Overcoming Cyberresilience Design Challenge

Author: Larry Marks, CISA, CRISC, CGEIT, C|CISO, CCSK, CFE, CISSP, CSTE, ITIL, PMP
Date Published: 1 May 2024

In 2021, the US National Institute of Standards and Technology (NIST) issued NIST Special Publication (SP) 800-160¹ to provide guidance for the development and maintenance of cyberresilient systems. This was in response to an increase in ransomware incidents and the subsequent understanding that enterprises needed help withstanding, adapting and recovering from cyberattacks and compromises. From a risk perspective, cyberresilience is intended to help reduce the risk of dependence on cyber resources.² NIST’s guidance includes 14 system engineering techniques that are intended to ensure survivable, trustworthy systems:³

  1. Adaptive response—Implement agile courses of action to manage risk.
  2. Analytic monitoring—Monitor and analyze a wide range of properties and behaviors on an ongoing basis and in a coordinated manner.
  3. Contextual awareness—Construct and maintain current representations of the posture of missions or business functions while considering threat events and courses of action.
  4. Coordinated protection—Ensure that protection mechanisms operate in a coordinated and effective manner.
  5. Deception—Mislead, confuse, hide critical assets from, or expose covertly tainted assets to the adversary.
  6. Diversity—Use heterogeneity to minimize common mode failures, particularly threat events exploiting common vulnerabilities.
  7. Dynamic positioning—Distribute and dynamically relocate functionality or system resources.
  8. Non-persistence—Generate and retain resources as needed or for a limited time.
  9. Privilege restriction—Restrict privileges based on attributes of users and system elements, and on environmental factors.
  10. Realignment—Structure systems and resource use to align with mission or business function needs, reduce current and anticipated risk, and accommodate the evolution of technical, operational, and threat environments.
  11. Redundancy—Provide multiple protected instances of critical resources.
  12. Segmentation—Define and separate system elements based on criticality and trustworthiness.
  13. Substantiated integrity—Ascertain whether critical system elements have been corrupted.
  14. Unpredictability—Make changes randomly or unpredictably.

The optimal strategy is to identify, design, and implement a solution that includes a risk framework for managing people, processes, and technologies and developing the ability to withstand, recover from, and quickly adapt to a threat to or an apparent compromise of a system. According to Veeam’s 2023 Data Protection Trends Report, 85% of enterprises suffered at least one cyberattack in the preceding 12 months, an increase from 76% in the prior year.⁴ While enterprises have tried to reduce the vulnerability of their backups by adding technology, the primary objective of NIST SP 800-160 is to establish robust processes that effectively defend and protect assets from threats, vulnerabilities, incidents, or disasters. It is important to note that while these measures are crucial, they are not sufficient in isolation. This is where the concept of cyberresilience comes into play, bridging the gap between protective measures and the ability to maintain operations despite adverse cyberevents.

Cyberresilience is considered a discipline that is impacted and influenced by related programs, including cybersecurity, IT disaster recovery, business continuity planning/disaster recovery (BCP/DR), crisis or incident management, and third- and fourth-party risk management. The question is: Why is it important to distinguish cyberresilience from other programs?

  • Cyberresilience goes beyond the typical prevent, detect, and respond models found in cybersecurity and requires operational resiliency to ensure that critical business processes can recover from cyberattacks with minimal disruption and within prescribed recovery times.
  • Cyberresilience requires enterprises to consider threats that may impact their own risk frameworks and those of their third-party suppliers and vendors.

Cyberresilient solutions cannot be developed in a silo separate from incident management, business continuity, and disaster recovery (figure 1).

Overcoming Cyberresilience Figure 1
Source: National Institute of Standards and Technology, NIST SP 800-160, USA, 2021, https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final

As cyberthreats continue to evolve, the criticality of robust cyberresiliency measures has never been more apparent. In the context of NIST 800-160, an enterprise must have the capability to swiftly isolate any stress on a system, such as data corruption within a data domain or backup. This rapid response is crucial to minimize the impact and facilitate recovery, aligning with the guidelines of cyberresiliency outlined in NIST (figure 2).

Overcoming Cyberresilience Figure 2
Source: National Institute of Standards and Technology, NIST SP 800-160, USA, 2021, https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final

Design Challenges

Implementing the NIST cyberresiliency model presents several challenges and prompts important questions related to people, processes, technology, and the organization:

  • People
    • Have roles and responsibilities been assigned and communicated to all?
    • Have these roles and responsibilities been tested, and have lessons learned been documented?
    • Has the significance of the operational resiliency scenarios been discussed with the business owners?
    • Have recovery time objectives (RTOs) been tested from scratch?
  • Processes
    • Has more than one simultaneous scenario been tested?
    • Were operations sustained while the system was under threat, duress, or attack?
    • Are expectations realistic? (Nothing can ensure perfect cyberresilience and provide an impenetrable steel door against ransomware attacks.)
    • Has the enterprise’s cyberrisk model and network diagram been reviewed against the MITRE ATT&CK D3FEND framework⁵ to generate an inventory of weaknesses that could be taken advantage of by a threat actor? (MITRE ATT&CK D3FEND is a knowledge base of adversary tactics and techniques based on real-world observations. It can be used to develop threat models of the techniques an adversary may use, along with guidance on how to defend against those techniques.)
    • Have cyberresilience use cases been identified and tested in a lab or, at a minimum, a tabletop?
    • Have the enterprise’s critical processes, critical systems, and critical people been identified? (Critical processes may be subjectively interpreted as those systems that generate the majority of revenue or that impact the enterprise’s books and records. In some cases, these may be the processes relevant to US Sarbanes-Oxley [SOX] Act⁶-related systems.)
    • Are scenarios tested at least annually?
  • Technology
    • Is the enterprise’s reliance on technology to solve its cyberresilience challenges realistic? (Remember that technology is only a tool that can be supported by processes managed by IT.)
    • Are the enterprise’s staff, budgets, priorities, and processes maximized to get the most out of technology?
  • Organization
    • Is there a “tone at the top” to support cyberresilience testing?
    • Have adequate resources been allocated to support the cyberresilience program?
    • Have legal liabilities been identified in the event of a threat or attack? Is there a plan to mitigate these liabilities?
    • Does the enterprise culture accept the guidance of experts such as the US Cybersecurity and Infrastructure Security Agency to enhance scenario identification and risk mitigation?

As organizations research practical and cost-effective approaches to developing cyberresilient systems and the ecosystems that support them, it is worth reviewing the impact of each approach on people, their processes, their existing technology, and the organization.

Cyberresilience in Light of Recent Ransomware Attacks

In November 2023, the US arm of the Industrial and Commercial Bank of China (ICBC) was hit by a ransomware attack that disrupted trading in the US Treasury market. The ICBC ransomware attack was linked to a vulnerability affecting the cloud computing company Citrix, referred to as CitrixBleed. In October 2023, Citrix had released a security bulletin on two vulnerabilities that impacted Citrix NetScaler ADC and NetScaler Gateway.⁷ A cyberresilience paradigm requires that enterprises such as ICBC go beyond the prevent, detect, and respond models typically found in a cybersecurity program and instead implement a program to ensure that critical business processes can recover from cyberattacks with minimal disruption and within prescribed recovery times.

Did ICBC Demonstrate Its Cyberresilience?
The impact of ransomware on ICBC and its interconnected business operations with other financial systems, vendors, customers, and providers showed that these attacks have cascading effects worldwide: they disable banking and financial operations, undermine the trust of customers, and create reputational and security risk. With the attack surface expanded by the impact on ICBC’s suppliers and customers, this serves as an example where cyberresilience measures should be implemented to minimize the shock and stress for enterprises and their customers. The overall global financial system has proven resilient, but the ICBC event shows that the risk is real and should be acted upon on a continuous basis.

A cyberresilience program should consider whether people, processes, or technology pose threats (e.g., insider or zero-day threats) that may impact the enterprise’s risk framework and the frameworks of its third-party suppliers and vendors. Evidence of testing BCP and DR with critical third parties is relevant in this endeavor.

The US Cybersecurity and Infrastructure Security Agency has issued guidance for the prevention of ransomware attacks that interleaves the details of the 10,000-foot (general) view with NIST general guidance at the 30,000-foot (big-picture) level (figure 3).⁸

Overcoming Cyberresilience Figure 3

Additional techniques to protect sensitive information are depicted in figure 4.

Overcoming Cyberresilience Figure 4

Cyberresilience in Light of ChatGPT and Artificial Intelligence

In response to the proliferation of artificial intelligence (AI) and software tools such as ChatGPT, enterprises are issuing guidance on internal use of these technologies. Some are also exploring how to rely on AI to digest and analyze the ever-increasing amount of data and to create more effective customer-driven products and marketing practices. AI tools of this kind use large language models (LLMs) to ingest data.

The risk of cyberattacks that use AI, that target the LLM itself, or that exploit the increased attack surface of confidential, sensitive data makes it imperative to:

  1. Identify weaknesses in AI systems’ control and security postures.
  2. Incorporate the functionality of the AI system into its cybersecurity strategy, such as by using tools and techniques to ensure the cyberresilience of its control posture.

The key to these challenges is to return to the basics, such as blocking and tackling approaches. In other words, an enterprise must use the basic security techniques of control and risk mitigation, along with communication and collaboration with senior management, to fend off or mitigate the risk of attacks and deal with their impact. Even so, there are other techniques that an enterprise can use to improve defenses:

  • Strengths, weaknesses, opportunities, and threats (SWOT) analysis—This approach allows an enterprise to better understand its strengths and weaknesses and identify opportunities for threat analysis and mitigation. In an ever-changing threat landscape, this is an ongoing process.
  • Risk assessment—This approach identifies existing and potential risk factors, the controls already in place, any gaps in these controls, and short-term and long-term mitigation strategies. The key constraints are limited resources, capabilities, and budgets. Mitigation plans have to be prioritized and aligned with the degree of risk accepted by senior management.

The challenges of implementing a cyberresilience program involve the availability of adequate budgets and appropriate staff skills, processes, and technology. Key methods to mitigate potential risk include, but are not limited to:

  • Communication—Communicate the objectives of a cyberresilience program to business leaders, IT, and third parties.
  • Collaboration—Teamwork can collectively mitigate the risk related to non-robust incident management, BCP/DR, backup, and recovery. Prior performance should be considered the baseline to ensure that actions taken are mitigating today’s risk and not yesterday’s.
  • Act smarter, not harder—Principles of defense in depth and honeypots should be considered as a mesh of techniques, processes, and tools to mitigate risk to the enterprise.
  • Review links to third parties—If third parties cannot ensure the cyberresilience of their systems, a determination must be made whether the relationship should be continued or started.

Subobjectives and Metrics

NIST SP 800-160 identifies the subobjectives of cyberresilience scenarios and provides examples of metrics (figure 5). These subobjectives suggest starting points that can be used to develop a cyberresilience program and develop performance indicators to measure its effectiveness and efficiency.

Overcoming Cyberresilience Figure 5

One objective, Prepare, includes a subobjective to design playbooks against the varied population of threats and tactics used by cyberattackers. In addition, there should be a mechanism to measure the effectiveness of a playbook, whether simulated, scheduled, or random. Metrics of effectiveness may consist of time since the last playbook test or the percentage of cyberbackups effectively performed.

Conclusion

Developing a cyberresilient system, whether for a large, medium, or small enterprise, involves a continuous approach of process improvement. The US Cybersecurity and Infrastructure Security Agency and NIST provide valuable guidance and checklists to help meet these challenges. As long as cybersecurity professionals and the organization collaboratively evaluate the impact on people, processes, and technologies, the approach remains one of acting smarter, not harder.

Endnotes

1 National Institute of Standards and Technology (NIST), NIST SP 800-160v2r1—Developing Cyber-Resilient Systems, USA, December 2021, https://doi.org/10.6028/NIST.SP.800-160v2r1
2 Ross, R.; Pillitteri, V.; et al.; “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach,” NIST Special Publication SP 800-160, vol. 2, rev. 1, December 2021, https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final
3 Op cit NIST
4 Veeam, “Data Protection Trends Report 2023,” 17 January 2023, https://www.veeam.com/wp-data-protection-trends-report-2023.html
5 MITRE D3FEND, https://d3fend.mitre.org/
6 107th US Congress, H. R. 3763 Sarbanes-Oxley Act of 2002, USA, 30 July 2002, https://www.congress.gov/bill/107th-congress/house-bill/3763/text
7 Pallardy, C.; “Understanding the Ransomware Attack Fallout on China’s ICBC,” Information Week, 17 November 2023, https://www.informationweek.com/cyber-resilience/understanding-the-ransomware-attack-fallout-on-china-s-icbc-
8 Cybersecurity and Infrastructure Security Agency, “Protecting Sensitive and Personal Information From Ransomware-Caused Data Breaches,” USA, https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf
9 Cybersecurity and Infrastructure Security Agency, Cyber Essentials Starter Kit, 12 March 2021, USA, https://www.cisa.gov/resources-tools/resources/cisa-cyber-essentials-starter-kit
10 Cybersecurity and Infrastructure Security Agency, Ransomware Guide, September 2020, USA, https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf
11 Federal Trade Commission, Protecting Personal Information: A Guide for Business, October 2016, USA, https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business
12 Cybersecurity and Infrastructure Security Agency, Cybersecurity and Physical Security Convergence Action Guide, USA, 22 December 2021, https://www.cisa.gov/resources-tools/resources/cybersecurity-and-physical-security-convergence-action-guide

LARRY MARKS | CISA, CRISC, CGEIT, C|CISO, CCSK, CFE, CISSP, CSTE, ITIL, PMP

Has focused his career on leading through collaboration to ensure that best practices are implemented to assist compliance and process improvement. He has focused on audit, security, risk, compliance, privacy, and program/project management across financial services, healthcare, and telecommunications. Marks has extensive experience in designing, managing, auditing, and implementing IT processes, policies, controls, and technology. He has managed teams, priorities, and expectations across business and IT leadership while delivering fit-for-purpose services. He is a peer reviewer for the ISACA® Journal and the Association of Certified Fraud Examiners (ACFE) Fraud Magazine. He has contributed to ISACA® white papers and has authored/coauthored ISACA audit programs. Marks served on the Certified in Risk and Information Systems Control® (CRISC®) exam-writing team and is part of the Project Management Institute’s ISO Committee. He is also a blogger and contributor to the leadership section of ProjectManagement.com. His work has been published in the ISC2 Security Journal, the PMI Journal, and the ISACA Journal.