Being Proactively Reactive to Cyber-Threats

Jake Margolis, CISSP, Metropolitan Water District of Southern California (MWD)

Prior to becoming a CISO, I was a soldier. Many of the lessons I learned during my time in the service I continue to apply today in the realm of cybersecurity. I developed this mindset over time because I found that it works, owing to the analogous relationship between cyberspace and a modern-day battlefield. My first deployment to Afghanistan, in support of Operation Enduring Freedom, was over a decade ago, in 2007. The experiences garnered from that deployment later proved foundational to the development of my cyber world view. The battlefield in a place like Afghanistan is not straightforward. There are no front lines. The enemy is unpredictable and is able to conduct offensive operations from nearly any place at any time. One might ask how this applies to cybersecurity. In cyberspace, there are no front lines. The adversary is unpredictable and is able to conduct offensive operations against nearly any target from anywhere at any time. The key to proactively defending the enterprise is to prepare for cyber incidents by understanding the relevant threats and developing plans to counter them.

While preparing for missions in a counterinsurgency environment, I quickly came to realize that the adversary was afforded the majority vote in how my day was going to go. As such, I accepted that I had no control over the adversary's part of the equation. Given these circumstances, I focused on what I could control, and what I could control was being prepared for the fight, should it occur. We had a number of defensive and offensive technologies and support services available to balance the terms of an engagement. My teams would regularly train on these technologies and rehearse the actions we would take to counter the adversary's known tactics, techniques, and procedures (TTPs). This was the mindset: accept what we could not control, and control how ready we were to respond.

CIOs and CISOs likewise have a number of technologies, likely already on hand, to balance the terms of a cyber incident. As in my time as a soldier, as a CISO I know the adversary still holds the majority vote in how my day is going to go. Accepting the unpredictable nature of cyber threats is a given, but it is important to take the time to understand bad actors' TTPs and to determine which ones are relevant when analyzing risks to the organization. Most cybersecurity teams I have encountered are active in the Information Sharing and Analysis Centers (ISACs) applicable to their sector of the economy. It is the burden of the CISO to translate the information gathered from these sources for other executives and the Board in terms of risk to the organization's various lines of business and processes. Over time, correlating relevant threats with risk spreads awareness of cybersecurity throughout the organization. That shared understanding of the threat in turn eases the process of developing and refining cyber incident response plans.

As I stated before, we rehearsed plans to react to various enemy TTPs as part of our standard convoy preparation. Planning is key and is a proactive step in protecting the organization from cyber threats. Consider cyber incident response and threat intelligence as the bookends of a cybersecurity program and a defense-in-depth architecture. Well-developed incident response plans establish roles and responsibilities, clear lines of communication, and standardized sets of actions to address the most likely or common attack vectors. For an incident response plan to be effective, however, rehearsals must take place. At its simplest, a rehearsal is a tabletop exercise. Conducting these exercises is valuable for gleaning lessons learned and applying the newly obtained knowledge to the refinement of new and existing incident response plans. It seems fundamental to be discussing cyber incident response plans in 2019. The reality, however, is that many organizations still struggle to develop a thoroughly tested and actionable response to cyber attacks. Developing these plans to react to incidents is not only a proactive stance but also a fiscally responsible and methodical approach to protecting the organization. Planning and preparing are, by their very nature, proactive activities.

Taking the soldier's approach, CIOs and CISOs can look at emerging threats through a lens that measures both the risk a threat poses and the organization's ability to respond to it. The approach is a thinking framework that helps determine whether a new technology is required, or whether the organization simply needs to adopt a new process or policy to respond to a given cyber threat. I will leave you with this quote about the proactive nature of planning to prepare for cyber incidents: "If you fail to plan, then you are planning to fail" (attributed to Benjamin Franklin).