Implementing a cyber defense assessment strategy

As cyber criminals become increasingly capable, your organisation’s cyber defense must grow with them. This requires a continuous improvement approach to cyber security. At the core of continuous improvement lies understanding where you are at any given moment and where you want to go. Naturally, this applies to cyber defense as well.

Assessments (determining an object’s level of security and/or effectiveness) are a vital activity in gaining that insight and understanding. But there are many things that can be assessed, in many ways. So, to determine the effectiveness of your organisation’s cyber defense, a clear strategy is required. I’ve come up with a model for such a cyber defense assessment strategy, represented in the diagram below.

[Diagram: the cyber defense assessment strategy model]

The model consists of assessment methodologies, techniques and activities that will be explained in more detail hereafter.

Two notes on scope. First, there are real-time assessment techniques that are part of your security posture, for example conditional access mechanisms that assess whether an authentication attempt meets the requirements to gain access to resources. In this article, these techniques are considered policy enforcement rather than assessment and are out of scope. Second, I chose to exclude risk assessment and IT audits from this assessment strategy. Risk assessment is much broader than cyber defense; a cyber defense assessment strategy should therefore be part of your enterprise risk management approach, not the other way around. IT audits can play a role in strengthening your cyber defense by auditing and helping to improve certain cyber defense capabilities, but they are not specific to cyber defense (or even to cyber or security), which is why they are not included in this model.

1. Cyber security organisation

The cyber security organisation as a whole can be assessed using the NIST Cyber Security Framework (CSF), which helps to identify deficiencies at a high level across its five Functions: Identify (assets and risks), Protect (controls), Detect (monitoring), Respond (to incidents) and Recover (from incidents). The NIST CSF was not created specifically for cyber defense purposes, but it has sufficient elements that can be used to strengthen your cyber defense capabilities.

Note that the NIST CSF overlaps with other elements in the assessment strategy: the Detect Function also covers vulnerability scanning, the Respond Function refers to testing response plans, etc. Therefore, I consider the NIST CSF to be an umbrella for cyber defense assessment, with more detailed assessment methodologies to augment the high-level perspective that it provides. Chapter 4 of the NIST CSF documentation describes how to perform a self-assessment using the framework.

As an alternative to the NIST CSF, the CIS Critical Security Controls provide a similar overall view of your cyber defense capability. Just like the NIST CSF, they overlap with other elements in this strategy (such as vulnerability scanning and incident response), so they too are an umbrella for cyber defense capabilities. CIS offers an online self-assessment tool (CIS CSAT) to support an assessment. Note that the CIS Controls are mapped to the NIST CSF, so indirect assessment of the CIS Controls through the NIST CSF is also possible.

2. IT landscape

The IT landscape is subdivided into the infrastructure landscape and the application landscape. There are several activities that should be carried out to ensure the security of the IT landscape. Some are more specific to applications, some more to infrastructure. The positioning of the activity shows how it relates to both. The activities in this area are:

- SAST/DAST/IAST. Static and dynamic application security testing should be conducted to identify potential issues in code that is developed and deployed by the organisation. SAST analyses the source code (or binaries) without running the application, while DAST exercises the running application and evaluates how it handles input (for example, by fuzzing input fields). Both should be integrated into the development pipeline to provide automated testing and to block code with issues from progressing. IAST combines elements of both: an agent instruments the running application and observes code paths and data flows from the inside, in real time, while the application is being exercised.

- Pen testing. Pen testing is a manual activity in which the tester determines whether the IT object under investigation (either infrastructure or an application) is sufficiently secure. Pen testers use a plethora of tools to find security flaws; SAST and DAST tooling can be part of that toolkit. Since pen testing is time consuming, it is difficult to do continuously, so it is an extension of (and not a replacement for) automated application testing.

- Vulnerability & configuration assessment. These activities (vulnerability assessment and baseline compliance assessment) are used to find security weaknesses, whether due to misconfiguration or a lack of patching, which can then be remediated. Baseline compliance can be determined by performing baseline scans, often with the same tooling that is used for vulnerability scans. The CIS Benchmarks are an excellent industry best-practice resource for baselines; they will need to be tuned to match your organisation’s policies. Note that it is likely that not all of your applications and infrastructure will have a CIS Benchmark.

3. Cyber defense teams

Two main cyber defense teams are identified in the cyber defense assessment strategy: the SOC and the incident response (IR) team. In large organisations there may be additional cyber defense teams (such as CTI teams, threat hunting teams, red teams, detection engineering teams, etc.). For purposes of modelling and simplification, such teams are considered to be part of the SOC in this strategy. The following task areas have been identified:

- Maturity / capability assessment. This assessment is aimed at determining strengths and weaknesses in cyber defense teams. The SOC-CMM provides an overall and broad assessment of SOC capability and maturity (which includes several other elements of the cyber defense assessment strategy). For incident response, SIM3 (Security Incident Management Maturity Model), as well as the ENISA maturity assessment and the CREST assessment, can be used to determine the maturity level of the IR team. Additional service-specific assessments and methodologies (such as the hunting maturity model, CTI capability assessment, etc.) can be used if the SOC-CMM and IR assessments do not provide sufficient insight.

- Preparedness assessment. Both the SOC and the IR team need to be prepared for incidents. This can be accomplished by doing IR exercises, for example a table-top exercise. In such an exercise, an incident scenario unfolds and the team gets to test its capability to respond in a safe environment, as well as the quality of its incident response plan. Specifically for SOCs, cyber ranges, in which an incident is simulated in a virtual environment, can be used to train SOC personnel in a more hands-on way. Note that both cyber ranges and IR exercises can have a broad or narrow scope, depending on the requirements.

- Detection & response assessment. Red teaming and purple teaming are aimed at the detection and response capabilities of the SOC. The main difference is that in red teaming exercises the blue team (SOC) is unaware of the exercise, whereas in purple teaming the SOC is fully aware and works alongside the red team. Using red / purple teaming, gaps in protection, detection and response can be identified in detail. IR teams may be involved in red team testing if the incident response capability is separated from the SOC in a separate team.

- Security monitoring assessment. The effectiveness of security monitoring can be determined by conducting red or purple team exercises. However, red teaming and purple teaming are relatively costly efforts and are not aimed at establishing the completeness of the security monitoring process. Additional continuous activities must be employed to augment periodic exercises:

  • Visibility assessment, in which the SOC determines its ability to detect ATT&CK techniques based on the logging that is available. This can be done using the DeTT&CT tooling, which maps the data sources you collect to the data sources each ATT&CK technique requires.
  • Automated defense testing, in which small (atomic) tests are executed to mimic the use of ATT&CK techniques in the network. Atomic Red Team and Caldera are examples of such tools. Such tools can also be used to validate the correct working of automated response playbooks.
  • Adversary emulation, in which a number of tools, tactics and techniques associated with a particular threat actor or campaign are used to determine cyber resilience. The MITRE Center for Threat-Informed Defense has created a number of adversary emulation plans that can be used.
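As an added example of the visibility assessment in the first bullet, the following stand-alone Python re-creates the basic mapping idea: the data sources a SOC actually collects, each with a quality judgement, are compared against the data sources each ATT&CK technique can be detected from, giving a per-technique visibility level and the list of missing sources. This is illustrative code, not DeTT&CT's implementation or its scoring model (DeTT&CT scores several quality dimensions separately); the technique-to-data-source table is an abridged, constructed subset, so take the authoritative mapping from the ATT&CK knowledge base or DeTT&CT's own data files. The helper that emits a Navigator-style layer uses only the techniqueID and score fields of the public layer format.

```python
"""Visibility assessment: which ATT&CK techniques can we see with the logs we have?

Added, simplified example of mapping collected data sources to the data
sources each technique requires. Not DeTT&CT code and not its scoring model.
The technique table is an abridged, constructed subset for illustration.
"""
from dataclasses import dataclass

# Constructed, abridged mapping: technique -> data sources it can be detected from.
TECHNIQUE_DATA_SOURCES = {
    "T1059 Command and Scripting Interpreter": [
        "Command: Command Execution", "Process: Process Creation", "Script: Script Execution"],
    "T1003 OS Credential Dumping": [
        "Process: Process Access", "Process: OS API Execution", "File: File Access"],
    "T1071 Application Layer Protocol": [
        "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow"],
    "T1078 Valid Accounts": [
        "Logon Session: Logon Session Creation", "User Account: User Account Authentication"],
}


@dataclass
class DataSource:
    """One data source as the SOC actually has it, with a collapsed 0-5 quality score.

    `quality` folds device coverage, field completeness, timeliness and retention
    into one number here; a real assessment scores those dimensions separately.
    """
    name: str
    quality: int  # 0 = not collected, 5 = complete, timely and retained


# Constructed inventory of what this hypothetical SOC collects.
AVAILABLE = [
    DataSource("Process: Process Creation", 4),
    DataSource("Command: Command Execution", 3),
    DataSource("Logon Session: Logon Session Creation", 5),
    DataSource("Network Traffic: Network Traffic Flow", 2),
]


def visibility_scores(technique_map, available):
    """Score each technique 0-4 from the quality of the data sources present.

    Missing sources count as quality 0, so a technique whose required sources are
    mostly uncollected lands near 0 even if one source is excellent.
    """
    quality = {ds.name: ds.quality for ds in available}
    scores = {}
    for technique, sources in technique_map.items():
        avg = sum(quality.get(s, 0) for s in sources) / len(sources)
        scores[technique] = round(avg * 4 / 5)  # rescale the 0-5 average to a 0-4 level
    return scores


def visibility_gaps(technique_map, available):
    """List, per technique, the required data sources that are not collected at all."""
    have = {ds.name for ds in available}
    return {t: [s for s in srcs if s not in have] for t, srcs in technique_map.items()}


def heatmap_layer(scores):
    """Build a minimal ATT&CK Navigator-style layer (techniqueID + score per technique)."""
    return {
        "name": "Visibility (added example)",
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t.split()[0], "score": s} for t, s in scores.items()],
    }


if __name__ == "__main__":
    scores = visibility_scores(TECHNIQUE_DATA_SOURCES, AVAILABLE)
    gaps = visibility_gaps(TECHNIQUE_DATA_SOURCES, AVAILABLE)
    for t in sorted(scores, key=scores.get):
        print(f"{scores[t]}/4  {t}")
        for g in gaps[t]:
            print(f"      missing: {g}")
```

Run as-is to see the constructed SOC score 0/4 on credential dumping (nothing collected) and 2/4 on command execution (two of three sources present). The point of the exercise is the gap list: it tells the logging team which sources to onboard first, and the scores feed a Navigator heat map that can be laid next to your detection coverage.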

4. Implementation

With these activities, a mature cyber defense assessment strategy can be deployed in your organisation. Each assessment has its own purpose, and not every type of assessment will be relevant at all times. Some are on-demand, some periodic, and some continuous. Some have broad scope, while others are very focused. Thus, the actual implementation of a cyber defense assessment strategy will highly depend on your organisation’s goals and growth requirements.

Implementing a cyber defense assessment strategy can be complex and challenging. To reduce complexity, start by selecting the right components for your strategy. Where are the greatest challenges and risks at the moment? Which areas in your organisation lack visibility and are ready for an improvement program? For consistency and coherence in your organisation, it is recommended to have a single steering committee to monitor all elements of your cyber defense assessment strategy. This will help to avoid overlapping assessments, guide interdependencies between improvement initiatives and maximize the impact of your improvement program.

There may be other components to this strategy that I have not yet identified. So here’s my question to you: what assessment components should be added to this model? I’m curious to learn more insights!

Resources & links:

https://www.nist.gov/cyberframework

https://www.nist.gov/cyberframework/assessment-auditing-resources

CIS Critical Security Controls (cisecurity.org)

https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat

https://csrc.nist.gov/publications/detail/sp/800-115/final

https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final

https://www.cisecurity.org/cis-benchmarks/

https://www.soc-cmm.com/

https://opencsirt.org/csirt-maturity/sim3-and-references/

https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-capabilities/csirt-maturity

https://www.crest-approved.org/cyber-security-incident-response-maturity-assessment/

https://github.com/rabobank-cdc/DeTTECT

https://github.com/mitre/caldera

https://github.com/redcanaryco/atomic-red-team

https://github.com/center-for-threat-informed-defense/adversary_emulation_library


Wesley M.

Security Specialist at de Volksbank | CISSP | ISO27001 LI | CRTO | eCPPT | eWPT | CARTP | AWS | Azure | CEH | S-ITSE | S-SPF

2 years ago

Nice!

JULIANA OLIVEIRA

Cybersecurity Consultant | ISO IEC 27001 | ITIL V4 | COBIT | SCRUM | Lean Six Sigma | ANPPD Member | Projects | Processes | SOC Operation

2 years ago

António Bacalhau

Security Delivery Associate Director @ Accenture | Cybersecurity lead

2 years ago

Very good article! The difficult part is to understand the threats in real time, easily and cost-effectively.

Avadhoot Sapre

SOC Consultation - Build/Operate/Transform | Incident Handling | SOP Implementation | SOC CMM | SOC Service Delivery

2 years ago

Rob van Os Glad to read this insightful article. Eventually we are speaking about an overall assessment to be conducted to get a complete picture of the cybersecurity posture, rather than assessing in bits and pieces and then stitching them together! Good read
