In a previous blog, I looked at the key differences between cybersecurity and cyberresilience, and why cyberresilience is a better approach for organizations to follow in 2021 because it is holistic.
IT cyberresilience is a complex objective requiring a solid understanding and a structured approach. NIST Special Publication 800-160, Developing Cyber Resilient Systems, is one of the most comprehensive resources available for those embarking on this journey. Although a bit difficult to navigate, the value of this publication is in its ability to provide the why, the what, and indications for how to approach the topic of cyber resilience.
Over the course of several blogs, I will extract several key learnings, with practical value for any organization looking to improve their resiliency to attacks.
NIST defines cyberresilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Systems and environments that are cyberresilient can withstand cyberattacks, faults, and failures and can continue to operate even in a degraded or debilitated state. Just as importantly, they can continue delivering mission-essential functions while ensuring that safety and information security are preserved during an incident.
To bring further clarity on the topic, four key cyber resilience characteristics (or guiding principles) are defined within the framework:
- Focus on the mission or key business functions
- Focus on the effects of Advanced Persistent Threats (APTs)
- Assume an adversary will compromise or breach the system or organization
- Assume an adversary will maintain a presence in the system or organization
Why are these principles important? They have a special practical significance as they help to correctly frame any approach to cyber-resilience. Here is what these characteristics are stating:
- Focus on the mission or key business functions – Cyber resiliency initiatives must focus on the capabilities supporting organizational missions or key business functions. Critical business elements should continue operating despite an attacker’s presence in systems and infrastructure that threatens mission-critical systems and system components.
- Focus on the effects of APTs – Cyber resiliency has all system-related threats in scope, but the focus must be on the effects of APTs. Why APTs? Because of their persistence and long-term effects on the organization. The longer an attacker’s dwell time, the higher the likelihood that they will access sensitive data or influence the behavior of systems in ways that can directly or indirectly inflict damage on the organization.
- Assume an adversary will compromise or breach the system or organization – The framework states that a sophisticated adversary cannot always be kept out of a system or be quickly detected and removed, despite the quality of the system design and the functional effectiveness of the security components. This assumption acknowledges that modern systems are large and complex, and adversaries will always be able to find and exploit weaknesses in the systems, environments, or supply chains.
- Assume an adversary will maintain a presence in the system or organization – Lastly, any discussion on cyber resiliency must assume that the adversary’s presence may be a long-term issue because of the stealthy nature of APTs. An extreme example is the attack on a major hotel chain’s reservation system that started in 2014 and maintained persistence for four years before being detected.
In other words, any cyberresilience initiative should be focused on advanced attacks that target critical business functions, with special consideration for the attacker’s stealthy actions and persistence in the environment. These are key premises that any organization looking to improve its cyber resilience should always consider.
In the next part of this series, I will explore the 5-step Cyber Resiliency Analysis Process and provide a practical and effective way to address cyber resiliency.
To learn more about the importance of cyber resilience for organizations and how to improve the ability to withstand advanced threats, check out the on-demand webinar: How to increase the cyber-resilience of your business.