Businesses can learn a lot about cyber resilience from nature. Nature provides the perfect example of how systems adapt to persist in dynamic environments with unpredictable threats. The more resilient a natural system, the better prepared it is to absorb and recover from harm.
With cyberattacks on the rise, organisations realise that preventative cybersecurity alone isn’t enough to prepare for major incidents. Organisations are opting to evaluate investments and expenditures through the lens of cyber resilience, which focuses on a system’s ability to continue in the face of adversity.
The concept of resilience allows business leaders to use a set of principles that can help businesses to prevent, detect, respond, recover and learn from even the most severe cyber threats.
Organisations must move away from the traditional reactive stance of building a moat to keep everything out of their systems, and toward the mindset that no barrier is impermeable, devising security strategies accordingly. This requires a focus on detective and responsive controls and on building a system that can learn from prior incidents.
Cyber Resilience Versus Cybersecurity
Cybersecurity has traditionally been defined by the ability to protect against attacks through a defence-in-depth model and, if these controls fail, by detection and response. As the traditional network perimeter has dissolved, so has the concept of protecting the organisation behind security “moats.”
Conversely, cyber resilience is the ability to endure any adversarial incident, learning and recovering from it with as little impact on system operations as possible. In a resilient organisation, each incident should feed a closed loop in which control validation and effectiveness sit at the core of a well-operating detection and response capability. While the two are different in principle, they complement each other by providing overlapping benefits. Resilience allows companies to withstand even the worst incidents by mitigating their effects and springing back quickly, while good cybersecurity minimises the overall damage.
Cyber Resilience Frameworks
Cybersecurity frameworks articulate essential ideas in a tested and shareable way. MITRE ATT&CK combines techniques from other specialist disciplines, where concepts like redundancy, recovery and survivability have helped keep power grids and other vital systems operationally resilient. Frameworks set out high-level objectives, which on their own do not make an organisation more cyber resilient. However, they provide a scaffold of ideas and outcomes from which businesses can build.
The Objectives
Understand: Threat intelligence keeps track of adversaries in the threat landscape: their past, present and future activities; their motives and capabilities; and any circumstances that may be an indicator of a cybersecurity event. Organisational intelligence identifies the critical resources shared across functions and systems, so that indicators of compromise (IOCs) can be detected, identified and assessed for damage and reliability. It is impossible to protect all assets against every threat; therefore, cybersecurity resources must be focused where they are most needed and have the biggest impact.
Prepare: Maintain a set of policies, processes and actions that can be used to counteract anticipated events. Organisations should make use of existing resources that are feasible to employ when required. Breach and attack simulation, or red, blue and purple teaming, is recommended as active preparation.
Prevent: The techniques useful for cyber resilience include hardening assets based on the information gathered under the “understand” objective, so that systems become less attractive targets and present a smaller attack surface. In today’s perimeter-less environments, controls such as multifactor authentication are vital.
Continue: This pushes organisations to keep their essential functions operating at full capacity when facing an adversarial attack, for example by avoiding single points of failure and brittle design, whether in organisational structure, processes or systems. A business continuity function can provide services beyond the cyber domain, often offering insight that is valuable to the design process.
Constrain: The smaller the attack surface, the smaller the subsequent cost. This also gives organisations more time to focus on defence and monitoring. Third-party and extended supply chains represent an ever-expanding risk to organisations of all sizes. Internal attack surfaces already exist and can expose unexpected paths to critical assets. Businesses should never make the mistake of focusing exclusively on external threats; instead, they should start with a threat model that maps the most likely attack vectors in any given system against the anticipated actors.
Reconstitute: This identifies how a known “good state” can be recognised, preserved and redeployed after suffering an attack. It requires a certain flexibility in design so that resources can be redeployed quickly, keeping disruption minimal.
Transform: The functionality and scope of any customary process must be carefully examined and assessed, so that organisations can decide whether the cost of transformation outweighs the cost of a cyberattack. This is a matter of risk appetite.
Re-Architect: The way businesses and employees use old technologies and adopt new ones in their systems constantly changes. Organisations must therefore modify their systems to achieve the goals of cyber resilience.
Adopting any framework requires tailoring the outcomes and principles to one’s own specific circumstances. To achieve cyber resilience, organisations must rethink the traditional “stop everything” approach to cybersecurity. Stopping every attack is impossible, and, ultimately, building more walls to handle novel attacks or adding more niche security technology into a fragmented security or IT stack only increases the impact when this approach collapses. Organisations will see more value by developing a system that sidesteps the binary success versus failure mindset and rather transforms itself post-attack and keeps operations running.
Granted, for many organisations, this isn’t an easy reality, as the transformative process can accumulate excessive costs. Strategies such as offsite backup, multiple servers to ensure redundancy and isolation of critical assets all have associated costs. In these circumstances, businesses must assess their risk appetite. Will the costs of a successful cyber incident outweigh the cost of achieving cyber resilience?
Cybercriminals will never stop evolving; we already suffer the consequences of highly sophisticated, new tactics, and this isn’t slowing down. Nature will always favour resilient systems, whether applied in ecology or cyberspace. Any system existing in an adversarial landscape that wants to survive must achieve resilience.
This article was originally written by John Maynard, Adarma CEO, for Forbes Technology Council.