Cyber resiliency goals (i.e., anticipate, withstand, recover, and adapt) support the linkage between the risk management decisions at the mission or business process and system levels and the organization’s risk management strategy. To address cyber resiliency, an organization’s risk management strategy needs to include its threat-framing with respect to cyber threats, its strategies for achieving cyber resiliency goals, and its choice of factors to use when prioritizing and interpreting cyber resiliency objectives at the mission or business process level and at the system level.
In the blog post “The Art of Attack vs. the Science of Resilience,” Omri wrote:
“Resilience relies on the ability to anticipate and withstand cyber risk, so the path to resilience is through detailed cyber risk assessment and actionable, timely cyber risk management.”
Let’s look a bit more closely at NIST’s cyber resiliency goals and the strategies for achieving cyber resiliency goals as part of the organization’s risk management strategy.
Anticipate – Maintain a state of informed preparedness for adversity.
Deterrence, avoidance, and prevention are strategies for anticipating potential threats. Other strategies include planning (i.e., identifying available resources and creating plans for using those resources if a threat materializes), preparation (i.e., changing the set of available resources and exercising plans), and morphing (i.e., changing the system on an ongoing basis in order to change the attack surface).
Withstand – Continue essential mission or business functions despite adversity.
Strategies for withstanding the realization of potential threats, even when those threats are not detected, include absorption (i.e., accepting some level of damage to a given set of system elements, taking actions to reduce the impacts to other system elements or to the system as a whole, and repairing damage automatically), deflection (i.e., transferring threat events or their effects to different system elements or to systems other than those that were targeted or initially affected), and discarding (i.e., removing system elements or even a system as a whole based on indications of damage and either replacing those elements or enabling the system or mission or business process to operate without them).
Recover – Restore mission or business function during and after adversity.
Strategies for recovery include reversion (i.e., replicating a prior state that is known to be acceptable), reconstitution (i.e., replicating critical and supporting functions to an acceptable level or using existing system resources), and replacement (i.e., replacing damaged, suspect, or selected system elements with new ones or repurposing existing system elements to serve different functions in order to perform critical and supporting functions, possibly in different ways). Detection can support the selection of a recovery strategy. However, a system can apply these strategies independent of detection to change the attack surface.
Adapt – Modify mission or business functions and/or supporting capabilities in response to predicted changes in the technical, operational, or threat environments.
Strategies for adaptation include correction (i.e., removing or applying new controls to compensate for identified vulnerabilities or weaknesses), hardening (i.e., reducing or manipulating attack surfaces), and reorientation (i.e., proactively orienting controls, practices, and capabilities to prospective, emerging, or potential threats). These strategies may result in redefinition (i.e., changing the system’s requirements, architecture, design, configuration, acquisition processes, or operational processes).
To link this back to our post, Omri said at the start of the series:
“Cyber risk analysis and management is completely dependent on an understanding of how attackers attack in general, and specifically how attack techniques and methods can be used to threaten your organization. That understanding then needs to be translated into an operational resilience roadmap of the most cost-effective actions to lower your cyber risk. Just like attackers, this can’t be a one-time quick fix – it needs to be an on-going effort of continuous improvement.”
Not only must we anticipate and withstand cyber attacks, but we must also adapt to the current and emerging threat landscape. The type of cyber threat susceptibility assessment we’ve discussed in this blog series produces the information needed to select strategies like reorientation, which help companies better adapt to the complex and ever-changing threat landscape. It also produces the type of information that supports a form of resiliency analysis that permits us to answer some key motivating questions.
How do cyber risks affect mission, business, or operational risks?
We analyzed the system to identify critical resources, sources of fragility, and attack surfaces. We identified and prioritized opportunities for improvement.
How do stakeholder concerns and priorities translate into cyber resiliency constructs and priorities?
We understood the context by analyzing things like the architectural, operational, and threat contexts specific to the cyber environment of the organization.
How well is the system doing (i.e., how well does it meet stakeholder needs and address stakeholder concerns) with respect to the aspects of cyber resiliency that matter to stakeholders?
We established the initial cyber resiliency baseline by defining the evaluation criteria and making an initial assessment by identifying existing security capabilities, gaps, and issues.
How can mission or operational resilience be improved by improving resiliency?
TTP-level threat susceptibility assessment enabled the selection of TTP-level mitigations and security controls that support cyber resiliency goals and objectives. We defined specific alternatives, such as potential technical and procedural solutions for supporting systems and issues, and analyzed them with respect to the criteria we defined for the evaluation.
What is the recommended plan of action?
We developed recommendations by analyzing and assessing alternatives and recommended a prioritized plan of action and milestones to reduce the risk and help achieve resiliency goals.