Cyber Resilience in Action: Focusing Defenses Where They Matter Most – An Adversarial Perspective

This talk proposes a practical methodology to significantly increase an organization’s cyber resilience posture against advanced adversaries. Security practitioners are increasingly held to heightened expectations for cyber resilience – that is, the ability to anticipate, withstand, recover and adapt from cyber threats. However, anticipating the many potential threat groups and the hundreds of tactics, techniques and procedures (TTPs) they employ is difficult. Understanding how to withstand their attacks across thousands of assets is a challenge for even the largest of organizations. This talk will propose an approach for focusing defenses where they matter most. Definitions can be hard, but certain systems are highly targeted by threat actors because they perform functions critical to trust and are thus stepping-stones into everything else. We hone-in on often overlooked but critical assets by accounting for the value that these threat actors place on a given asset instead of solely focusing on the asset’s value from a business criticality or informational value perspective. Traditional reliance on Business Impact Analysis should be complemented with a “Voice of the Adversary” approach – i.e., an attacker viewpoint which is often focused on gaining access, sustaining that access, selling the access on, or seeking out opportunities for extortion, theft or fraud regardless of how the organization classifies the asset relevance. The talk starts by explaining what a cyber resilience operating model looks like, describes the attributes of high value targets, and provides use-cases for implementation across the balance of the operating model – e.g., assurance, preparedness, reporting, etc. The proposed approach is pluggable into existing frameworks such as NIST, MITRE and SABSA.