|
| 1 | +# Highlights and Quotes |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. |
| 6 | + |
| 7 | +A system is a combination of interacting elements organized to achieve one or more stated purpose. |
| 8 | + |
| 9 | +An asset refers to an item of value to stakeholders. Assets may be tangible (e.g., a physical item, such as hardware, firmware, computing platform, network device, or other technology component, or individuals in key or defined roles in organizations) or intangible (e.g., data, information, software, trademark, copyright, patent, intellectual property, image, or reputation). |
| 10 | + |
| 11 | +Cyber-resilient systems operate like the human body. The human body has an effective immune system that can readily absorb a continuous barrage. |
| 12 | + |
| 13 | +The cyber resiliency problem domain is informed by an understanding of the threat landscape and, in particular, the advanced persistent threat (APT). |
| 14 | + |
| 15 | +## The Fundamentals |
| 16 | + |
| 17 | +The relative priority of the cyber resiliency goals and objectives and relevance of the cyber resiliency design principles are determined by the risk management strategy of the organization, which takes into consideration the concerns of, constraints on, and equities of all stakeholders (including those who are not part of the organization). |
| 18 | + |
| 19 | +Analysis of potential effectiveness considers the relative effectiveness of the solution against potential threat events or scenarios [SP 800-30] and the measures of effectiveness for cyber resiliency objectives. |
| 20 | + |
| 21 | +proposed cyber resiliency solution, while intended primarily to reduce mission, business, or operational risk, can also reduce other types of risk (e.g., security risk, reputational risk, supply chain risk, performance risk). However, like any solution to a risk management problem, it can also increase other types of risk (e.g., financial, cost, or schedule risk). |
| 22 | + |
| 23 | +## Cyber Resiliency in Practice |
| 24 | + |
| 25 | +The variety of circumstances and types of systems for which cyber resiliency can be applied means that no single cyber resiliency technique, approach, or set of approaches is universally optimal or applicable. |
| 26 | + |
| 27 | +Redundancy-supporting approaches—such as backup, surplus capacity, and replication—are well established in COOP programs. From a cyber resiliency perspective, however, these approaches are not sufficient to protect against the APT. |
| 28 | + |
| 29 | +Predefined Segmentation, as reflected in boundary demilitarized zones (DMZs), is a well-established construct in cybersecurity. One important distinction of cyber resiliency is that the segmentation is applied throughout the system, not just at the system boundary. |
| 30 | + |
| 31 | +Several of the cyber resiliency techniques and approaches are cyber adaptions of non-cyber methods used in adversary-oriented disciplines (e.g., medicine, military, sports). |
| 32 | + |
| 33 | +The rationale for selecting cyber resiliency techniques or approaches that have complete coverage of the potential effects relates to the long-term nature of the threat campaigns. Potentially, engagements with the APT may go on for months, if not years, possibly starting while a system is in development or even earlier in the life cycle. |
| 34 | + |
| 35 | +The decision to use less mature technologies depends on the organization’s risk management strategy and its strategy for managing technical risks. Many highly mature and widely adopted technologies and processes that were developed to meet the general needs of performance, dependability, or security can be used or repurposed to address cyber resiliency concerns. These pose little, if any, technical risk. |
| 36 | + |
| 37 | +Each of these key stakeholders has a risk management strategy focused on different potential risks (e.g., cost, schedule, and technical or performance risks for a program office or systems engineer; security risks for an authorizing official; mission or business risks for a mission or business function owner). When these entities are part of the same organization, the risk management strategies for their respective areas of responsibility instantiate or are aligned with the organization’s cyber risk management strategy. |
| 38 | + |
| 39 | +An appreciation of the different risk management strategies (i.e., how the various stakeholders frame risk, including what threats and potential harms or adverse consequences are of concern to them, what their risk tolerances are, and what risk trade-offs they are willing to make) will enable the threat model to be defined and cyber resiliency constructs to be interpreted and prioritized in subsequent steps. |
| 40 | + |
| 41 | +The programmatic context is not static. Technical, schedule, or security risks can include risks related to other programs or initiatives within the organization, its partners, or its suppliers. |
| 42 | + |
| 43 | +Federation typically restricts the set of solutions that can be applied and the metrics that can be defined and used since different system owners may be unwilling or unable to use the same technologies or share certain types or forms of information. |
| 44 | + |
| 45 | +Describe the system in terms of its intended uses, which include not only its primary mission or business function but also secondary or likely additional uses. |
| 46 | + |
| 47 | +If possible, identify measures of effectiveness (MOEs) and measures of performance (MOPs) for organizational missions or business functions. |
| 48 | + |
| 49 | +A threat model can also include potential threat scenarios related to non-adversarial threat sources. For these threat sources, the scope or scale of effects, duration or time frame, and types of assets affected are identified. If possible, provide a reference to a publicly available description of a similar scenario to serve as an anchoring example. |
| 50 | + |
| 51 | +Because senior leadership is often aware of issues and gaps, recommended cyber resiliency solutions will need to be characterized in terms of how and how well the solutions address the issues and gaps, as well as in terms of other benefits that the recommended solutions provide (e.g., improved stability, improved performance). |
| 52 | + |
| 53 | +How well the system’s capabilities cover (i.e., have at least one effect on) adversary activities as identified by the threat context. This can be expressed as a threat heat map [DHSCDM] or a simple threat coverage score. For an initial assessment, coverage can be in terms of attack stages. |
| 54 | + |
| 55 | +While identification of single points of failure is a result of the analysis methods mentioned above, network analysis or graph analysis (i.e., analysis of which system elements are connected, how and how tightly the system elements are connected, and whether some sets of system elements are more central) can determine whether the system is fragile (i.e., whether it will break if a stress beyond a well-defined set is applied). Similarly, graphical analysis of the distribution of different types of components can help determine how easily a given stress (e.g., exploitation of a zero-day vulnerability) could propagate. |
| 56 | + |
| 57 | +Attack scenarios can be represented as part of a model-based engineering effort; using attack tree or attack graph analysis; in terms of fault tree analysis or failure modes, effects, and criticality analysis (FMECA); or based on the identification of loss scenarios from System-Theoretic Process Analysis (STPA). Common elements across the attack scenarios (e.g., recurring adversary TTPs) can be starting points for identifying potential alternative solutions. |
| 58 | + |
| 59 | +How well the system, with the solution applied, addresses adversary activities or attack scenarios as identified by the threat context. As noted in Section 3.2.2.3, this can take the form of a threat heat map or a threat coverage score using a taxonomy of adversary activities (e.g., [MITRE18]). It can also take the form of an adversary return on investment (ROI) score or a more nuanced threat coverage score. Alternately or in support of scoring, performance metrics for specific types of effects on adversary actions can be defined and evaluated before and after the solution is applied (e.g., length of time it takes an adversary to move laterally across a system or an enclave). |
| 60 | + |
| 61 | +## Background |
| 62 | + |
| 63 | +The CSA tool created by the Air Force Research Laboratory (AFRL) [Reilly19] captures relationships between controls and control enhancements in [SP 800-53], which support cyber resiliency (see Table E.1) and the CSAs. The CSA tool also captures the mappings of cyber resiliency controls and implementation approaches to ATT&CK techniques (see Appendix F). |
| 64 | + |
| 65 | +# Questions |
| 66 | + |
| 67 | +1. Why are APT threats the highest priority and most realistic threat actor in 800-160 Vol. 2 Rev 1? |
| 68 | +1. What APTs were studied as research this document? |
| 69 | +1. When did the term risk framing come into being in NIST or elsewhere? |
| 70 | +1. "Other capabilities such as Non-Persistence and Adaptive Response are very common in cloud and virtualization architectures. Again, these capabilities were not designed or employed to specifically counter the APT but to facilitate the rapid deployment of implementations." Are the two concepts as goals mutually exclusive? Wording here suggests so. |
| 71 | +1. Is cyber resiliency more difficult or significantly more difficult without the practice of the Risk Management Framework in an organization? |
| 72 | +1. Are there quantitative methods for measurement of other quality properties used in cyber resiliency analysis (e.g., safety, system resilience, cyber resiliency) that can be researched for comparison and contrast to security analysis? |
| 73 | +1. Why does "the type of system determines which cyber resiliency techniques and approaches are most relevant"? |
| 74 | +1. Is there historical data on threat actors, ATPs and others, that targeted DOC or NIST in particular? |
| 75 | +1. How do we baseline cyber resilience with out subject matter experts or an expert system to make recommendations? How do baselines scale? (This appears to already be a problem in risk management.) |
| 76 | +1. Re 3.2.3, has any research unit in the USG attempt to use public data and build a best path analysis for HVA targeting through network effects of first and second-level system of system relationships? |
| 77 | +1. Is there any public research on APT engineering leadership? How do they plan and execute against targets? How do they mature the opposite of a cyber resiliency program in their long-term ops? |
| 78 | +1. If the MITRE Cyber Resliency Framework is cited as an important and suitable reference, why did 800-160 Vol. 2 Revision 1 need to be authored? |
0 commit comments