Cyber resilience is about keeping the business running while an attack is under way and responding to it effectively. For me, that starts with designing the system so that an attack is quick to detect and slow to carry out, and then having a proven and practised response plan.
Under financial pressure, many network engineers install a flat network with a single firewall at the internet edge. This is cheap and very flexible, because everything can talk to everything else, but it also means an attacker with a foothold on one host can move freely around the network without being noticed.
Adding zoning and separation to the network creates monitoring points, makes lateral movement harder and forces the attacker to become visible. Zoning, DMZ inspection and server/user separation are often dismissed as too costly, but this kind of security architecture matters a great deal.
Even with a flat network and firewall, the architecture can be modified to impede an attack and/or enable the presence of an attacker to be detected.
When approaching this, the main considerations are:
- Place servers and user machines on separate network segments (or microsegments); the boundary between them is a natural monitoring point.
- Implement application whitelisting on servers to reduce the risk of server compromise.
- Do not allow internal servers direct access to the internet (route them through a proxy in the DMZ, for example), both to prevent direct compromise and to block command-and-control traffic.
- Block unnecessary communication between user hosts, for example with a host-based software firewall, to prevent the attacker moving laterally from one workstation to the next.
Making these simple changes enables reliable detection of attackers in the network and makes life much more difficult for them. It is also very cost effective, often requiring little or no investment in new equipment or software: you simply use what you already have more effectively. Monitoring points that the attacker cannot avoid help detect an attack early and let your security operations centre (SOC) follow the attacker's movement through the network, which guides the response and limits the damage.
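As an added illustration of the four measures above and of what the SOC sees at the resulting monitoring points, here is a small detector that applies those rules to flow-log lines collected at the segment boundary and on host firewalls. This is example code written for this page, not from the original article or any product; the segment ranges, the proxy address and port, the log format and the log lines themselves are all invented for the example.

```python
"""Flag lateral-movement and proxy-bypass indicators in flow logs collected
at segment boundaries and on host firewalls (added example, constructed data)."""
import ipaddress
import re
from collections import defaultdict

# Segment plan. Assumption: these ranges and the proxy address are invented
# for this example; substitute the ones from your own network design.
SEGMENTS = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "dmz":     ipaddress.ip_network("10.30.0.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROXY = (ipaddress.ip_address("10.30.0.10"), 3128)  # outbound web proxy in the DMZ (assumed)

# Constructed sample log (not real traffic): one flow per line, key=value
# style, as a segment firewall or host firewall might emit after normalisation.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.10.4.22 dst=10.20.1.5 dport=443 action=allow
2024-05-01T10:00:02Z src=10.10.4.22 dst=10.30.0.10 dport=3128 action=allow
2024-05-01T10:00:05Z src=10.10.4.22 dst=10.10.4.23 dport=445 action=deny
2024-05-01T10:00:06Z src=10.10.4.22 dst=10.10.4.24 dport=445 action=deny
2024-05-01T10:00:07Z src=10.10.4.22 dst=10.10.4.25 dport=3389 action=allow
2024-05-01T10:00:09Z src=10.20.1.5 dst=203.0.113.7 dport=443 action=allow
2024-05-01T10:00:10Z src=10.20.1.5 dst=10.30.0.10 dport=3128 action=allow
2024-05-01T10:00:11Z src=10.20.1.9 dst=10.10.7.3 dport=22 action=allow
garbage line that should be skipped
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def segment_of(ip):
    """Map an address to a named segment, 'internal' (other RFC 1918 space) or 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internal" if any(addr in net for net in RFC1918) else "internet"


def parse(log):
    """Parse key=value flow lines; unparseable lines are skipped rather than fatal."""
    flows = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append({"src": m["src"], "dst": m["dst"],
                          "dport": int(m["dport"]), "action": m["action"]})
    return flows


def check_flow(flow):
    """Names of the segmentation rules a single flow violates (empty list if none)."""
    s, d = segment_of(flow["src"]), segment_of(flow["dst"])
    hits = []
    if s == "users" and d == "users":
        hits.append("user-to-user")            # host firewall should block this
    if s == "servers" and d == "internet":
        hits.append("server-direct-internet")  # proxy bypass, possible C2 channel
    if s == "servers" and d == "dmz" and (ipaddress.ip_address(flow["dst"]), flow["dport"]) != PROXY:
        hits.append("server-to-dmz-not-proxy")
    if s == "servers" and d == "users":
        hits.append("server-to-user")          # wrong direction for client/server traffic
    return hits


def analyse(log, fan_out_threshold=3):
    """Return {source: sorted indicator names} for every source the SOC should look at."""
    findings = defaultdict(set)
    user_peers = defaultdict(set)
    for flow in parse(log):
        hits = check_flow(flow)
        for hit in hits:
            findings[flow["src"]].add(hit)
        # A denied attempt is still evidence: count peers regardless of action.
        if "user-to-user" in hits:
            user_peers[flow["src"]].add(flow["dst"])
    for src, dsts in user_peers.items():
        if len(dsts) >= fan_out_threshold:
            findings[src].add("user-fan-out")  # one workstation probing many peers
    return {src: sorted(hits) for src, hits in findings.items()}


if __name__ == "__main__":
    for src, hits in analyse(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(hits)}")
```

Note that the user-to-user rule fires on denied flows as well as allowed ones: once the host firewall is in place, the blocked attempts are exactly the signal the SOC wants, and a single workstation touching several peers on SMB or RDP ports is flagged separately as fan-out. The server rules only work because the design forbids those paths in the first place; on a flat network the same flows would be indistinguishable from normal traffic.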
Once the attack is detected, you need to put a tried and tested incident response plan into operation. This needs to have clearly identified responsibilities, reporting lines and escalation paths (in case, for example, you need to disconnect from the internet) with up to date contact information. This is essential to ensure that the right stakeholders are available and involved in making any timely decisions. In addition, you may also need to include a media engagement plan.
You also need to address resources, both personnel and technical. These may come from your own internal incident response team, from an external provider on a standby contract, or from a combination of both. In practice, most companies cannot keep an internal IR team fully occupied, and even if you can afford to keep them idle for long periods, these are highly skilled people who would probably get bored and leave.
Finally, a plan that has never been tested is not worth the paper it is written on. It needs to be proven when it is first written and then exercised at least once a year to confirm that it is still current and that contact details and similar information are up to date. Taking these steps lays the groundwork and puts your organisation in a much better position when an attack comes.