
Developing Cyber Resilience: How To Think Like a Forensic Investigator

An Important Consideration Other Than Zero Trust Adoption

By Z3n Ch4n, published 2 years ago, 6 min read

We all continue to depend completely on information technology deployed in critical infrastructure and applications across the public and private sectors, from the electric grid to voting systems to the vast "Internet of Things."

As a result, every company and organization remains highly vulnerable to sophisticated cyber-attacks from hostile nation-state-backed actors, criminal and terrorist groups, and rogue individuals.

Advanced adversaries, collectively called the Advanced Persistent Threat (APT), compromise critical systems and often remain undetected within those systems for months, inflicting immediate and long-term economic damage and even national security threats.

That is why the cybersecurity community as a whole promotes Zero Trust Architecture, including Google's BeyondCorp, Gartner's CARTA, NIST SP800–207, and ZTX by Forrester, all of which start from the assumption that compromise is inevitable. Given that assumption, it is worth introducing the idea of Cyber Resilience.

Cybersecurity vs. Cyber Resilience - Using An Analogy

The main difference between them is the focus of the response. In Cybersecurity, we have DR/BCP (disaster recovery and business continuity planning) to ensure organizations can resume operations as quickly as possible. However, the main focus of Cybersecurity is still on preventive controls.

Take a well-known notion, "Defence-in-Depth (DiD)", as an example: even with more than one barrier involved (i.e., layered security), there is no guarantee it will completely stop people from getting through.

Similarly, you can be physically fit yet get injured easily. Some bodybuilders with very little body fat need a lot of energy just to maintain their condition. In contrast, a slim person can be strong and capable of withstanding different kinds of stress.

The difference may not show in appearance; it is about the idea of resilience. Being resilient is the ability to adapt well in the face of adversity, trauma, tragedy, threats, or significant sources of stress.

NIST SP800–160, Vol. 2

In late 2019, NIST released a special publication SP800–160 volume 2, "Developing Cyber Resilient Systems — A Systems Security Engineering Approach." It is the first in a series of specialty publications developed to support NIST SP 800–160 Volume 1 — the flagship Systems Security Engineering guideline.

“the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that include cyber resources.”

Volume 2 addresses cyber resiliency considerations for two essential yet distinct communities of interest:

  • Engineering organizations developing new systems or upgrading legacy systems using systems life cycle processes; and
  • Organizations whose existing systems, as part of their installed base, currently carry out day-to-day missions and business functions.

Cyber Resiliency is different from cybersecurity defense. It is about knowing bad things will happen. The question is not about if but when. To become cyber resilient, the scope of protection would be more than the "Crown Jewels." It involves a more extensive coverage: the ecosystem of the business or organization.

Cyber Resilience

Cyber-resilient systems have security measures or safeguards "built-in" as a foundation of their architecture and design, enabling them to endure cyber-attacks, faults, and failures and continue to operate even in a degraded or debilitated state to carry out the organization's mission-essential functions.

The current focus on resilience, on the other hand, doesn't lose sight of the leading edge of an adversary's initial compromise, even as the focus shifts elsewhere toward eliminating the probable impact of the entire attack chain. Thus, instead of relying heavily on preventative controls, resilience-based security goals look holistically at the full suite of available security controls.

As a result, the entire security infrastructure can disproportionately raise the effort, material, and time an adversary must invest to progress with an attack, while reducing the probability that such an attack ends in business or operational disruption.

Let's work through Cyber Resilience with two different well-known frameworks, PDC (Prevent, Detect, Correct) and CSF (NIST's Cybersecurity Framework).

1. Prevent, Detect, Correct… Adapt

In Cyber Resiliency, we assume that attacks are unavoidable, so we need to be well prepared for their impact and learn from them. For example, I mentioned using the PDC security mindset (Prevent, Detect, Correct) framework to strengthen Incident Response Triage. But one puzzle piece is missing: adaptation to threats.

PDCA: Prevent, Detect, Correct, and Adapt (not to be confused with Plan-Do-Check-Act!) should be the better approach against fast-changing malicious activity. To add adaptation to the picture, we need a different approach.

When integrating this idea into a security mindset, you should put your focus in different places according to which phase you are at:

  • Prevention — Think like a Security Architect (Focus more on design and plan)
  • Detection — Think like a Security Engineer (Attack/Defense thinking and Finding the real threats)
  • Correction — Think like a Security Consultant (Resume Continuous business improvement)

Adding adaptation means:

  • Adaptation — Think like a Security Forensic Investigator (find the root cause after the event)

2. NIST's Cybersecurity Framework

Another way to see the interconnection between Cybersecurity and Cyber Resilience is to examine them in terms of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The framework identifies the five pillars that make up the cybersecurity "backbone":

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

For this post, "cybersecurity," as discussed, covers the framework's first three functions (Identify, Protect, Detect), and Cyber Resilience covers the last two (Respond, Recover). Collectively, they create a comprehensive cybersecurity and data protection strategy.

These are the reasons why every company needs to plan for both Cybersecurity and Cyber Resilience. Resilience isn't just for cyberattacks; it goes hand in hand with your business continuity strategy to ensure that no matter what causes disruption, data can be recovered, and operations can get back up and running fast.

Final Words — Be A Michelin Man, And Think Like a Forensic Investigator


I like comparing security with health, as both are my prime areas of interest. Being resilient is like becoming the "Michelin Man," who is surrounded by tires and can bounce around. I am not talking about the size, but about the all-round airbag that protects the Michelin Man against attacks from 360 degrees.

Holistic healthcare focuses on maintenance rather than treatment. Therefore, the health maintenance examination is an opportunity to focus on disease prevention and health promotion, not medical treatment.

As an example, most metabolic illnesses are the result of prolonged inflammation. As a result, the symptoms are the "breaking point" or the weakest spot of your body. Maintenance can be in exercise, a mindful diet, or meditation to reduce stress in different aspects.

In a holistic cybersecurity approach, we adopt a security mindset from frameworks like PDC (Prevent, Detect, Correct) or PPT (People, Process, Technology), plus an adaptive approach to find the root cause of the problem.

PDC becomes PDCA:

  • Prevention — Think like a Security Architect (Focus more on design and plan)
  • Detection — Think like a Security Engineer (Attack/Defense thinking and Finding the real threats)
  • Correction — Think like a Security Consultant (Resume Continuous business improvement)
  • Adaptation — Think like a Security Forensic Investigator (find the root cause after the event)

Another way to look at Cyber Resilience is through the NIST CSF. We should not ignore the last two functions (Respond and Recover). To achieve that, we need to:

  • be prepared to restore your systems and data to a pre-incident state at any time by backing them up;
  • be able to maintain your business processes consistently, despite possible security incidents; and
  • be able to react accordingly and support all business processes during a cyber attack.

A resilient security architecture is one where defenders maintain maximum visibility across their enterprise:

  • attacks are detected early, contained, and expelled before attackers realize their objectives; and
  • response and recovery from any incidental damage are rapid.

It is an approach better suited to the dynamic business conditions of today's enterprise, where, for example, digital and cloud transformation generally make it more cost-effective.

Adequate visibility, detection, and response are pillars of resilience. Cyber Resilience is an approach most likely to positively manage enterprise risk in a world of vanishing perimeters, mobile assets, and accelerating cloud adoption.


Thank you for reading. May InfoSec be with you🖖.


About the Creator

Z3n Ch4n

Interested in Infosec & Biohacking. Security Consultant. Love reading and running.

