Cyber Resilience | The Framework you Should Follow

Have you sometimes found yourself bewildered by the sheer volume of bad news out there especially about emerging cyber threats and actual attacks. It is not uncommon to wonder when you will come under a similar threat or worst still is it happening already but you just haven’t detected it yet. What would give us more comfort is understanding that we were cyber resilient to threats to a large extent, sure nothing is ever 100% guaranteed but it would sure be good to a high a high level of confidence about our ability to survive such an eventuality.

So what would good cyber resiliency actually look like?

Cyber resiliency is really about keeping the business operational despite an attack or incident. It is about the organisation having the systems, processes and controls in place to detect an attack, contain it, recover or maintain operations despite the attack and clean up the affected systems.

Some specific objectives of cyber resilience would include the following.

• Prevention–apply basic cyber protection mechanisms as well as more advanced cyber security controls to reduce the risk. In addition, threat intelligence is applied to keep the protection relevant
• Cyber response preparation– create and maintain cyber incident scenarios to train staff and maintain a good level of readiness. If an incident happens, there is a plan and people know what to do
• Minimise service degradation- in the instance of an attack
• Identify potential damage- and change resources to limit further damage
• Maintain trust relationships- and review trust of restored systems
• Effective controls- understand the effectiveness of cyber security controls in relation to the nature of the adversaries
• Review systems architecture and restructure to reduce risks

The NIST have published some recommendations that could help with achieving cyber resilience and some of these are outlined below.

A word of caution, this is not for the faint hearted as it reads as if from a military manual.

Adaptive Response- maximise the ability to respond in a timely and appropriate manner to adverse conditions thus limiting business impact and maintaining operations.

Coordinated Protection– implemented a range of protection measures that follow the defence in depth principles thus ensuring that attacks will need to overcome multiple mechanisms in order to be successful

Deception– conceal critical equipment or resources from the attacker, this could include techniques such as encryption or multi-layered firewall approach

Diversity– limit the likelihood of successful attacks on common replicated systems forcing attackers to breach different systems necessitating multiple variants of malware

Dynamic Positioning– distribute and dynamically relocate system resources, this could easily be achieved in a resilient cloud environment, this could go a long way to supporting recovery and continuity as well as making it more difficult for attackers to determine the infrastructure topology

Non Persistence– generate and create resources as needed and avoid the likelihood of intrusions through backdoors left on unused resources

Privilege Restriction– restrict access privileges based on attributes of users and systems as well as environmental considerations i.e. do not give admin rights to a user connected via an Internet café or via a country you have no business with

Redundancy–provide multiple instances of critical business systems to aid recovery from failure of primary systems

Segmentation– define and separate elements of your systems based on their criticality and attribute permissions accordingly. This will help to prevent the spread of malware and give further protection to critical systems

Unpredictability– make random and unpredictable changes to increase uncertainty for attackers thus making it more difficult for them to determine their attack sequence

These techniques put together will go a long way to achieve a high degree of cyber resiliency, which will result in the ability to manage the cyber risk and maintain operational services especially in times of persistent attack