3

What is a Cyber Strategy?

Introduction

A cyber strategy is a documented approach to the aspects of cyberspace that matter to an entity. It is mostly developed to address the entity's cybersecurity needs by setting out how its data, networks, technical systems, and people will be protected. An effective cyber strategy is scoped to the entity's actual cybersecurity risk exposure: it covers the attack surface that malicious parties could realistically target. Cybersecurity has taken center stage in most cyber strategies because cyber threats keep becoming more advanced as better exploit tools and techniques become available to threat actors. Because of these threats, organizations are advised to develop cyber strategies that ensure the protection of their cyber infrastructure from different risks and threats. This chapter will discuss the following:

  • Why do we need to build a cyber strategy?
  • Best cyber attack strategies (Red Team)
  • Best cyber defense strategies (Blue Team)

Why do we need to build a cyber strategy?

Organizations are constantly dealing with threats from hardened cyber attack professionals. It is a sad reality that many intrusions are carried out by nation states, cyber terrorists, and powerful cybercriminal groups. There is an underground economy of hackers that facilitates the purchase or hiring of intrusion tools, techniques, or personnel, and the laundering of the monetary proceeds from successful attacks.

It is often the case that attackers have far more technical expertise in cybersecurity than the average IT employee, and they use that expertise to bypass many of the cyber defense tools that IT departments set up. This calls for a redefinition of how organizations deal with cyber threats and threat actors, because leaving the task to the IT department alone is not enough. While hardening systems and installing more security tools might have been adequate a few years ago, today organizations need a well-thought-out cyber strategy to guide their cyber defense approaches. The following are some of the reasons why cyber strategies are essential:

  • A move from assumptions: Some of the cybersecurity defense mechanisms used in organizations today are based on assumptions from the IT department or cybersecurity consultants. However, there is always a chance that assumptions could be misleading and perhaps tailored only towards a certain goal such as compliance. Cyber strategies, on the other hand, are informed plans of action that cover different cyber threats and risks. They are also developed with a common end goal in sight.
  • Better organization: Cyber strategies bring centralized control and decision making to matters regarding cybersecurity, since they are built in collaboration with different stakeholders. This ensures that different departments in an organization can set and work towards a common set of security goals in a coordinated way. For instance, line managers could discourage junior employees from sharing login credentials, which limits the damage a single phished account can do. Such small contributions from different departments, as informed by the cyber strategy, improve the overall security posture of an organization.
  • Details on security tactics: Cyber strategies lay out the high-level tactics for ensuring the security of the organization. These touch on incident response, disaster recovery and business continuity plans, and the behavioral responses to attacks that help calm stakeholders, among others. They inform stakeholders about how prepared the organization is to deal with cyber attacks.
  • Long-term commitment to security: A cyber strategy provides assurance that the organization will commit considerable effort and resources toward securing itself. Such commitment is a good sign to stakeholders that the organization intends to stay secure, even while under attack.
  • Simplifying cybersecurity to stakeholders: A cyber strategy helps to break down the complexities of cybersecurity. It informs all stakeholders about the cyberspace risks and threats, and then explains how these are mitigated through a set of small achievable goals.

Figure 1: Why do you need a cybersecurity strategy, and what exactly is it?

Cyber strategies might take one of two approaches towards security: a defense or an offense perspective. From the defense perspective, the cyber strategy focuses on informing stakeholders about the defense measures that an organization has put in place to protect itself from identified threats. From the offense perspective, the cyber strategy focuses on testing the effectiveness of existing security capabilities so as to find flaws and fix them; such strategies extensively cover the methods that will be used to test the organization's preparedness for attacks. Lastly, some strategies mix the two perspectives, covering both the testing and the strengthening of existing defense mechanisms. The following sections discuss some of the commonly used cyber attack and defense strategies.

How to build a cyber strategy

In this section we will introduce how you can build an effective cyber defense strategy. The steps are not always carried out in the given order; they are offered to give you an idea, and you can of course customize them as you wish.

Understand the business

The more you know about your business, the better you can secure it. It is really important to know the goals and objectives of your organization, the people you work with, the industry, current trends, your business risks, the organization's risk appetite and risk tolerance, and your most valuable assets. Everything we do must reflect business requirements approved by senior leadership, as ISO 27001 also mandates.

As Sun Tzu said in the 6th Century BC:

"If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."

A strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat. In order to develop a strategy, we must first understand the threats and risks that we will be dealing with.

Understand threats and risks

It is not easy to define risk, as in the literature the word "risk" is used in many different ways. According to ISO 31000, risk is the "effect of uncertainty on objectives", where an effect is a positive or negative deviation from what is expected.

The word "risk" combines three elements: it starts with a potential event and then combines its probability with its potential severity. Many risk management courses define risk as: Risk (potential loss) = Threat x Vulnerability x Asset:

Figure 2: Risk as a combination of Threat, Vulnerability, and Asset value/impact

It is really important to understand that not every risk is worth mitigating. For instance, a risk may be extremely unlikely yet highly expensive to mitigate, or the severity of the risk may be lower than the cost of mitigation. Such risks may be accepted, provided the decision and its rationale are recorded and the accepted loss still sits within the risk appetite approved by leadership.
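As an added worked example (not from the chapter), the following Python script applies the Threat x Vulnerability x Asset formula in its quantitative form, as an expected annual loss, and encodes the acceptance rule just described. Everything in it is constructed: the risk entries, asset values, probabilities, control costs and the risk appetite figure are sample data, and the "escalate" outcome is an assumption of this example, added for the case where a control is not cost-justified but the expected loss still exceeds the appetite.

```python
"""Risk scoring and treatment decisions for a cyber strategy risk register.

Added example, not taken from the chapter. Threat x Vulnerability x Asset is
applied in quantitative form as an expected annual loss:

    expected_loss = asset_value * P(attempt succeeds) * attempts_per_year

Each risk is then compared against the cost of the proposed control and the
risk appetite approved by leadership. All figures are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float             # loss if the asset is fully compromised
    vulnerability: float           # P(an attempt succeeds), 0.0 - 1.0
    threat_rate: float             # expected attempts per year
    mitigation_cost: float         # annual cost of the proposed control
    residual_vulnerability: float  # P(success) once the control is in place


def expected_loss(risk: Risk, vulnerability: Optional[float] = None) -> float:
    """Threat x Vulnerability x Asset, as an expected annual loss."""
    v = risk.vulnerability if vulnerability is None else vulnerability
    if not 0.0 <= v <= 1.0:
        raise ValueError("vulnerability must be a probability in [0, 1]")
    return risk.asset_value * v * risk.threat_rate


def decide(risk: Risk, appetite: float) -> str:
    """Treatment decision for one risk.

    mitigate: the control removes more expected loss per year than it costs.
    accept:   the control is not worth its cost and the loss is within appetite
              (the 'unlikely but expensive to fix' case from the text).
    escalate: the control is not worth its cost, yet the loss exceeds appetite,
              so leadership must decide (transfer via insurance, avoid, or fund
              it anyway). This third outcome is an assumption of the example.
    """
    before = expected_loss(risk)
    after = expected_loss(risk, risk.residual_vulnerability)
    if before - after > risk.mitigation_cost:
        return "mitigate"
    if before <= appetite:
        return "accept"
    return "escalate"


def treatment_plan(risks: List[Risk], appetite: float) -> List[Tuple[str, float, str]]:
    """(decision, expected annual loss, name) for every risk, worst loss first."""
    rows = [(decide(r, appetite), expected_loss(r), r.name) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; the appetite is the annual loss leadership tolerates.
RISK_APPETITE = 25_000.0
SAMPLE_RISKS = [
    Risk("Phished finance credentials", 500_000, 0.30, 4.0, 20_000, 0.03),
    Risk("Web server exposes internal documents", 20_000, 0.50, 10.0, 500, 0.0),
    Risk("Theft of backup tapes from offsite vault", 100_000, 0.10, 0.05, 50_000, 0.0),
    Risk("Ransomware on legacy OT network", 2_000_000, 0.40, 0.5, 900_000, 0.10),
]

if __name__ == "__main__":
    for decision, loss, name in treatment_plan(SAMPLE_RISKS, RISK_APPETITE):
        print(f"{decision:9} {loss:>12,.0f}  {name}")
```

With the sample data, the phishing and web server risks are mitigated because cheap controls remove most of the expected loss, the backup tape risk is accepted because it is rare and the control costs far more than it saves, and the OT ransomware risk is escalated because no cost-justified control brings it within appetite. The register is the kind of artifact the strategy document should reference, so that "we accepted this risk" is a recorded leadership decision rather than an assumption.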

Document

As with everything else, documentation is really important and is a key aspect of every strategy. When it comes to risk treatment, or providing assurance of business continuity, documentation plays a critical role. Documenting the cyber strategy ensures efficiency, consistency, and peace of mind for everyone involved. Documentation helps to establish standardization between processes, and ensures everyone in your organization is working the same way toward the same outcome.

The following illustration shows what good cyber strategy documentation should look like:

Figure 3: The elements of a good cyber strategy

A good Strategy document should list what the strategy is, and why it's needed. It has to be clear, and easy to understand. It should highlight any urgency with some mitigation options that should highlight the benefits of the given choices and how they are going to address the issues facing the business.

Having the cyber strategy documented helps you align more closely with the business strategy as well as with the business drivers and goals. Once this alignment is in place, you can build the technical aspects and the cyber transformation plan that make the organization more cyber safe.

It is important to appreciate the mindset of a hacker in order to implement effective cyber strategy, so in the upcoming section we are going to discuss cyber attack strategies.

Best cyber attack strategies (Red Team)

One of the best ways to secure an organization is to think like a hacker and try to breach into the organization using the same tools and techniques that an adversary would use. The following are the best cyber attack strategies that organizations should consider:

External testing strategies

These strategies involve attempting to breach the organization from outside its network. In this case, cyber attacks are directed at publicly accessible resources for testing purposes. For instance, the firewall could be targeted with a DDoS attack to make it impossible for legitimate traffic to flow into the organization's network; because such a test disrupts production traffic by design, it must be explicitly authorized and scheduled in the rules of engagement. Email servers are targeted to try to jam email communication in the organization. Web servers are targeted to find misplaced files, such as sensitive information stored in publicly accessible folders. Other common targets include the domain name servers and any other internet-facing service, along with the perimeter intrusion detection and prevention systems that sit in front of them. Other than technical systems, external testing strategies also include attacks directed at the staff or users. Such attacks can be carried out through social media platforms, emails, and phone calls. The commonly used attack method is social engineering, whereby targets are persuaded to share sensitive details or send money to pay for non-existent services.

Internal testing strategies

This includes attack tests performed within an organization with the goal of mimicking insider threats that may try to compromise it, such as disgruntled employees and visitors with malicious intent. Internal breach tests typically assume that the adversary has standard access privileges, knows where sensitive information is kept, can evade detection, and can even disable some security tools. The aim of internal testing is to harden the systems that are exposed to normal users so that they cannot be easily breached. Some of the techniques used in external testing can also be used in internal testing, but they are often more effective inside the network, since many more targets are exposed there.

Blind testing strategy

This is a testing strategy aimed at catching the organization by surprise. It is conducted without prior warning to the IT department, so that when it happens, they treat it as a real attack rather than a test. Only a small group of senior sponsors knows about the exercise, and they still authorize it in writing and set its rules of engagement. Blind testing is done by attacking security tools, trying to breach networks, and targeting users to obtain credentials or sensitive information from them. Blind testing is often expensive, since the testing team gets no support from the IT department, so as to avoid alerting it to the planned attacks. However, it often leads to the discovery of many previously unknown vulnerabilities, and it exercises the organization's detection and response, not just the presence of its controls.

Targeted testing strategy

This type of testing isolates only one target and carries out multiple attacks on it to discover which ones can succeed. It is highly effective when testing new systems or specific cybersecurity aspects, such as incident response to attacks targeting critical systems. However, due to its narrow scope, targeted testing does not give a full picture of the vulnerability of the whole organization.

Best cyber defense strategies (Blue Team)

The last line of cybersecurity often comes down to the defense systems that an organization has in place. There are two defense strategies that organizations commonly use: defense in depth and defense in breadth.

Defense in depth

Defense in depth, also referred to as layered security, involves employing stratified defense mechanisms to make it hard for attackers to breach an organization. Since multiple layers of security are employed, the failure of one layer to thwart an attack only exposes attackers to the next layer. Due to this redundancy, it becomes complex and expensive for hackers to breach systems. The defense in depth strategy appeals to organizations that believe that no single layer of security is immune to attacks. Therefore, a series of defense systems is always deployed to protect systems, networks, and data. For instance, an organization that wishes to protect its file server might deploy an intrusion detection system and a firewall on its network. It may also install an endpoint antivirus program on the server and further encrypt its contents. Lastly, it may disable remote access and employ two-factor authentication for any login attempt. Any hacker trying to gain access to the sensitive files on the server will have to breach all of these layers. The chances of success are low, as each layer must be defeated independently.

The common components in defense in depth approaches are:

  • Network security: Since networks are the most exposed attack surface, the first line of defense is usually aimed at protecting them. The IT department might install a firewall to block malicious inbound traffic and also prevent internal users from sending malicious traffic or reaching known malicious networks. In addition, intrusion detection systems are deployed on the network to detect suspicious activity. Because DDoS attacks against perimeter devices are widespread, organizations should choose firewalls that can withstand such attacks for a sustained period, or place upstream DDoS mitigation in front of them.
  • An endpoint antivirus system: Antivirus systems are essential in protecting computing devices from malware infections. Modern antivirus systems come with additional functionality, such as built-in host firewalls, that can further secure a host on a network.
  • Encryption: Encryption is often the most trusted line of defense, since it rests on mathematical hardness rather than on configuration. Organizations encrypt sensitive data to ensure that only authorized personnel can access it. If such data is stolen, the loss is far less damaging, since well-chosen encryption algorithms are not practical to break; this holds only as long as the keys are stored separately from the data and are not stolen along with it.
  • Access control: Access control limits the number of people who can access a resource on a network through authentication and authorization. Organizations often combine physical and logical access controls to make it hard for potential hackers to breach them. Physical controls involve locks and security guards that deter people from entering sensitive areas such as server rooms. Logical controls entail authentication before a user can access any system. Traditionally, only username and password combinations were used, but due to increased breaches, two-factor authentication is recommended.

The following illustration summarizes what we have covered:

Figure 4: An illustration of defense in depth

Layered security is the most widely used cyber defense strategy. However, it is becoming increasingly expensive, and on its own it is not sufficient: hackers still bypass several layers of security using attack techniques such as phishing, where the end user is directly targeted. In addition, multiple layers of security are expensive to install and maintain, which is a real challenge for SMEs. This is why a growing number of organizations are considering the defense in breadth approach.

Defense in breadth

This is a more recently adopted defense strategy that combines traditional security approaches with newer security mechanisms. It aims to offer security at every layer of the OSI model, so that when hackers evade the conventional lower-layer controls, they are still thwarted by mitigations higher up the stack. The last layer is usually the application layer. Web Application Firewalls (WAFs) are increasingly popular and are effective against attacks targeted at specific applications. Once an attack has been observed, the WAF can block it and a rule can be created to prevent similar attacks until a patch has been applied; this virtual patching buys time but does not replace fixing the application itself.

In addition, security-aware developers use OWASP (Open Web Application Security Project) methodologies when developing applications. These methodologies insist on developing applications that meet a standard level of security and address a list of the most common vulnerabilities. The aim is for applications to ship almost fully secure, so that each is individually capable of thwarting or withstanding attacks without relying on other defense systems.

Another concept used in defense in breadth is security automation, whereby systems are developed with the ability to detect attacks and automatically defend themselves. These capabilities are achieved using machine learning: systems learn their desired state and normal environment, and when there are anomalies, in either their state or their environment, they can scan for threats and mitigate them. This technology is already being built into security products to improve their efficiency. There are AI-based firewalls and host-based antivirus programs that can handle security incidents without human input. However, defense in breadth is still a new strategy and many organizations are apprehensive about using it.
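The following Python script is an added example (not from the chapter, and not any vendor's product logic) of the "learn the normal state, then react to deviations" idea in its simplest form: a statistical baseline stands in for the machine learning models the text refers to. It learns each user's normal rate of failed logins per hour from a training window, scores a later window against that baseline, and maps alerts to automated responses. The log format, user names, counts, thresholds and the response policy are all constructed for this example.

```python
"""Baseline-and-anomaly detection over authentication log lines.

Added example, not taken from the chapter. A per-user baseline of failed
logins per hour is learned from a training window; a later window is then
scored against it and alerts are turned into automated actions. The log
format, users, counts, thresholds and response policy are constructed.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed format: "<ISO timestamp>Z auth <ok|fail> user=<name>"
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z auth (?P<result>ok|fail) user=(?P<user>\w+)"
)


def parse(lines):
    """Yield (hour_bucket, result, user) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("hour"), m.group("result"), m.group("user")


def hourly_failures(lines):
    """Count failed logins per (user, hour bucket)."""
    counts = Counter()
    for hour, result, user in parse(lines):
        if result == "fail":
            counts[(user, hour)] += 1
    return counts


def learn_baseline(lines, hours):
    """Per-user (mean, population stdev) of failures per hour over a training window.

    'hours' lists every bucket in the window, so quiet hours count as zero.
    Users with no failures at all in training get no baseline and are later
    treated as unknown."""
    counts = hourly_failures(lines)
    per_user = defaultdict(list)
    for user in {u for (u, _h) in counts}:
        per_user[user] = [counts.get((user, h), 0) for h in hours]
    return {u: (statistics.mean(v), statistics.pstdev(v)) for u, v in per_user.items()}


def detect(lines, baseline, threshold=3.0, min_failures=5):
    """Flag (user, hour, count, reason) where count exceeds mean + threshold*stdev.

    min_failures stops a user with a near-zero baseline from alerting on one typo;
    the stdev is floored to 1.0 so a perfectly regular baseline does not make
    any deviation look infinitely unusual. Unknown users are flagged on
    min_failures alone, which also catches guessing against non-existent names."""
    alerts = []
    for (user, hour), n in sorted(hourly_failures(lines).items()):
        if n < min_failures:
            continue
        if user not in baseline:
            alerts.append((user, hour, n, "no baseline"))
            continue
        mean, sd = baseline[user]
        if n > mean + threshold * max(sd, 1.0):
            alerts.append((user, hour, n, "above baseline"))
    return alerts


def respond(alerts):
    """The 'defend itself' step, with a constructed policy: a known account that
    spikes gets a temporary lock; an unknown name gets its source reviewed."""
    return [("lock_account", user) if reason == "above baseline" else ("review", user)
            for user, _hour, _n, reason in alerts]


# Constructed training window: alice fails once every hour, bob twice in two hours.
TRAINING_HOURS = [f"2024-01-01T{h:02d}" for h in range(24)]
TRAINING_LOG = (
    [f"{h}:07:00Z auth fail user=alice" for h in TRAINING_HOURS]
    + [f"{h}:30:00Z auth ok user=alice" for h in TRAINING_HOURS]
    + ["2024-01-01T09:15:00Z auth fail user=bob", "2024-01-01T09:40:00Z auth fail user=bob",
       "2024-01-01T17:02:00Z auth fail user=bob", "2024-01-01T17:30:00Z auth fail user=bob"]
)

# Constructed detection window: alice spikes, bob stays under the floor,
# carol never appeared in training, and one line is malformed.
TEST_LOG = (
    [f"2024-01-02T03:{m:02d}:00Z auth fail user=alice" for m in range(12)]
    + [f"2024-01-02T10:{m:02d}:00Z auth fail user=bob" for m in range(4)]
    + [f"2024-01-02T05:{m:02d}:00Z auth fail user=carol" for m in range(6)]
    + ["2024-01-02T03:59:00Z auth ok user=alice", "garbage line that does not parse"]
)

if __name__ == "__main__":
    found = detect(TEST_LOG, learn_baseline(TRAINING_LOG, TRAINING_HOURS))
    for alert, action in zip(found, respond(found)):
        print(alert, "->", action)
```

Two design points matter in practice. The baseline is learned from a fixed window rather than updated continuously, because a continuously updated baseline can be trained by a patient attacker who raises the failure rate slowly; and the automatic response is deliberately reversible (a temporary lock, a review), since any automated defense is also a denial-of-service primitive an attacker can trigger on purpose against legitimate users.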

Summary

This chapter has looked at cyber strategies, their necessity, and different strategies that can be used when developing them. The key concern in most cyber strategies is security. Cyber strategies are essential because they move organizations away from assumptions, help centralize decision making about cybersecurity, provide details about the tactics employed towards dealing with cybersecurity, give a long-term commitment to security, and simplify the complexities of cybersecurity. The chapter has looked at the two main approaches used in writing cyber strategies; the attack and defense standpoints.

When written from the attack perspective, cyber strategies focus on the security testing techniques that will be used to find and fix security vulnerabilities. When written from a defense (Blue Team) perspective, cyber strategies look at how best to defend an organization. The chapter has explained the two main defense strategies; defense in depth and defense in breadth. Defense in depth focuses on applying multiple and redundant security tools, while defense in breadth aims at mitigating attacks at the different layers of the OSI model. An organization can opt to use either or both of these in the quest to improve its cybersecurity posture.

Further reading

The following are resources that can be used to gain more knowledge on topics discussed:

  1. https://www.cloudtechnologyexperts.com/defense-in-breadth-or-defense-in-depth/
  2. https://inform.tmforum.org/sponsored-feature/2014/09/defense-depth-breadth-securing-internet-things/
  3. https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021
  4. https://www.enisa.europa.eu/topics/national-cyber-securitystrategies/ncss-map/national_cyber_security_strategy_2016.pdf
  5. https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF