Assuming a breach

The proliferation of high-profile, sophisticated ransomware attacks has brought cyber resilience into the spotlight. Board members, regulators and government leaders are asking CISOs to get their organizations "resilient" ASAP. But what does a cyber-resilient program actually look like? To answer this question, it's important to understand that a cyber-resilient posture is not preventive. A cyber-resilient model assumes a breach will occur, and when it does, the organization will be able to maintain critical business operations.

Many organizations mistakenly lean on the NIST cybersecurity framework of identify, protect, detect, respond and recover to implement their cyber-resilient programs. But the NIST framework is predicated on preventing breaches, not on getting ahead of them.

Luckily, there is a proactive framework containing four pillars that organizations can follow to become cyber resilient.

Pillar 1: Anticipate

The framework starts by anticipating the threats bad actors are most likely to use to disrupt your organization.

For example, being cyber resilient is less important when it comes to vulnerabilities in your guest lobby wireless access, because a breach there wouldn't impact critical business operations. It might, however, zero in on weak spots in your payroll network, since a breach there would have enterprise-wide consequences.

The anticipate pillar includes threat modeling and understanding your risk posture. With threat modeling, cyber teams research bad actors and the types of attacks and vulnerabilities that are a high priority given an organization's security posture.

This pillar also includes cyber intelligence to identify the biggest vulnerabilities in your network. Cyber intelligence helps teams understand what tactics bad actors would use to exploit these vulnerabilities and the business impact if successful.

One of the biggest benefits of establishing the anticipate pillar is that it starts to get everyone thinking proactively.

Executives start thinking about what areas of the business hold the most value to the organization. Business leaders start thinking about the workstreams needed to support critical operations. Cyber teams start looking for gaps in the kill chain. IT starts looking at gaps in legacy systems.

All this inspection allows teams to react quickly when an attack occurs.

Pillar 2: Withstand

When a bad actor successfully breaches your organization and starts exploiting your vulnerabilities, how do you manage through it?

The withstand pillar is all about limiting the impact of an attack. This requires action not just from cyber operations but also from IT and business leaders. While cyber operations perform incident response, IT and the business need to reroute systems and users and do everything they can to maintain successful business operations.

For all this to work, a set of courses of action (COAs) must be created based on the anticipate pillar. For example, cyber operations should be operating from a playbook of the most likely attacks on their organization. Traditional security tactics like an incident management plan are part of this, but it also includes tactics like cyber deception. For example, you might set up a honeypot to draw attackers away from assets that are truly critical.

The same playbooks should specify what actions IT should take to reroute traffic and what changes business leaders need to make to ensure the business can continue to operate.

Hopefully, sound COAs, playbooks and streamlined cyber operations are enough to manage through an attack. But a cyber-resilient program should assume the worst. There's nothing wrong with actions in the withstand pillar failing under attack as long as you have a plan to recover.

Pillar 3: Recover

Many organizations think they have a recovery plan in place because they have a disaster recovery plan that includes the ability to restore business-critical data. The problem is that this only accounts for recovering data, not the services and workstreams surrounding the data. Successfully restoring key systems after an attack means restoring applications, platforms and networks. It also means restoring account access, database services, access to cloud systems and all the security needed to stop an attacker from being successful.

If you can't manage through an attack under the withstand pillar, you need the ability to very quickly redirect elements of your business to an exact duplicate of an application or series of applications, together with their associated security wrappers, so that nothing else becomes infected.

Ideally, duplicates of applications and associated services are stored in a cyber vault. Residing in an offsite location, a cyber vault allows organizations to recover accounts for application services like Active Directory, key management systems, public key infrastructure, DNS, VPNs, firewalls and authentication.

Bad actors are counting on organizations performing a traditional disaster recovery restoration and not having a cyber vault. They can use advanced persistent threat techniques to compromise other parts of the network. You might have protected your data from one type of attack, but it won't stay safe for long without the ability to recover the appropriate security services.

Pillar 4: Adapt

A good cyber-resilient program does not end after managing through an attack; it always looks back to see how well the organization was prepared for the attack. In doing so, organizational leaders can make tweaks to business functionality, architecture and cybersecurity to be better prepared for the next attack.

Some security and IT teams may end up retiring legacy systems and moving more business-critical applications to the cloud. Others may find that assets in the cloud need to be brought on premises. In some cases, business leaders might determine that they can streamline the number of services they need for business-critical applications to continue under an attack.

This retrospective informs how you can bolster the anticipate pillar as your organization readies itself for the next attack.

Answering the call

Despite our best efforts to reduce risks, we likely won't always be able to prevent attacks that target business-critical resources. While that may seem like a dreary reality, accepting this fact is far from defeatist.

By taking proactive steps to protect our organizations while under attack, we demonstrate how cybersecurity can power business performance.

Organizations cannot become cyber resilient overnight. But by leaning on the four pillars, CISOs can answer the call for their organizations to become resilient with confidence.