When it comes to cybersecurity, a multifaceted approach is needed for resilience. In any resilience model, you have a primary site, a secondary site and so on to maintain business continuity of operations – fail-safe measures, if you will. For instance, if your business is based in New York City and the power goes out, you can operate remotely from a data center in Utah. It is about reducing the risk of operational impact.
With cyber resilience, it is the same kind of philosophy: reducing your cyber incident risk and not just relying on one line of defense or one capability you think will be the one that finally stops the bad actors. Looking at the standards for cyber resilience in federal agencies will help businesses understand both the essentials and the additional steps they need to take to fully safeguard their assets.
Why cyber resilience?
Organizations are trying no shortage of different technologies to improve their cybersecurity posture – whether it is SIEM, EDR, network analysis, behavioral analytics or other tools. These are all being deployed, and yet bad actors are still operating freely. Organizations are spending billions of dollars each year on cybersecurity, yet they are not getting a return on investment that provides sufficient peace of mind.
Whether they are malicious actors, nation-states or other cyber criminals, they are still going undetected too often. In fact, according to the 2019 Verizon Data Breach Investigations Report, the average threat can lurk undetected inside an environment for over 100 days; 56% of breaches went undiscovered for months or longer. And according to the Mandiant Security Effectiveness report, released in May, more than 90% of attacks resulting in a breach didn’t generate an alert.
Part of the problem is the way solutions are being implemented. For the most part, everyone is implementing the same control-based approaches (which are more compliance and policy-based) and the same technology approaches (vulnerability-based, indicator of compromise-based and so on).
Over the past several years, there has been a great deal of analysis of these different approaches, and specifically on how they’ve been applied to protect our national infrastructure – think government agencies or financial services. The NIST framework, the MITRE ATT&CK framework and other policies or plans that address federal agencies have outlined a new baseline that plans for cyber resilience. While these are directly focused on federal agencies, other industries can gain valuable insights from them.
There are certain essentials that have to be in place – the primary effects. These include logging, firewalls, intrusion detection and more. These “effects” are focused on protecting your perimeter. You must have other tools as well, such as multifactor authentication and identity and access management. But then you need to take it a step further, because these solutions will not do much to defeat advanced persistent threats (APTs).
Cyber resilience becomes particularly important when APTs are attacking an environment. APTs usually access an environment through a low-value asset that is easy to compromise, such as leveraging social engineering against a user to gain access to their laptop. Then the attacker furtively moves throughout the environment, from asset to asset, until they gain unauthorized access to a high-value asset.
Intrusion detection systems and other traditional detection approaches monitor environments for activity that looks anomalous, so they usually have high false positive rates, and they typically miss APTs altogether because of their stealth. Without cyber resilience, it is highly unlikely to find an APT amidst all the false positive activity.
The deceptive approach
Adversaries are operating at sub-second speeds – they run a scan, determine what is exploitable, and are back out before you know it. That means they know exactly how to move next time. While some of your alerts might go off, it is unlikely you will be able to keep pace with that speed. Therefore, you need cybersecurity solutions that are undetectable and deceptive.
The NIST and Department of Homeland Security frameworks now require deception technology to protect against APTs. MITRE recently introduced the Shield knowledge base, aimed at encouraging a conversation about active defense and adversary engagement. Highlighted in Shield is the concept of using deception, which makes it harder for attackers to find their targets, by wasting attacker resources and slowing down attacks. An example of deception is planting false resources rigged with hidden abilities or characteristics, such as setting up a beacon within a particular file so when an attacker opens or copies that file, the beacon triggers an alert.
When you set up a distributed deception strategy making all endpoints sensors, adversaries are forced to engage with deceptions even on low-risk systems and are paralyzed by their interaction with realistic deceptions. Their actions trigger 100% positive alerts allowing defenders to stop them before they get to those most critical data sets. It is an active defensive strategy rather than the wait-and-respond-as-needed approach.
Deceive and defeat
It is clear that cybersecurity requires a diverse approach – and that what most organizations have been doing still isn’t working. Intruders still find ways into corporate networks and often stay for a long time, doing as they please. This means another layer, a stopgap measure, is in order. The frameworks outlined by NIST, the DHS and others not only recommend but require deception techniques as part of a holistic cybersecurity strategy. Distributed deception keeps adversaries occupied with worthless assets while alerting the IT security team to their presence for stronger protection of your organization’s digital crown jewels.