Developing Cyber Resilience: How To Think Like a Forensic Investigator

by @z3nch4n


Zen Chan

Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.

Important Consideration Other Than Zero Trust Adoption

We all depend completely on information technology deployed in critical systems and applications in the public and private sectors, from the electric grid to voting systems to the vast "Internet of Things." As a result, every company and organization remains highly vulnerable to sophisticated cyber-attacks from hostile nation-state-backed actors, criminal and terrorist groups, and rogue individuals.

Advanced adversaries, collectively called the Advanced Persistent Threat (APT), compromise critical systems and often remain undetected within them, inflicting immediate and long-term economic damage and even national security threats.

That is why the whole cybersecurity community promotes Zero Trust Architecture, including Google's BeyondCorp, Gartner's CARTA, NIST SP800–207, and Forrester's ZTX, all of which adopt the idea that being compromised is inevitable.

Today, organizations have to admit that the question is no longer how to keep bad actors out, although this remains important. Instead, the focus should be on keeping going during an attack, and on recovering as quickly as possible to "business as usual" once an attack occurs.

I previously mentioned the importance of Zero Trust Security, which gave me more insight into the situation. Thanks to everyone for giving me feedback and ideas on how to spread the concept further; it would be better to introduce the idea of Cyber Resilience.

Cybersecurity vs. Cyber Resilience

The main difference between them is the focus of the response. In Cybersecurity, we have DR/BCP to ensure organizations can resume operations as quickly as possible. However, the main focus of Cybersecurity is still on preventive controls.

Take a well-known notion, "Defence-in-Depth (DiD)", as an example: even with more than one barrier involved (i.e., layered security), there is no guarantee it will completely stop people from getting through.

It is like being physically fit but easily injured. A bodybuilder with little body fat needs a lot of energy to maintain that condition; by contrast, a slim person can be strong and capable of withstanding different kinds of stress.

The difference may not show in appearance. This is the idea of resilience: being resilient is the ability to adapt well in the face of adversity, trauma, tragedy, threats, or significant sources of stress.

SP800–160, Vol. 2

In late 2019, NIST released special publication SP800–160 Volume 2, "Developing Cyber Resilient Systems — A Systems Security Engineering Approach." It is the first in a series of specialty publications developed to support NIST SP 800–160 Volume 1, the flagship Systems Security Engineering guideline. It defines cyber resiliency as:

"the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that include cyber resources."

Volume 2 addresses cyber resiliency considerations for two essential yet discrete communities of interest:

  • Engineering organizations developing new systems or upgrading legacy systems using systems life cycle processes; and
  • Organizations whose existing systems, as part of their installed base, currently carry out day-to-day missions and business functions.

Cyber Resiliency is different from security defense. It is about knowing that bad things will happen: the question is not if but when. To become cyber resilient, the scope of protection must extend beyond the "Crown Jewels" to a much broader coverage, the whole ecosystem of the business or organization.

Cyber Resilience

Cyber-resilient systems have security measures or safeguards "built-in" as a foundation of their architecture and design, enabling them to endure cyber-attacks, faults, and failures and continue to operate even in a degraded or debilitated state to carry out the organization's mission-essential functions.

The current focus on resilience, on the other hand, does not lose sight of the leading edge of an adversary's initial compromise, even as attention shifts toward eliminating the probable impact of the entire attack chain. Thus, instead of relying heavily on preventative controls, resilience-based security goals look holistically at the full suite of available security controls.

As a result, the entire security infrastructure could disproportionately raise the expense of effort, material, and time an adversary must invest to progress forward with an attack while reducing the probability that such an attack will end with business or operation disruption.

Let's work through Cyber Resilience in two different frameworks.

1. Prevent, Detect, Correct… Adapt

In Cyber Resiliency, we assume that attacks are unavoidable, so we need to be well prepared for their impacts and learn from them. For example, I mentioned using the PDC security mindset (Prevent, Detect, Correct) framework to strengthen Incident Response Triage. But there is one piece missing: adaptation to threats.

PDCA: Prevent, Detect, Correct, and Adapt (do not mix it up with Plan-Do-Check-Act!) should be the better approach against fast-changing malicious activities. To attach adaptation to the picture, we need a different approach.

When integrating this idea into a security mindset, you should put your focus in different places according to which phase you are at:

  • Prevention — Think like a Security Architect (Focus more on design and plan)
  • Detection — Think like a Security Engineer (Attack/Defense thinking and Finding the real threats)
  • Correction — Think like a Security Consultant (Resume Continuous business improvement)

Adding adaptation means:

  • Adaptation — Think like a Security Forensic Investigator (find the root cause after the event)

2. NIST's Cybersecurity Framework

Another way to discover the interconnection of Cybersecurity and cyber resilience is to examine them in terms of the National Institute of Standards and Technology (NIST)'s Cybersecurity Framework.

The framework identifies the five pillars that make up the cybersecurity "backbone":

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

For this post, "cybersecurity," as discussed, covers the framework's first three functions (Identify, Protect, Detect), and Cyber Resilience covers the last two functions (Respond, Recover). Collectively, they create a comprehensive security and data protection strategy.

These are the reasons why every company needs to plan for both Cybersecurity and cyber resilience. Resilience isn't just for cyberattacks; it goes hand in hand with your business continuity strategy to ensure that no matter what causes disruption, data can be recovered, and operations can get back up and running fast.

Final Words — Be A Michelin Man, And Think Like a Forensic Investigator

I like comparing security with health, as both are my prime focus of interest. Being resilient is like making yourself the "Michelin Man," surrounded by tires and able to bounce around. It is not fat I am talking about, but an all-round airbag that can protect you against attacks from 360 degrees.

Holistic healthcare focuses on maintenance rather than treatment. Therefore, the health maintenance examination is an opportunity to focus on disease prevention and health promotion, not medical treatment.

As an example, most metabolic illnesses are the result of prolonged inflammation. As a result, the symptoms are the "breaking point" or the weakest spot of your body. Maintenance can be in exercise, a mindful diet, or meditation to reduce stress in different aspects.

In a holistic cybersecurity approach, we adopt a security mindset in frameworks like PDC (Prevent, Detect, Correct) or PPT (People, Process, Technology) and an Adaptive Approach to find the root cause of the problem.

PDC becomes PDCA:

  • Prevention — Think like a Security Architect (Focus more on design and plan)
  • Detection — Think like a Security Engineer (Attack/Defense thinking and Finding the real threats)
  • Correction — Think like a Security Consultant (Resume Continuous business improvement)
  • Adaptation — Think like a Security Forensic Investigator (find the root cause after the event)

Another way to look into Cyber Resilience is through NIST's CSF, in which we should not ignore the last two functions (Respond and Recover). To achieve that, we need to

  • be prepared to restore systems and data to a pre-incident state at any time by backing them up;
  • be able to maintain business processes consistently, despite possible security incidents; and
  • be able to react accordingly and support all business processes during a cyber attack.

A resilient security architecture is one where defenders maintain maximum visibility across their enterprise:

  • attacks are detected early, contained, and expelled before attackers achieve their objectives; and
  • response and recovery from any incidental damage are rapid.

It is an approach more adaptable to the dynamic business factors of today's enterprise, where, for example, digital and cloud transformation are generally more cost-effective.

Adequate visibility, detection, and response are pillars of resilience. Cyber Resilience is an approach most likely to positively manage enterprise risk in a world of vanishing perimeters, mobile assets, and accelerating cloud adoption.

Thank you for reading. May InfoSec be with you🖖.
