Could you continue to operate under cyberattack?
I try to be cautious with my use of the term “cyber war.” It is used much too often to describe any type of unpleasant online activity, and its misuse confuses our thinking about the very real threats of military engagement in cyberspace. But there is at least one area in which the military model of operation can be a useful model in cybersecurity.
In an IT environment where compromise is becoming inevitable, the concept of mitigating damage while operating in a degraded environment is becoming increasingly applicable.
An army does its best to protect itself from attack, but military leaders understand that when battle comes they will suffer losses and will be fighting under less-than-optimal conditions, often in situations not of their choosing. An army that cannot continue to operate under those conditions will likely lose the battle.
The false cries and fog of 'cyber war'
IT security traditionally has focused on defense, originally copying the military concept of a secure perimeter and defense in depth with multiple lines of protection. This concept has become less practical with the blurring or elimination of a recognizable perimeter in the enterprise. Attention has shifted to the security of individual components or functions of the enterprise, such as data, communications and access. But the stance still is defensive, and response is almost an afterthought.
In the past couple of years, however, a new reality has become apparent: Compromise is inevitable. It has always been acknowledged that complete security is impossible, but people are now beginning to take the implications of this seriously. In fact, the National Institute of Standards and Technology recognized this in a revision of its guidelines for incident response.
“Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented,” the NIST authors write in the new release of Special Publication 800-61. “An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.”
In other words, although compromise might be inevitable, resistance is not futile. The question, said Phyllis Schneck, chief technology officer of McAfee’s Global Public Sector and a contributor to a recent report on cyber defense, is, “Can we do what the military does so well? Can we run while under attack?”
The job of incident response teams is in one way much simpler than that of the general in the field. The response team is not expected to defeat the attacker but to mitigate the impact and keep things operating as normally as possible. It will be up to others to carry the fight to the enemy. That does not mean the team’s job will be easy, but at least you don’t have to be a Napoleon to do it.
It might seem defeatist to some to accept that they will need to keep systems up and running while locating, identifying and isolating malicious code, rebuilding systems, and doing forensics. But if you are not prepared for this, it increases the likelihood that you will find yourself offline at some point while you are conducting these operations. Most incident response plans at least pay lip service to this fact, but real plans for operating in a degraded environment need to be in place in this new landscape.