It is no secret that cyberattacks are inevitable, but two important words that organizations must focus on are cyber resilience. Combining elements of information security, business continuity, and organizational resilience, a cyber resilience strategy can enable rapid recovery from an inevitable attack with little to no operational disruption.
Traditional cyber security measures continue to be important — and preventing and detecting as many attacks as possible is an essential part of any cybersecurity program. The rapid pace of attacks and the significant business and regulatory implications of a successful attack are just a couple of reasons that it is so important for organizations to increase their readiness and resilience.
1. Implement a data recovery plan
Most organizations have backup and recovery systems in place to help in case of a data loss, whether the data loss is due to hardware or software failure, corrupted data, or a cyberattack. In the past, reliable, secure backups that were stored separately from the primary environment made it more difficult for an attacker to access and encrypt them. Today, double-extortion ransomware attacks both encrypt and exfiltrate critical data, which means the attackers can publish potentially sensitive information regardless of whether you paid the ransom, and your offsite backup cannot prevent that. At the same time, access to reliable backups is still important for overall resilience.
2. Create an incident response plan
An incident response plan (IRP) provides you with a set of tools to use and processes to follow if an incident occurs. Many organizations, however, have (luckily) never experienced a significant incident and do not regularly review their response plan to ensure it still makes sense and aligns with their business, compliance, and regulatory requirements. Conducting red team, blue team, and tabletop exercises can help you assess your IRP, find gaps, and update the plan to address those gaps.
When building your IRP, you need to understand your technology stack. Many organizations have already moved significant portions of their environment to the cloud, which requires a plan that differentiates between cloud and on-premises environments. With a traditional on-premises environment, organizations typically deploy antivirus and endpoint detection and response (EDR) tools on every system. However, with platform, software, or function as a service (PaaS, SaaS, or FaaS) solutions such as AWS EKS, RDS, and Lambda, the cloud service provider (CSP) manages the underlying system. In that case, installing endpoint software is not possible, so you need to manage detection and response in other ways, such as proactively collecting forensic data from cloud and SaaS providers.
It is also important to understand the shared responsibility model that CSPs use to divide security duties within customer cloud environments. In Infrastructure as a Service (IaaS), the CSP secures the physical hosts and networks. In PaaS and SaaS, the CSP also secures the operating system and the application, respectively. Your organization, as the customer, must secure your own information and identities. Some CSPs may help you with incident response (IR) by collecting logs or supplying recommendations during an incident that involves their services.
3. Collect and retain forensic data
Proactively collecting forensic data is a crucial step, especially in cloud environments, but it is not enough. You also need to ensure that the data you collect is the right data. A Crown Jewel Analysis can help you identify the digital assets that are critical for your organization to achieve its mission – the ones that, if compromised, would have a significant impact on your business. You also need to discover the critical pathways and digital assets that cyberattackers are likely to compromise on their way to accessing the crown jewels. One way to do this is to simulate potential critical cyber incidents and verify that you are collecting the right data based on the needs and requirements of your business.
Collecting forensic data, aggregating and organizing that data, performing data analytics upfront, and storing that data for an extended period (frequently organizations discover breaches months after they occurred) are a few of the key steps to ensure an IR team can discover leads, investigate the incident, and provide actionable information quickly.
4. Conduct proactive threat hunting in your environment
Conduct hunts based on up-to-date threat intelligence in your region and the assumption that your organization has already been breached. During these hunts, investigators search for forensic data that identifies malicious activity in your system or network (these are called indicators of compromise, or IoCs). Proactive threat hunting analyzes known adversaries to create hypothetical attacks focused on likely areas of compromise. This is typically an area that contains sensitive data, source code, or something else that is valuable to your organization. Hunts provide a great deal of value for you in two areas:
- Hunts allow you to uncover dormant threats in your organization, undetected by traditional security solutions, before they are fully exploited and abused.
- Hunts allow you to simulate IR activities, uncovering potential pitfalls in the process, such as missing forensic data, limited access, or even discovery of assets that previously had not come to the attention of security staff.
Proactive threat hunting can leverage technology and automation to search automatically for threats based on previously identified attack patterns, their forensic footprint, and available threat intelligence. It is critical to run these types of hunts regularly and update the hypotheses you are investigating so that you keep up with changing threats and your own environment as it inevitably changes.
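The two preceding sections describe, in prose, what the collection and hunting steps involve: aggregating forensic data from on-premises and cloud sources into one organized form, checking that it is retained long enough to support an investigation months later, and then running both IoC-based and hypothesis-based hunts over it. The following added example (written for this article, not code from the original author or any vendor) works through that pipeline on constructed sample logs. The host names, user names, IP addresses, resource names, internal network range and the "known-bad" address list are all placeholders invented for the example.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample data, not real logs: a syslog-style SSH log from an
# on-premises host and a JSON cloud API audit log. Every host, user, IP
# and resource name below is a placeholder invented for this example.
SYSLOG_LINES = [
    "2024-03-01T08:12:04Z fileserver01 sshd[2211]: Accepted publickey for svc_backup from 10.0.5.12 port 51022",
    "2024-03-01T08:13:40Z fileserver01 sshd[2219]: Failed password for admin from 198.51.100.23 port 40211",
    "2024-03-01T08:13:45Z fileserver01 sshd[2219]: Accepted password for admin from 198.51.100.23 port 40211",
]
CLOUD_AUDIT_LINES = [
    '{"eventTime":"2024-03-01T08:20:11Z","eventName":"GetObject","userIdentity":"admin","sourceIPAddress":"198.51.100.23","resource":"crown-jewel-bucket"}',
    '{"eventTime":"2024-03-01T08:21:02Z","eventName":"PutBucketPolicy","userIdentity":"admin","sourceIPAddress":"198.51.100.23","resource":"crown-jewel-bucket"}',
    '{"eventTime":"2024-03-01T09:00:00Z","eventName":"GetObject","userIdentity":"svc_reporting","sourceIPAddress":"10.0.7.4","resource":"public-assets"}',
]
# Assumed internal address space for the constructed organization.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Event:
    """One normalized record, whatever the original log format was."""
    ts: datetime
    source: str   # "onprem" or "cloud"
    actor: str
    action: str
    src_ip: str
    target: str


SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def _parse_ts(text):
    # Accept the trailing "Z" that log exporters commonly emit.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if m is None:
        return None  # an unrecognised line is dropped, never guessed at
    return Event(_parse_ts(m["ts"]), "onprem", m["user"],
                 f"ssh_{m['result'].lower()}", m["ip"], m["host"])


def parse_cloud(line):
    d = json.loads(line)
    return Event(_parse_ts(d["eventTime"]), "cloud", d["userIdentity"],
                 d["eventName"], d["sourceIPAddress"], d["resource"])


def normalize(syslog_lines, cloud_lines):
    """Aggregate both sources into one time-ordered list of Events."""
    events = [e for e in map(parse_syslog, syslog_lines) if e is not None]
    events += [parse_cloud(line) for line in cloud_lines]
    return sorted(events, key=lambda e: e.ts)


def retention_shortfall(events, required_days, now):
    """Sources whose oldest retained record is younger than the policy, i.e.
    an investigation reaching back `required_days` would hit a gap there."""
    oldest = {}
    for e in events:
        oldest[e.source] = min(oldest.get(e.source, e.ts), e.ts)
    horizon = now - timedelta(days=required_days)
    return sorted(src for src, ts in oldest.items() if ts > horizon)


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETWORKS)


def hunt_iocs(events, bad_ips):
    """Hunt 1: every record whose source address is a known indicator of compromise."""
    return [e for e in events if e.src_ip in bad_ips]


def hunt_external_login_then_jewel(events, crown_jewels, window_minutes=30):
    """Hunt 2 (hypothesis-driven): an actor whose SSH login from an external
    address first failed and then succeeded, and who then touched a crown
    jewel from that same address within the window."""
    findings, failed, logged_in = [], set(), {}
    for e in events:
        if is_internal(e.src_ip):
            continue  # this hypothesis is about an external foothold
        key = (e.actor, e.src_ip)
        if e.action == "ssh_failed":
            failed.add(key)
        elif e.action == "ssh_accepted" and key in failed:
            logged_in[key] = e.ts
        elif (e.target in crown_jewels and key in logged_in
              and e.ts - logged_in[key] <= timedelta(minutes=window_minutes)):
            findings.append((e.actor, e.src_ip, e.action))
    return findings


if __name__ == "__main__":
    evs = normalize(SYSLOG_LINES, CLOUD_AUDIT_LINES)
    now = datetime(2024, 9, 1, tzinfo=timezone.utc)
    print("retention gaps at 365 days:", retention_shortfall(evs, 365, now))
    print("IoC hits:", len(hunt_iocs(evs, {"198.51.100.23"})))
    print("hypothesis hits:", hunt_external_login_then_jewel(evs, {"crown-jewel-bucket"}))
```

The two hunts deliberately differ in kind: the IoC hunt only finds what threat intelligence already names, while the hypothesis hunt encodes an attack path toward a crown jewel and will fire on an address nobody has listed yet. The retention check is what turns "store data for an extended period" into something testable against a policy value.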
5. Find experts to help
You need to have the right experts in place, including:
- Legal resources (in house or outside firms) to aid in meeting regulatory compliance requirements. Regulatory governance (GDPR, HIPAA, FDIC, and so on) requires companies to notify impacted end users of critical incidents within a specified period. Cyber insurance policies may require both legal partners and incident response partners.
- Communications, both internal and external. You may need to prepare notifications for employees, partners, customers, and sometimes the larger public.
- Incident response. Your organization may or may not have a dedicated internal IR team with the time and ability to handle a critical incident. An outside IR partner has visibility into more environments and incidents than an individual organization, while a cloud IR partner will have greater ability in cloud and SaaS environments and cloud-specific security concerns. Make sure you have the right IR vendor(s) for your environment.
- Building partnerships with relevant agencies can also help you increase resilience. In the United States, the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) offer timely and trusted information that can help you stay up to date on critical threats, identify ways to mitigate threats, and get access to essential information and resources.
Prepare for an incident to increase cyber resilience
Increasing your incident readiness and overall cyber resilience is not a straightforward process that can be done once and forgotten. It requires you to build and support critical plans and relationships and to increase cyber awareness throughout your organization by conducting exercises that test your plans. These efforts will help you recover rapidly when a critical incident occurs, so that it remains an incident rather than escalating into a crisis.