Risk Management Strategies for Cyber Resiliency
Shawn Riley
Cybersecurity Scientist | US Navy Cryptology Community Veteran | Autist / Neurodivergent | LGBTQ | INTJ-Mastermind
Cyber resiliency, like security, is a concern at multiple levels in an organization. The cyber resiliency goals (i.e., anticipate, withstand, recover, and adapt) link the risk management decisions made at the mission or business process level and at the system level to the organization's overall risk management strategy.
Cyber resiliency solutions are intended to reduce the risk to missions or business functions, organizations, and individuals that depend on systems containing cyber resources. This cyber risk arises in several ways. For example, cyber resources and the systems that incorporate those resources are increasingly complex, so their behavior and properties in the presence of adversity (or even under expected levels of stress) can be difficult to predict. Software generally includes vulnerabilities and weaknesses, which can make it fragile and subject to exploitation by an adversary. Additionally, the presence of resources in cyberspace exposes them to cyberattacks. Cyber resiliency solutions are intended to reduce the risk of depending on systems that contain cyber resources by reducing the extent of the harm from threat events, the likelihood of the occurrence of threat events, and the likelihood that threat events will cause harm.
The risk model for cyber resiliency identifies the types of threat events and the classes of harm of interest to systems security engineers concerned with cyber resiliency. The extent of potential risk mitigation due to a cyber resiliency solution can be analyzed and assessed in the context of that risk model. The risk model for cyber resiliency builds on risk models for security, cybersecurity, resilience engineering, and survivability. However, the cyber resiliency risk model emphasizes the advanced persistent threat (APT) and the effects on missions and organizations of malicious cyber activities or of harm to systems that include cyber resources. Thus, the threat model and the consequence model components of the cyber resiliency risk model have distinctive characteristics.
The threat model for cyber resiliency encompasses conventional security threat models that consider threat sources, including accident and human error, structural failure of system elements or supporting infrastructures, natural disasters, and deliberate human actions (including those by malicious insiders). Similarly, the threat model for cyber resiliency encompasses typical cybersecurity risk models.
However, the cyber resiliency threat model emphasizes the APT as a primary or secondary threat source. As a primary threat source, sophisticated adversaries execute cyber campaigns that can involve multiple systems and organizations and extend for periods of months or even years. In addition, these adversaries can use tactics, techniques, and procedures (TTPs) typical of less sophisticated cyber threat actors. As a secondary threat source, the APT can take advantage of threat events due to infrastructure failure or natural disasters and can imitate or leverage human error or the loss of component reliability. Therefore, when cyber resiliency engineering analysis considers a potential disruption with a non-adversarial source, that analysis includes looking for ways in which the APT could take advantage of the disruption.
The consequence model for cyber resiliency encompasses consequences to information and information systems (i.e., a loss of confidentiality, integrity, or availability). These general consequences can be translated into more specific harms to information and systems that include or are enabled by cyber resources:
Confidentiality - Exfiltrated or exposed information
Data Integrity - Modified, corrupted, or fabricated information
System Integrity - Usurped or misused system resources
Availability - Degraded or disrupted functionality or performance
However, the consequence model for cyber resiliency also considers the potential consequences to the missions or business functions supported by the system, to the organization, and sometimes to other stakeholders (e.g., individuals whose personal information may be exfiltrated or exposed, members of the public affected by environmental harms resulting from the failure of a critical infrastructure system).
In general, a cyber resiliency solution identified and implemented for a given scope is intended to reduce risks at the next level; for example, implementing a solution at the system level can mitigate risks to mission or business functions.
To address cyber resiliency, an organization's risk management strategy needs to include its threat framing with respect to cyber threats, its strategies for achieving the cyber resiliency goals, and its choice of factors to use when prioritizing and interpreting cyber resiliency objectives at the mission or business process level and at the system level. Strategies for achieving the cyber resiliency goals include:
Anticipate: Maintain a state of informed preparedness for adversity.
Adversity refers to adverse conditions, stresses, attacks, or compromises on cyber resources. Adverse conditions can include natural disasters and structural failures (e.g., power failures). Stresses can include unexpectedly high-performance loads. Adversity can be caused or taken advantage of by an APT actor. Informed preparedness involves contingency planning, including plans for mitigating and investigating threat events as well as for responding to discoveries of vulnerabilities or supply chain compromises. Cyber threat intelligence (CTI) provides vital information for informed preparedness.
Deterrence, avoidance, and prevention are strategies for anticipating potential threats. Other strategies include planning (i.e., identifying available resources and creating plans for using those resources if a threat materializes), preparation (i.e., changing the set of available resources and exercising plans), and morphing (i.e., changing the system on an ongoing basis in order to change the attack surface).
Withstand: Continue essential mission or business functions despite adversity.
Detection is not required for this goal to be meaningful and achievable. An APT actor’s activities may be undetected, or they may be detected but incorrectly attributed to user error or other stresses. The identification of essential organizational missions or business functions is necessary to achieve this goal. In addition, supporting processes, systems, services, networks, and infrastructures must also be identified. The criticality of resources and the capabilities of essential functions can vary over time.
Strategies for withstanding the realization of potential threats, even when those threats are not detected, include absorption (i.e., accepting some level of damage to a given set of system elements, taking actions to reduce the impacts to other system elements or to the system as a whole, and repairing damage automatically), deflection (i.e., transferring threat events or their effects to different system elements or to systems other than those that were targeted or initially affected), and discarding (i.e., removing system elements or even a system as a whole based on indications of damage and either replacing those elements or enabling the system or mission or business process to operate without them).
Recover: Restore mission or business functions during and after adversity.
The restoration of functions and data can be incremental. A key challenge is determining how much trust can be placed in restored functions and data as restoration progresses. Other threat events or conditions in the operational or technical environment can interfere with recovery, and an APT actor may seek to take advantage of confusion about recovery processes to establish a new foothold in the organization’s systems.
Strategies for recovery include reversion (i.e., replicating a prior state that is known to be acceptable), reconstitution (i.e., replicating critical and supporting functions to an acceptable level using existing system resources), and replacement (i.e., replacing damaged, suspect, or selected system elements with new ones, or repurposing existing system elements to serve different functions, in order to perform critical and supporting functions, possibly in different ways).
Detection can support the selection of a recovery strategy. However, a system can also apply these strategies independently of detection in order to change the attack surface.
Adapt: Modify mission or business functions and/or supporting capabilities in response to predicted changes in the technical, operational, or threat environments.
Change can occur at different scales and over different time frames, so both tactical and strategic adaptation may be needed. Modification can be applied to processes and procedures as well as to technology. Changes in the technical environment can include emerging technologies (e.g., artificial intelligence, 5th generation mobile networks [5G], Internet of Things) and the retirement of obsolete products. Changes in the operational environment of the organization can result from regulatory or policy changes, as well as from the introduction of new business processes or workflows. Analyses of such changes, and of the interactions between changes, can reveal how they could modify the attack surface or introduce fragility.
Strategies for adaptation include correction (i.e., removing or applying new controls to compensate for identified vulnerabilities or weaknesses), hardening (i.e., reducing or manipulating attack surfaces), and reorientation (i.e., proactively orienting controls, practices, and capabilities to prospective, emerging, or potential threats).
These strategies may result in redefinition (i.e., changing the system’s requirements, architecture, design, configuration, acquisition processes, or operational processes).
The risk management strategy for the organization is translated into specific interpretations and prioritizations of cyber resiliency goals and objectives, which guide and inform trade-offs among different forms of risk mitigation.
Cyber resiliency constructs, including goals, objectives, techniques, implementation approaches, and design principles, enable systems engineers to express cyber resiliency concepts and the relationships among them. The relationship between cyber resiliency and the risk management strategy leads systems engineers to analyze cyber resiliency solutions in terms of their potential effects on risk and on specific threat events or types of malicious cyber activities. The selection and relative priority of these cyber resiliency constructs are determined by the organization's strategy for managing the risks of depending on systems that include cyber resources, and in particular by the organization's risk framing. The relative priority of the cyber resiliency goals and objectives and the relevance of the cyber resiliency design principles are determined by the risk management strategy of the organization, which takes into consideration the concerns of, constraints on, and equities of all stakeholders (including those who are not part of the organization).
Ref: NIST SP 800-160 Vol. 2 Rev. 1
VP of Marketing & Sales Operations at Netformx (2 years ago): Great stuff, Shawn!
Information Security Risk Specialist | Data Analytics and Reporting (2 years ago): May I suggest adding "Assess" to Goals, though it is implied.