Practicing preparedness: Are you ready for your next cyberattack?
There is no escaping it: cyberwarfare is here, and attacks on organizations of every kind take place daily. How an organization responds to the inevitable successful intrusion will make all the difference between a quick recovery and a costly failure.
The World Economic Forum rates the risk to organizations around the world as comparable to that of natural disasters, with potential losses just as high. Lloyd's of London puts the potential damage to the global economy from a large-scale cyberattack at more than $120 billion, on par with the costliest hurricanes in US history, Katrina in 2005 and Harvey in 2017. That is because the same knowhow and computing capability that has done so much to improve the lives of billions of people worldwide can just as readily be turned to destructive cyberwarfare.
Government agencies are at as much risk as anyone else, if not more. Despite commercial enterprises, the financial industry, and government agencies all dedicating significant resources and trying a variety of methods to harden themselves against cyber threats, the rate at which a persistent actor eventually succeeds in intruding remains high. The likelihood of success by a threat actor persists because attackers, too, keep adding to their resources and changing their methods. Thus, the impact and scope of a potential intrusion still keeps Security Operations Center (SOC) chiefs, cybersecurity directors, Chief Information Security Officers (CISOs), and Chief Information Officers (CIOs) up at night. The challenge compounds for federated government agencies because of the number of independent organizations they are required to protect.
Nothing less than a warfighter's mentality is required to gain real assurance in defensive capabilities. To a warfighter, realistic training is critical to increasing the odds of being on the winning side of each battle. To that end, a new approach that systematically practices readiness alongside the cybersecurity standards and procedures that apply to the organization will greatly improve defenses against cyberwarfare attacks.
Why what the industry has been doing has not been enough
Many cybersecurity leaders take a traditional approach to managing risk that involves increasing the budget and resources used to develop a solution to the problem. This usually results in costly on-demand charges and a poor understanding of how a given incident happened, how the organization responded, what the impact was, and how to address the incident with stakeholders. Examples of these traditional approaches are:
- Contingency funds to funnel money into existing cybershops when disaster strikes;
- Comprehensive portfolios of ever increasing security tools;
- External commercial cybersecurity vendor(s) for hunt and incident response; and
- Teaming with other federal partners to help respond to threats.
However, despite the best efforts of IT professionals and outside vendors, such measures are still not enough to defend against and respond to threats. That is because they do not address the root problem many organizations face: a lack of quantifiable methods to analyze, measure, and adjust how the organization actually responds to attacks, including its incident response policies, procedures, tools, and custom-developed capabilities.
To address this shortfall, cyber decision makers can draw on an approach found in a text more than two thousand years old yet still very much relevant today.
Lessons from The Art of War
In The Art of War, the fifth century BC classic often referenced by cyber defenders, Sun Tzu instructs readers to know both themselves and their enemy. Such knowledge is as much the key to successful cyber defense and response as it is to any other kind of warfare.
In the context of cybersecurity, knowledge of self includes a full understanding of your organization's incident response plan, patch-management status, and digital footprint across on-premises systems, cloud services, mobile and other devices, network design, user base, and so on. It also includes your organization's unique risk tolerance, any moratoriums in place, risk factors unique to your industry, the results of any hazard vulnerability analysis, and the locations and capabilities of your cyber defense tools and processes. Internal analysis and simulations can help develop this crucial knowledge.
Critical knowledge of the enemy includes an understanding of what an attack has done or seeks to do and, deeper than that, knowledge of the preferred techniques of given adversaries so you can predict what attackers might do next.
To effectively measure and defend against cyberattacks, you need to combine in-depth self-knowledge with knowledge of the enemy. This mentality and effort must be put into practice within the context of your unique processes, risk tolerances, moratoriums, governance procedures, rule sets, and the like. There is no better way to hone this knowledge than in a simulation environment.
In other words, just as actual warfighters prepare for battle with exercises on a firing range, cybersecurity experts should seek opportunities to practice in hyper-realistic cyber simulations.
Practice makes preparedness
Cyber simulations can help organizations prepare to handle their unique security challenges in a safe and controllable environment.
With realistic practice, analysts are able to keep their skills sharp over time so they are prepared to face threat actors who constantly change tactics. Without a realistic simulation environment that spans the entire kill chain of adversary activity, organizations risk the aggressors getting stronger while the defenders get weaker. If federal agencies seek out simulation environments that can be customized to their organization's needs, CISOs and CIOs can obtain a better view of how their organization will respond to an attack and measure the results. This practice allows decision makers to make informed risk-acceptance decisions based on applicable data.
Practicing realistic cyber preparedness is critical so that organizations can measure and refine their effectiveness in a precise manner. Through that precision, leaders gain assurance in the response capability of their organization and can "adjust fire" as needed. By doing more to know yourself and your enemy, organizations can more adequately prepare for cyberattacks when the inevitable happens.
Here at Leidos, we bake hands-on experience into our CyberEDGE Academy program and into our cyber defense workforce strategy because we understand the challenges presented to federated organizations, we understand emerging technologies, and we understand emerging threats. We prioritize our people through innovative approaches and technologies for constant and increasing effectiveness across all the missions we support.