Cyber Operations and Resilience
As Patrick Thielen, CPCU, points out, the first thing any organization should focus on is threat actor access. Those purchasable points of entry, when present, make an organization far more likely to land on some criminal’s ‘to-do’ list. And the fastest way to be breached is to be targeted.
After setting the direction of the organization by implementing a culture of security, as Amanda Draeger discussed last week, the most important tactical lens for an organization to examine is its Security Operations (SecOps: the Detect, Respond, and Recover core functions of the United States National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)).
This may feel backwards. You’re probably thinking a security engineering plan is first up, but hear me out. One thing we often overlook is why we engineer security controls. It’s not to keep the attackers out. You can’t engineer a wall tall enough, long enough, thick enough, or deep enough to keep the bad folks out unless you’re actively guarding it.
Engineered security controls, as Jon Hawes will talk about, exist to facilitate security operations. A SecOps team is a limited resource. If that team is being directed to threats that could have been prevented automatically, it is being diverted from threats that require active management.
And if a threat has gained access, you’ll likely need active management. Though the perimeter defense approach isn’t perfect, given the complexity of modern IT estates, it does keep attackers outside with limited options. Once they are inside, engineering away every pivot an attacker could use to further their compromise becomes impractical. Instead, it is SecOps’ responsibility to minimize the impact of the compromise.
While having security operations at all is good, monitoring and improving it is best. That feedback loop usually starts by running a purple team exercise (https://www.crowdstrike.com/cybersecurity-101/purple-teaming/) or attack simulations and recording what the red team does and when, and when the blue team detects it. From there, we can measure a few important things:
1. Probability of detection
2. Time to detect
3. Time to respond
4. Effectiveness of response
5. Effectiveness of Recovery
All of these measurements require knowing what type of threat you are trying to detect, respond to, and recover from. That requires Threat Intelligence: keeping up to date on threat actor trends and what type of attacks an organization is likely to face.
Threat intelligence doesn’t need to be difficult. Many podcasts, newsletters, and industry reports are freely available. Organizations needing more threat intelligence can hire vendors to support a threat-informed defense.
Probability of detection

Incident response will fail if it doesn’t begin, and it cannot begin without detecting the threat. Organizations must invest in tools, processes, and teams to detect attacks. Probability of detection can be measured by simulating attacks, whether through penetration tests or automated simulation, and identifying which steps go undetected. Those exercises double as training for the security operations team and show which attack types are least likely to be noticed.
Time to detect and Time to respond

Even if an attack is detected, it may be over before security operations has responded. Every ransomware attack is eventually detected, but usually only after the systems are encrypted. Again, simulating attacks helps organizations understand how quickly they can detect and respond to an attack. Processes and tools that automate, aggregate, and prioritize alerts can speed detection, while alert overload and fatigue slow it down.
Effectiveness of response

Even if a threat is detected and responded to quickly, the compromise is not over if the threat actors maintain access. Measuring the effectiveness of a security operations response is harder than measuring speed, but it is possible when purple team exercises are monitored properly: track whether each detected action was actually contained, not just alerted on.
Effectiveness of recovery

Recovery is a far easier activity to measure. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) provide targets for recovery: how long the organization can be down, and how much data it can afford to lose. Disaster Recovery exercises provide an opportunity to measure the organization’s ability to achieve these objectives.
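The five measurements above come straight out of the timestamps recorded during a purple team exercise, plus the clock readings from a disaster recovery drill. The script below is an added example, not code from the original article or from Liberty’s Cyber Risk Engineering team, and it assumes two constructed logs: the red team’s action log (with an optional “impact complete” time, such as when a ransomware simulation finished encrypting) and the blue team’s detection and containment times, joined on an illustrative ATT&CK technique id. It computes probability of detection, median time to detect, median time to respond, response effectiveness (detected actions that were actually contained), flags detections that arrived only after the impact was complete, and checks a recovery drill against its RTO and RPO.

```python
"""Score a purple team exercise and a DR drill from timestamped event logs.

Added example for this article; not the article's or Liberty's own tooling.
All log data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp string as recorded by the exercise scribe."""
    return datetime.fromisoformat(s)


# Constructed red team log: (technique id, action, executed at, impact complete at).
# Technique ids are an illustrative ATT&CK mapping used only as a join key.
RED_ACTIONS = [
    ("T1078", "login with purchased credentials", "2024-05-01T09:00:00", None),
    ("T1059.001", "PowerShell download cradle", "2024-05-01T09:12:00", None),
    ("T1021.002", "lateral movement over SMB admin share", "2024-05-01T09:40:00", None),
    ("T1003.001", "LSASS memory dump", "2024-05-01T10:05:00", None),
    ("T1486", "ransomware simulation on test share", "2024-05-01T10:30:00", "2024-05-01T10:50:00"),
]

# Constructed blue team log: (technique id, detected at, contained at or None).
# Actions missing from this list were never detected.
BLUE_EVENTS = [
    ("T1059.001", "2024-05-01T09:14:30", "2024-05-01T09:55:00"),
    ("T1021.002", "2024-05-01T09:58:00", None),               # alerted, never contained
    ("T1486", "2024-05-01T11:20:00", "2024-05-01T11:45:00"),  # detected after encryption finished
]


@dataclass
class Step:
    technique: str
    action: str
    executed: datetime
    impact_complete: Optional[datetime] = None
    detected: Optional[datetime] = None
    contained: Optional[datetime] = None


def merge(red, blue) -> list:
    """Join red actions with blue detections/containments on technique id."""
    blue_by_id = {b[0]: b for b in blue}
    steps = []
    for tech, action, executed, impact in red:
        step = Step(tech, action, ts(executed), ts(impact) if impact else None)
        if tech in blue_by_id:
            _, det, cont = blue_by_id[tech]
            step.detected = ts(det)
            step.contained = ts(cont) if cont else None
        steps.append(step)
    return steps


def score(steps) -> dict:
    """Compute the article's SecOps measurements from the merged timeline."""
    detected = [s for s in steps if s.detected]
    contained = [s for s in detected if s.contained]
    ttd = [(s.detected - s.executed).total_seconds() for s in detected]
    ttr = [(s.contained - s.detected).total_seconds() for s in contained]
    # A detection that lands after the impact completed did not prevent anything.
    late = [s.technique for s in detected
            if s.impact_complete and s.detected > s.impact_complete]
    return {
        "probability_of_detection": len(detected) / len(steps),
        "median_time_to_detect_s": median(ttd) if ttd else None,
        "median_time_to_respond_s": median(ttr) if ttr else None,
        "response_effectiveness": len(contained) / len(detected) if detected else 0.0,
        "undetected": [s.technique for s in steps if not s.detected],
        "detected_after_impact": late,
    }


def recovery_met_objectives(last_good_backup: datetime, outage_start: datetime,
                            restored_at: datetime, rto: timedelta, rpo: timedelta):
    """Return (rto_met, rpo_met) for one DR drill.

    Downtime is outage start to restore; data loss is the gap between the
    last good backup and the outage start.
    """
    downtime = restored_at - outage_start
    data_loss = outage_start - last_good_backup
    return downtime <= rto, data_loss <= rpo


if __name__ == "__main__":
    for key, value in score(merge(RED_ACTIONS, BLUE_EVENTS)).items():
        print(f"{key}: {value}")
    print("RTO met, RPO met:", recovery_met_objectives(
        ts("2024-05-01T02:00:00"), ts("2024-05-01T10:50:00"),
        ts("2024-05-01T18:00:00"), timedelta(hours=8), timedelta(hours=4)))
```

On the constructed data, probability of detection is 0.6, the credential login and LSASS dump are the undetected steps, the SMB pivot was alerted on but never contained, and the ransomware simulation is flagged as detected after impact, which is exactly the “every ransomware is detected, but after encryption” case. The DR drill meets its 8-hour RTO but misses a 4-hour RPO because the last good backup was nearly nine hours old when encryption started.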
At Liberty, our Cyber Risk Engineering team looks for observations in three foci when assessing organizations’ risks:
· Tactical Intelligence
· Incident Response
· Disaster Recovery
Tactical intelligence helps us understand how well the organization understands the threat landscape. It is the most advanced focus of the three, but a key part of any large organization’s security.
Incident Response includes detection and response. We look for documented incident response plans and tools necessary to detect and respond to threats. But the best organizations exercise and measure their incident response plans, document their lessons learned, and apply them to improving their processes!
Disaster Recovery may be needed because of an intentional attack, an unintentional error, or a natural disaster. As with incident response, a disaster recovery plan and a business continuity plan are key to effective recovery of the organization’s operations. Both plans should be exercised regularly, with lessons learned recorded and implemented. Additionally, organizations should regularly test backups, including restoring both systems and data from backup. Organizations that manage their infrastructure as code should regularly exercise their rebuild process to ensure it functions as expected.
And more than anything, organizations should remember that nothing is perfect: not people, processes, or technology. For their own organization, that means expecting to respond to operational challenges. But it also applies to attackers, who are imperfect as well. No organization should feel that a cyber disaster is inevitable. And as Mea Clift will expand on, by working together we improve our chances!