COMMENTARY
Over the past few years, it has become painfully clear that companies in the defense industrial base (DIB) and those providing critical infrastructure are being actively targeted by nation-state threat actors. Various federal agencies have been sounding the alarm and doing their best to nudge companies to do better. The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) is the hardest nudge to date and (hopefully) soon will become a strictly enforced mandate.
Companies that achieve adherence to CMMC (whose "Advanced" level is aligned to NIST SP 800-171) will become a harder target. But will they be safe from the world's most advanced adversaries? Unfortunately not. Compliance will certainly be a step forward, but entities like China's PLA Unit 61398 will find a way to infiltrate, persist, steal, and, when called upon, disrupt.
Companies that want to realize true cyber threat protection and resilience must go beyond "check-the-box" CMMC / NIST 800-171 compliance. They must move to a proactive and continuous harden, detect, and respond mindset with modern security operations.
Harden-Detect-Respond (HDR) Operations
As a 30-year cybersecurity veteran, I have come upon many cybersecurity truths. One is that policy, controls, and secure configurations continuously rot due to other business priorities and IT entropy. Establishing a strong policy and control structure helps make cybersecurity a top-down operational mindset. However, the pace of IT change and the need for businesses to prioritize speed and efficiency over absolute security often erode the effectiveness of established protections and controls, leaving gaps for attackers to exploit.
An HDR mindset and operational capability help address this by:
Proactively identifying and fixing IT and operational weaknesses, and returning systems to a hardened state.
Immediately detecting and investigating possible intrusions into the IT environment, 24x7.
Hunting and rooting out embedded threats within the IT environment.
Quickly containing, mitigating, and fully responding to incidents.
CMMC / NIST 800-171 mandate most HDR capabilities. However, a company's rigor and depth in realizing them can make the difference between remaining vulnerable or being highly resilient and protected from the advances of a nation-state cyber threat or motivated cybercriminal.
Seven Critical HDR Practices
The following HDR practices can help companies achieve resiliency and protection from cyber threats.
Harden People
People remain the softest target. Security awareness training can reduce the risk of employees falling prey to phishing and other social engineering attacks.
Harden Your IT and Cloud Infrastructure
Software vulnerabilities and misconfigurations are constantly introduced. Conduct routine vulnerability scanning and cloud security posture assessments. Prioritize fixing vulnerabilities and weaknesses most likely to be exploited.
Harden Endpoints
For most organizations, endpoints (along with people) form the perimeter of their defenses. They are attacked constantly and are the most common avenue into IT infrastructure. Properly configured modern endpoint protection and visibility are critical to defending against this risk.
Increase Visibility
The best way to detect threat tactics, techniques, and procedures (TTPs) is by increasing visibility into the IT and cloud environment. Telemetry aggregated in a security information and event management (SIEM) system, including endpoint activity, authentication activity, data access activity, and data movement, provides that visibility in one place where it can be searched and correlated.
Increase Detection
Ensure endpoint and network security solutions are properly configured to detect the types of TTPs they have visibility into. Leverage your visibility and security analytics (e.g., via SIEM) to expand your detection scope. Deploy advanced detection solutions such as user behavior analytics that can detect attackers impersonating employees, for example a logon from a host, location, or time of day the user has never used before. Measure detection coverage against the MITRE ATT&CK framework and push it as close to complete as your telemetry allows.
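To make the "Increase Visibility" and "Increase Detection" points concrete, here is an added example (not code from the article or from any product it mentions) of the kind of user-behavior check a SIEM or UEBA tool runs over authentication telemetry. It builds a per-user baseline of source hosts, countries, and logon hours from a training window, then flags later successful logons that deviate from that baseline on more than one dimension, and separately flags "impossible travel" (two successes from different countries closer together than a plausible trip). The log format, field names, cutoff date, and sample log lines are all constructed for the example.

```python
"""Baseline-and-deviation detection over authentication logs.

Added illustration of UEBA-style detection; not from the article.
Event format (timestamp user host country outcome) and all sample
lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: the last three lines are the "live" window
# in which alice's account is used from an unfamiliar host at 02:13 UTC.
SAMPLE_LOG = """\
2024-03-04T08:55:10Z alice WS-ALICE01 US success
2024-03-04T09:10:42Z alice WS-ALICE01 US success
2024-03-05T08:50:03Z alice WS-ALICE01 US success
2024-03-05T17:20:11Z bob   WS-BOB02   US success
2024-03-06T09:02:19Z bob   WS-BOB02   US success
2024-03-06T21:40:00Z bob   WS-BOB02   US failure
2024-03-07T02:13:55Z alice JUMP-EXT07 RO success
2024-03-07T02:30:12Z alice WS-ALICE01 US success
2024-03-07T09:05:40Z bob   WS-BOB02   US success
"""


def parse(log_text):
    """Parse the constructed whitespace-separated format into sorted event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, country, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "host": host, "country": country, "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Per-user hosts, countries and logon hours seen in successes before cutoff."""
    base = defaultdict(lambda: {"hosts": set(), "countries": set(), "hours": set()})
    for e in events:
        if e["ts"] < cutoff and e["outcome"] == "success":
            b = base[e["user"]]
            b["hosts"].add(e["host"])
            b["countries"].add(e["country"])
            b["hours"].add(e["ts"].hour)
    return base


def detect(events, baseline, cutoff, travel_window=timedelta(hours=2)):
    """Return (timestamp, user, rule, detail) tuples for suspicious successes."""
    alerts = []
    last_success = {}  # user -> most recent successful event, for impossible travel
    for e in events:
        if e["outcome"] != "success":
            continue
        user = e["user"]
        prev = last_success.get(user)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < travel_window:
            gap = e["ts"] - prev["ts"]
            alerts.append((e["ts"], user, "impossible_travel",
                           f"{prev['country']}->{e['country']} in {gap}"))
        last_success[user] = e
        if e["ts"] < cutoff:
            continue  # training window: contributes to baseline, no deviation alerts
        b = baseline.get(user)
        if b is None:
            alerts.append((e["ts"], user, "no_baseline", e["host"]))
            continue
        reasons = []
        if e["host"] not in b["hosts"]:
            reasons.append(f"new host {e['host']}")
        if e["country"] not in b["countries"]:
            reasons.append(f"new country {e['country']}")
        if e["ts"].hour not in b["hours"]:
            reasons.append(f"unusual hour {e['ts'].hour:02d}")
        # A single deviation is routine (new laptop, travel); require two to cut noise.
        if len(reasons) >= 2:
            alerts.append((e["ts"], user, "baseline_deviation", "; ".join(reasons)))
    return alerts


def run(log_text=SAMPLE_LOG, cutoff=datetime(2024, 3, 7)):
    """Build the baseline from events before cutoff and detect over the whole log."""
    events = parse(log_text)
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for ts, user, rule, detail in run():
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user:<6} {rule:<19} {detail}")
```

On the constructed sample this raises two alerts, both for alice: a baseline deviation for the 02:13 logon (new host, new country, unusual hour) and an impossible-travel alert for the US logon sixteen minutes later. Bob's off-hours failure does not alert because only successes are scored. In a real deployment the baseline window would be weeks rather than days, and a SIEM would feed the same fields from identity-provider and endpoint logs.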
Hunt for Threats
The unfortunate reality is that many companies are compromised and don't realize it. If your intellectual property is of interest to nation-state cyber spies, backdoors may already be in place. The surest way to find and kill embedded threats before data is stolen or operations are disrupted is to proactively hunt for them. Threat hunting requires endpoint detection and response along with broad visibility. It also requires expertise and human threat hunters, making this one of the most challenging operational capabilities to realize.
Investigate & Respond 24x7
Threats don't take weekends and holidays off. You must evaluate high-risk indicators of intrusion and compromise within minutes, whatever time or day they occur. A threat given time is a threat that can burrow deeply into your environment and become harder and more expensive to dislodge. Allowed to linger long enough, it will eventually cause you harm. You must have the operational capability to quickly investigate threat indicators and, if an incident occurs, contain and mitigate it within hours.
Prioritize HDR
Defense and critical infrastructure companies face a hard problem — building profitable businesses while protecting their inventions and operations from extremely advanced threats. Those seeking to get ahead of compliance and reduce the risk of cybercrime are wise to prioritize HDR. Not only is it required for compliance adherence, but it can protect and defend you as you layer in additional requirements and controls. Over time, maturing your HDR operations can help you reliably detect and deter nation-state cyber threats if they turn their attention to you.