersecurity practices or the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-160 Volume 2. The latter helps organizations anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and compromises on systems – including hostile and increasingly destructive cyber-attacks from nation states, criminal gangs, and disgruntled individuals.

Interestingly enough, NIST just announced a major update to this guidance, which offers significant new content and support tools for organizations defending against cyber-attacks. The document provides suggestions on how to limit the damage that adversaries can inflict by impeding their lateral movement, increasing their work factor, and reducing their time on target. In particular, it:

● Updates the controls that support cyber resiliency to be consistent with NIST SP 800-53, Rev. 5.

● Standardizes a single threat taxonomy and framework. 

● Provides a detailed mapping and analysis of cyber resiliency implementation approaches and supporting controls to the framework techniques, mitigations, and candidate mitigations.


The publication also adds a new appendix containing analysis of the potential effects of cyber resiliency on adversary tactics, techniques, and procedures used to attack operational technologies, including industrial control systems (ICS). The analysis shows how cyber resiliency approaches and controls described in NIST guidance can be used to reduce the risks associated with adversary actions that threaten ICSs and critical infrastructure.

A Blueprint to Success

Like Zero Trust, cyber resilience offers a blueprint to strengthen an organization’s security posture in today’s dynamic threat landscape, to establish security controls that require cyber adversaries to spend more time figuring out how to bypass them (which they often are not willing to do, as time is money), and to provide the means to recover from cyber-attacks quickly and efficiently.

Cyber resilience strategies encompass, but are not limited to, the following best practices:

● Maintain a trusted connection with endpoints to detect unsafe behaviors or conditions that could put sensitive data at risk. This includes having granular visibility and control over endpoint hardware, operating systems, applications, and data gathered on the device. This always-on connectivity can help with reimaging the operating system in case of a ransomware attack.

● Monitor and repair misconfigurations (automatically when possible), as organizations cannot assume that the health of their IT controls or security will remain stable over time.

● Monitor network connectivity status, security posture, and potential threat exposure to enforce acceptable use via dynamic web filtering.

● Enforce dynamic, contextual network access policies to grant access for people, devices, or applications. This entails analyzing device posture, application health, network connection security, as well as user activity to subsequently enforce pre-defined policies at the endpoint rather than via a centralized proxy.
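As an added illustration of the last two practices (this is example code written for this page, not code from the article or from any vendor it mentions), the sketch below combines hypothetical device-posture, application-health, network and user-activity signals into one access decision that an endpoint agent could enforce locally. Rule names, thresholds and the remediation hostnames are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Set, Tuple


class Decision(IntEnum):
    # Ordered so that the most restrictive outcome has the highest value.
    ALLOW = 0
    RESTRICT = 1   # remediation-only access (patch and EDR servers)
    DENY = 2


@dataclass
class Context:
    """Constructed signal set; a real agent would collect these from the host."""
    disk_encrypted: bool
    patch_age_days: int          # days since the last successful patch run
    edr_running: bool
    app_integrity_ok: bool       # signed binaries / integrity check of the client app
    network_trusted: bool        # corporate network or VPN with verified TLS
    impossible_travel: bool      # sign-in geography inconsistent with last session
    failed_logins_last_hour: int


def evaluate(ctx: Context) -> Tuple[Decision, List[str]]:
    """Apply every rule and return the most restrictive decision plus its reasons."""
    rules = [  # (reason, triggered?, outcome)
        ("EDR agent not running", not ctx.edr_running, Decision.DENY),
        ("application integrity check failed", not ctx.app_integrity_ok, Decision.DENY),
        ("impossible-travel sign-in", ctx.impossible_travel, Decision.DENY),
        ("brute-force sign-in pattern", ctx.failed_logins_last_hour >= 5, Decision.DENY),
        ("disk not encrypted", not ctx.disk_encrypted, Decision.RESTRICT),
        ("patches older than 30 days", ctx.patch_age_days > 30, Decision.RESTRICT),
        ("untrusted network without VPN", not ctx.network_trusted, Decision.RESTRICT),
    ]
    decision, reasons = Decision.ALLOW, []
    for reason, triggered, outcome in rules:
        if triggered:
            reasons.append(reason)
            decision = max(decision, outcome)   # most restrictive rule wins
    return decision, reasons


def allowed_destinations(decision: Decision) -> Set[str]:
    """Host allow-list the endpoint agent would program into its local filter."""
    if decision is Decision.ALLOW:
        return {"*"}
    if decision is Decision.RESTRICT:   # assumed remediation hosts, not real names
        return {"patch.example.internal", "edr.example.internal"}
    return set()
```

Because the decision is computed on the endpoint, a device that has lost contact with the central policy service still degrades to the restrictive outcome rather than failing open.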

Conclusion

Cyber resiliency measures (i.e., architectural design, technologies, operational practices) assume that today’s threat actors can achieve a foothold in an organization’s infrastructure, and that post-exploitation activity must therefore be contained and eliminated. When implemented properly, cyber resilience can act as a preventive measure to counteract human error, malicious actions, and decayed, insecure software. Ultimately, the goal of cyber resilience is to aggressively shield the entire enterprise, covering all available cyber resources (e.g., networks, data, workloads, devices, people).

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
