CMMC is the starting line, not the finish line

COMMENT

In recent years, it has become painfully clear that defense industrial base (DIB) companies and those providing critical infrastructure are being actively targeted by nation-state threat actors. Various federal agencies have sounded the alarm and done their best to push companies to do better. The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) is the toughest push to date and will (hopefully) soon become a strictly enforced mandate.

Companies that achieve CMMC certification (which has been aligned to NIST 800-171 at the "Advanced" certification level) will become a more difficult target. But will they be safe from the world's most advanced threats? Unfortunately, no. Compliance will certainly be a step forward, but entities like China's PLA Unit 61398 will still find ways to infiltrate, persist, steal and, when required, destroy.

Companies that want to build true protection and resilience against cyber threats must go beyond “check-the-box” CMMC/NIST 800-171 compliance. They must shift to a proactive and continuous mindset of hardening, detecting and responding with modern security operations.

Harden-Detect-Respond (HDR) operations

As a 30-year cybersecurity veteran, I have come across many truths about cybersecurity. The first is that policies, controls and secure configurations continually rot due to other business priorities and IT entropy. Establishing a strong policy and control structure helps make cybersecurity a top-down operational mindset. However, the pace of IT change and the need for businesses to prioritize speed and efficiency over absolute security often undermine the effectiveness of established protections and controls, leaving gaps for attackers to exploit.

An HDR mindset and operational capability helps address this issue:

  • Proactively identify, correct, and restore operational and IT weaknesses to a strengthened state.

  • Immediately detect and investigate possible intrusions into your IT environment, 24/7.

  • Hunt for and eliminate threats already embedded in the IT environment.

  • Contain, mitigate and respond quickly to incidents.

CMMC/NIST 800-171 mandates most HDR capabilities. However, the rigor and depth with which a company implements them can make the difference between remaining vulnerable and being highly resilient and protected against an advanced nation-state cyber threat or a motivated cybercriminal.

Seven critical HDR practices

The following HDR practices can help businesses achieve resilience and protection from cyber threats.

Harden people

People remain the easiest target. Security awareness training can reduce the risk of employees falling prey to phishing and other social engineering attacks.

Strengthen your IT and cloud infrastructure

Software vulnerabilities and misconfigurations are constantly being introduced. Conduct routine vulnerability scans and cloud security posture assessments. Prioritize fixing vulnerabilities and weaknesses that are most likely to be exploited.

Harden endpoints

For most organizations, endpoints (along with people) form the perimeter of their defenses. They are often attacked and are the most common way to access IT infrastructure. Properly configured modern endpoint protection and visibility are critical to guarding against this risk.

Increase visibility

The best way to detect threat tactics, techniques and procedures (TTPs) is to increase visibility into your IT and cloud environment. Data from a Security Information and Event Management (SIEM) system provides high visibility into endpoint activity, authentication activity, data access activity, and data movement.

Increase detection

Ensure that endpoint and network security solutions are configured correctly to detect the types of TTPs they have visibility into. Leverage security visibility and analytics (e.g., via SIEM) to expand the scope of detection. Deploy advanced detection solutions such as user behavior analytics that can detect attackers impersonating employees. The ultimate goal is to achieve 100% TTP detection coverage as measured against the MITRE ATT&CK framework.
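As an added illustration (not from the article), here is a small Python inventory check for the coverage goal above: it measures what share of an in-scope ATT&CK technique list is detected by rules that are actually enabled, and flags techniques that depend on a single tool. The technique subset and the rule inventory are constructed sample data, not a recommended list.

```python
"""Compute ATT&CK technique detection coverage from a detection-rule inventory."""
from collections import defaultdict

# Constructed sample: techniques in scope for this environment (real ATT&CK IDs,
# but the subset itself is an arbitrary illustration, not a recommended list).
IN_SCOPE_TECHNIQUES = {
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1059": "Command and Scripting Interpreter",
    "T1021": "Remote Services",
    "T1003": "OS Credential Dumping",
    "T1041": "Exfiltration Over C2 Channel",
}

# Constructed sample rule inventory. Each rule records the tool it runs in,
# whether it is currently enabled, and the techniques it claims to detect.
RULES = [
    {"name": "phish-attachment-macro", "source": "endpoint", "enabled": True,
     "techniques": ["T1566", "T1059"]},
    {"name": "impossible-travel-login", "source": "ueba", "enabled": True,
     "techniques": ["T1078"]},
    {"name": "lsass-handle-access", "source": "endpoint", "enabled": True,
     "techniques": ["T1003"]},
    {"name": "lateral-rdp-burst", "source": "siem", "enabled": False,
     "techniques": ["T1021"]},
]


def coverage_report(in_scope, rules):
    """Return (fraction_covered, covered, gaps, single_source).

    Only enabled rules count: a disabled or misconfigured rule is exactly the
    kind of control rot that silently reopens a gap. single_source lists
    techniques that rely on one tool, so one outage or missing agent removes
    all detection for them.
    """
    covered = defaultdict(set)  # technique -> set of sources detecting it
    for rule in rules:
        if not rule["enabled"]:
            continue
        for tech in rule["techniques"]:
            if tech in in_scope:
                covered[tech].add(rule["source"])
    gaps = sorted(t for t in in_scope if t not in covered)
    single_source = sorted(t for t, srcs in covered.items() if len(srcs) == 1)
    fraction = (len(in_scope) - len(gaps)) / len(in_scope) if in_scope else 0.0
    return fraction, dict(covered), gaps, single_source


if __name__ == "__main__":
    frac, covered, gaps, single = coverage_report(IN_SCOPE_TECHNIQUES, RULES)
    print(f"coverage: {frac:.0%}")
    for t in gaps:
        print(f"GAP  {t} {IN_SCOPE_TECHNIQUES[t]}")
    for t in single:
        print(f"THIN {t} {IN_SCOPE_TECHNIQUES[t]} (only {next(iter(covered[t]))})")
```

Running it against the sample data reports 67% coverage, with the disabled SIEM rule showing up as a gap even though the technique is nominally "covered" on paper.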

Threat hunting

The sad reality is that many companies are compromised and don’t realize it. If your intellectual property is of interest to nation-state cyber spies, backdoors may already be installed. The surest way to find and eliminate embedded threats before data is stolen or operations are disrupted is to proactively search for them. Threat hunting requires endpoint detection and response along with broad visibility. It also requires human expertise and threat hunters, making this one of the most challenging operational capabilities to achieve.

Investigate and respond 24/7

Threats don’t take weekends and holidays off. Indicators of likely intrusion and compromise must be assessed within minutes, regardless of the time or day they occur. A threat left in place over time can penetrate deeply into your environment and become more difficult and expensive to remove. Left to linger long enough, it will eventually cause you harm. You need the operational capability to quickly investigate threat indicators and, if an incident occurs, contain and mitigate it within hours.

Prioritize HDR

Defense and critical infrastructure companies face a difficult problem: building profitable businesses while protecting their intellectual property and operations from highly advanced threats. Those looking to get ahead of compliance and reduce the risk of cybercrime are wise to prioritize HDR. Not only is it necessary for compliance, but it can protect and defend you as you add further requirements and controls. Over time, maturing HDR operations can help you reliably detect and deter nation-state cyber threats if they turn their attention to you.
