By Shane Steiger, Principal Cybersecurity Engineer, MITRE
The concept has been around for many years. No doubt you’ve seen the images, such as a tiny flower emerging among bricks; one tree bending to the wind while another crashes to the ground; or soldiers successfully pushing back attackers who’ve breached the castle walls. And, of course, there’s always the old chestnut of a tight huddle of computer experts combatting a shadowy figure in a hoodie.
These images fail to convey the most important point: that whether you run a hospital, factory, power grid, or a national security team, you have vital things to do beyond repelling cyber attackers. You can’t let your business/mission grind to a halt because of a cyberattack.
Being able to achieve your organization’s mission despite being under cyberattack is the most important part of cyber resiliency.
Start by assuming cyber attackers have made it over your organization’s moat and are already stealing from you and eroding your business or mission. How do you proceed? Admittedly, this can seem overwhelming. But while it is a complex challenge, it’s not insurmountable if you approach it with a solid plan.
To simplify this, my company, MITRE, released the Cyber Resiliency Engineering Framework (CREF) NavigatorTM. This free visualization tool allows organizations to customize their cyber resiliency goals, objectives, and techniques, as aligned with NIST SP 800-160, Volume 2 (Rev. 1), the National Institute of Standards and Technology’s (NIST) publication on developing cyber-resilient systems.
The CREF Framework follows the four guiding steps below, and I’ve included some key questions for you to explore:
#1 Anticipate: Maintain a state of informed preparedness to forestall compromises of mission/business functions from adversary attack. This means plan, plan, plan. Know your high-value assets or critical points in your cyber assets. Work with your stakeholders to determine what your business/mission needs to operate. Determine what systems and services must be up at a bare minimum? Also, learn what cyber events others in your sector have experienced. Then, once you have a plan, test it. Even a simulated tabletop exercise often will reveal undiscovered gaps in planning. Lastly, plan for worst-case scenarios, including events outside of computing that might exacerbate cyber risk—such as hospitals dealing with ransomware during a global pandemic.
#2 Withstand: Continue essential business/mission functions even when an adversary has successfully attacked. Okay, so you’ve been cyber attacked. As discussed in Step 1, if you planned for it, you are more likely to withstand it. First, what is happening to your assets? Can you easily move them around physically or logically—with virtualization? Can you reposition assets where an attack is not occurring? Do you have more than one system to achieve some business or mission functionality, such as a redundant system? Or do you have another way to achieve the same function if all similar systems are targeted? Is it a diverse system? Do you have key backup of systems in place? Do you have access to your cyber resiliency plan if systems or backups are completely unavailable? (You’ll need access to this information later to fight through and recover.) Is there an adaptive response from some of your tools? During this initial phase, and despite the intense pressure, I recommend you stop to take a breath. Amid fear, uncertainty, and doubt, take time to be clear which assets are being affected—and how that’s impacting your business/mission. If you do this “withstand” step well, you should be able to keep at least a minimum level of functionality in place and thus continue to achieve your core business/mission.
#3 Recover: Restore mission or business functions during and after adversity. This is where you bring your organization back from minimal to normal functionality. You’ll need to recover from backups or build new systems that are not vulnerable to the same attacks. Think about how to segment your systems or realign them to restrict access. Cyber adversaries may try to overcome your recovery steps as you proceed by adapting their responses to assumed capabilities. Remember, this step is often happening during the fog of adversity. Can you segment your recovery to keep an adversary from re-compromising it? Do you trust the integrity of the recovery? Can you coordinate your response with orchestration? Did you plan ahead and put forensic tools in place so you can better understand the event—and be confident you’ve fully recovered a trustworthy system?
# 4 Adapt: Modify business/mission functions and supporting capabilities to account for likely changes in the technical, operational, or threat environments. Take this opportunity to make things unpredictable for future attackers. Distributing different tools across the environment in waves can reveal things that a static environment does not. Furthermore, make things non-persistent. Create systems or services that live only as long as needed and then can be destroyed. (Sounil Yu, CISO of JupiterOne and creator of the Cyber Defense Matrix and DIE Triad, has an informative and entertaining discussion on this very concept.) Lastly, think about putting in a “canary in the coal mine” or trip wires. By salting your system with deceptive information or capabilities, you’ll receive warnings about active cyber threats. Plus, the mere existence of information like this may cause an adversary to pause—thereby slowing their advance or making them distrust all information, true or not. If you make things hard enough for them, they’ll go someplace else.
For more detail about the cyber resiliency concepts I’ve outlined, check out the CREF Navigator. This interactive website contains definitions, mappings, relationships and visualizations to other frameworks and standards to help you navigate your cyber resiliency journey.
A final note: We’ve all heard the rough definition of insanity is doing the same thing repeatedly while expecting a different result. This holds true in cyber. Resilient folks adapt. They don’t repeat unsuccessful actions. A quote often attributed to Charles Darwin is as accurate now as it was well over a century ago: “It is not the strongest species that survive, nor the most intelligent, but the ones most responsive to change.”
About the Author
Shane Steiger is a principle cybersecurity engineer with MITRE, with more than 24 years of experience across multiple large enterprises and industries with emphasis on cyber architecture and strategy. Steiger was an early adopter of MITRE’s Cyber Resiliency Engineering Framework (CREF) and the MITRE ATT&CK® Framework, incorporating each framework into the threat modeling, emulation, and defensive strategy choices of his organizations. He also contributed directly to NIST SP 800-160 Volume 2 (Rev. 1): Developing Cyber Resilient Systems: A Systems Security Engineering Approach. Steiger received his Bachelor of Arts in Mathematics and Latin from Susquehanna University and his Juris Doctor from Widener University Commonwealth Law School. He is a Certified Information Systems Security Professional (CISSP) and a member of the Pennsylvania Bar. Shane can be reached online at ssteiger@mitre and https://www.linkedin.com/in/shane-steiger-esq-cissp-6073a41/ and at MITRE’s website https://www.mitre.org.