Cyber Resiliency, What You Need to Know
- jcarrion15
- Dec 31, 2024
- 4 min read
Cyber resiliency is not just a marketing buzz phrase that security vendors use to push their products, but a set of practices that all cyber security professionals should know and embrace. What it boils down to is the acceptance that no matter how expensive or elaborate your cyber defenses are, a capable bad actor, i.e. an Advanced Persistent Threat (APT), is going to find a way into your system.
Cyber resiliency can provide the tools you need to detect the APT and root it out while minimizing the damage it causes. But it is also prudent to assume the APT may gain a persistent, long-term foothold in the system with no guarantee of eradication. In that case, cyber resiliency techniques may only be able to slow the intruder down and hinder its ability to prevent the system from completing its intended mission.
Due to the complexity of systems, many cyber professionals do not have situational awareness of their systems' information flows; that is, who is accessing what, at which time, and whether they are authorized to do so. Even when security professionals monitor these information flows, an adept APT knows how to creep around networks undetected by emulating what looks like normal traffic. The APT is also adept at maintaining persistence on systems by installing tool sets that ensure its access over time. In order to detect malicious activity and expose the bad actor, a comprehensive set of cyber resiliency tools is needed.
NIST SP 800-160 Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, and Volume 2, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, offer a blueprint for incorporating cyber resiliency into any system, but it is a relatively new concept for many organizations, technical managers and cyber security professionals. Meanwhile, cyber threats are evolving rapidly, as are successful APT campaigns.
Cyber resiliency is defined by NIST as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources."
When designing information systems, security architects must change from a defense-oriented design mindset to a cyber resiliency mindset, baking into the system architecture the appropriate cyber resiliency solutions that will allow the system to survive an APT-level attack. Think of how building architects design new construction in an earthquake-prone area, building in earthquake mitigation measures that ensure the survival of the structure. It is understood that it is not a matter of if, but when, the next earthquake will occur. Similarly, security architects must assume that APTs will eventually bypass even the most elaborate defenses and, by building in the right combination of cyber resiliency solutions, ensure the system can survive.
As NIST 800-160 points out: "such solutions consist of combinations of technologies, architectural decisions, systems engineering processes, and operational policies, processes, procedures, or practices which solve problems in the cyber resiliency domain."
The cyber resiliency goals are to anticipate an APT attack, withstand the attack, recover from the attack, and adapt defenses accordingly in anticipation of the next attack cycle. The related cyber resiliency objectives include: prevent or avoid, that is, hold off an assault for as long as possible; prepare for when the attack does occur; continue the mission despite the ongoing attack; constrain the attackers and limit the damage they cause; and reconstitute, which means restore as much mission or business functionality as possible after the attack.
To meet these cyber resiliency goals and objectives, NIST SP 800-160 Vol 2 enumerates fourteen resiliency techniques to choose from and combine:
• Adaptive Response: Implement agile courses of action to manage risks;
• Analytic Monitoring: Monitor and analyze a wide range of properties and behaviors on an ongoing basis and in a coordinated way;
• Contextual Awareness: Construct and maintain current representations of the posture of missions or business functions considering threat events and courses of action;
• Coordinated Protection: Ensure that protection mechanisms operate in a coordinated and effective manner;
• Deception: Mislead, confuse, hide critical assets from, or expose covertly tainted assets to the adversary;
• Diversity: Use heterogeneity to minimize common mode failures, particularly threat events exploiting common vulnerabilities;
• Dynamic Positioning: Distribute and dynamically relocate functionality or system resources;
• Non-Persistence: Generate and retain resources as needed or for a limited time;
• Privilege Restriction: Restrict privileges based on attributes of users and system elements as well as on environmental factors;
• Realignment: Align system resources with current organizational mission or business function needs to reduce risk;
• Redundancy: Provide multiple protected instances of critical resources;
• Segmentation: Define and separate system elements based on criticality and trustworthiness;
• Substantiated Integrity: Ascertain whether critical system elements have been corrupted; and
• Unpredictability: Make changes randomly or unpredictably.
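To make one of these techniques concrete, here is an added example (not code from this post, nor an artifact of NIST SP 800-160) of Substantiated Integrity in Python: a baseline manifest of SHA-256 digests is built over a directory of critical files and sealed with an HMAC whose key is assumed to be held off the monitored system, so that an intruder who can modify the files cannot quietly rewrite the manifest to match. Re-verification reports modified, missing and unexpected files, which is exactly the "has this critical element been corrupted" question the technique asks. The directory layout, file contents, key and intruder actions are all constructed for the demonstration.

```python
"""Added example: a minimal Substantiated Integrity check.

Assumptions (not from the post or NIST): the HMAC key is stored off-box
(e.g. on the monitoring host), and the manifest is written at a known-good
point in time. Everything in demo() is constructed sample data.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk_digests(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            digests[p.relative_to(root).as_posix()] = _sha256_file(p)
    return digests


def _seal(digests: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding so key order cannot change the tag."""
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Record the known-good state of the critical files under root."""
    digests = _walk_digests(root)
    return {"files": digests, "hmac": _seal(digests, key)}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> dict:
    """Compare the live directory against the sealed manifest.

    A bad HMAC means the manifest itself was altered (or the wrong key was
    used); in that case the per-file comparison is meaningless and skipped.
    """
    if not hmac.compare_digest(_seal(manifest["files"], key), manifest["hmac"]):
        return {"manifest_tampered": True, "modified": [], "missing": [], "unexpected": []}
    baseline = manifest["files"]
    current = _walk_digests(root)
    return {
        "manifest_tampered": False,
        "modified": sorted(f for f, d in baseline.items() if f in current and current[f] != d),
        "missing": sorted(f for f in baseline if f not in current),
        "unexpected": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an intruder."""
    key = os.urandom(32)  # assumption: in practice this lives off the monitored box
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary (constructed)")
        (root / "etc" / "sudoers").write_bytes(b"root ALL=(ALL) ALL\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        # Intruder trojans a binary, removes a config file and drops a tool set.
        (root / "bin" / "sshd").write_bytes(b"trojaned sshd binary (constructed)")
        (root / "etc" / "sudoers").unlink()
        (root / "bin" / ".dropper").write_bytes(b"attacker tool set (constructed)")
        after = verify_manifest(root, manifest, key)

        # Intruder also rewrites the file list to match, but cannot recompute the HMAC.
        forged = {"files": _walk_digests(root), "hmac": manifest["hmac"]}
        forged_result = verify_manifest(root, forged, key)
    return {"clean": clean, "after": after, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real system, the baseline would be taken from trusted media at build time and the verifier scheduled from the monitoring host; the "unexpected" list is the one to watch for the persistence tool sets described above, since a dropped binary changes no existing digest.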
Most cyber professionals can readily understand the stated resiliency goals and objectives, but may not be familiar with the available solutions, both open source and commercial, that implement the fourteen resiliency techniques. And as there is no one-size-fits-all design, the security architect must make an in-depth analysis of each discrete system to select the appropriate combination of resiliency techniques, and then recommend available solutions for each technique.
My goal in this blog is to save you research time and effort in figuring out what cyber resiliency solutions are available, by organizing and reviewing, for each resiliency technique, the current marketplace solutions I believe are mature enough to be on your cyber resiliency solutioning list. In addition, I would like to walk you through APT attack scenarios and show you how the right combination of these cyber resiliency solutions can repel the attack and leave you retooled for the next one to come.