If you’re like me, you are hearing a lot right now about cyber resiliency, the need to protect critical infrastructure across all sectors, and “be resilient” to the constant onslaught of attacks. OK, got it, but like many buzz words, what does it really mean?
Many people are accidentally and inappropriately comparing resiliency to prevention. They are not the same. Prevention speaks to keeping a bad actor out of the network – thwarting their attempt to break in, and catching them at the perimeter. It’s the traditional “build a higher wall” approach to ensure the criminals stay on the outside. Prevention-based solutions and strategies are necessary but in general work against existing and known threats and techniques. Bad actors evolve their tactics and techniques, discover new ways to get “through the wall”, and the wall evolves to thwart that particular exploit, whether it’s patching a zero-day issue or adding functionality to identify and block a new technique. While I consider it a necessary part of a complete solution, it’s a constant cat-and-mouse game that is, unfortunately, unwinnable. The sooner each organization realizes that, the better.
In contrast, a cyber resilency strategy assumes that bad actors will in fact breach the network. Criminals will break through the four walls and get inside your environment. It’s inevitable that everyone will be breached – and if you don’t believe it, I have a bridge that I’d like to sell you.
However, just because the cat-and-mouse game isn’t winnable, and just because the bad actors will get in, doesn’t mean that all is lost. In fact, cyber resiliency strategies can automatically identify the anomalies that occur because of breaches — can quickly, effectively and in near real-time identify that something inappropriate is occurring – and alert or otherwise shut it down, thereby rendering the attack inert. Driving resilency in near real-time means that despite the fact that the breach occurs, damage won’t.
Implementing Cyber Resiliency
Think about the way many other systems are designed. The airplanes we travel in on a daily basis are designed to stay airborne even if one engine fails; networks that need to be fault tolerant are designed to be self-healing. When I was designing WAP gateways for the earliest days of mobile Internet, we made sure that the overall design was resilient against individual bugs and defects so that the system continued to deliver service regardless of what fault occurred.
Our cyber defenses must be designed in the same way, which is why implementing cyber resiliency is so critical in 2024. Which raises the question – how?
Being resilient against cyber attacks requires understanding how they work. Today, regardless of how a bad actor breaks into the network, the first step in the attack is communication with their command-and-control – talking to adversary infrastructure that has been setup in advance to control, command, direct, and facilitate the attack. By properly inspecting all outbound communication activity, and knowing what is and isn’t adversarial infrastructure on the Internet, you can quickly and efficiently identify the earliest signs of a breach. When the bad actor first starts beaconing out to command-and-control, or even when the unsuspecting employee accidentally makes the first click on a phishing link, proper identification that the destination is nefarious allows you to stop the communication, and thus foil the attack itself.
Identifying the Communication to Adversary Infrastructure
Identifying the digital exhaust of an attack – the telltale signs that a breach has occurred and is active – by seeing the outbound communication to adversary infrastructure isn’t as hard as you think it might be. But it does require specific expertise and, depending on that level of expertise, can have varying levels of effectiveness. And to be honest, if you’re going to implement resiliency with the desire to improve confidence in your protection against all forms of digital risk, wouldn’t high efficacy be one of the main considerations?
First, you need to see all the outbound DNS requests. Given how easy it is to block a single IP at the firewall, and given how easy it is to change the IP and location of a given domain, more than 90% of all attacks today use DNS as the mechanism to identify how to communicate with their adversary infrastructure. The bad actors constantly invent new techniques and abilities, but cannot avoid the fact that the infrastructure they use to command, control, and direct their attacks must be DNS-routable on the open Internet. Seeing all the outbound DNS requests is the first step.
Second, each DNS request needs to be compared against an authoritative source that knows what is “good and bad” on the Internet – what is and isn’t owned and controlled by bad actors. While many have historically built such systems with lists from various feeds and other information, such implementations are limited in their effectiveness because they are constantly looking in the rear-view mirror at what has happened, not proactively what will be used as nefarious infrastructure in the future.
Getting to True Cyber Resiliency
The key to getting to true cyber resiliency is this ability to get proactive – to map what has happened and what is happening to be able to identify with high accuracy what will happen, which in this case is “will this domain or infrastructure be used for nefarious purposes in the future?”
The best in the business do this – and get their systems and approaches validated by third-parties such as AV-TEST so clients and partners can understand not just the efficacy but the potential for false positives as well. Ultimately, doing it right requires two things: (i) the gathering of data from authoritative sources and (ii) the assembling of that data into a constantly updating and evolving graph database. In this way, the raw information contained and the derived correlations and conclusions don’t just provide intelligence about what is currently being used for nefarious purposes, but proactively about what will be used for said purposes in the future.
That’s how you get to true cyber resiliency. Since the adversarial infrastructure must by definition be setup and established before the attack is launched, seeing the build-up means that your systems can be prepared for the next attack. Even if you don’t know where that attack will come from, and even if you don’t know how they will break in, once they do and they start trying to communicate with their infrastructure to advance their attack, you can see it, stop it, and prevent it.
That’s how we escape the endless and unwinnable cat-and-mouse game. That’s how we level the playing field and take a different approach to addressing cyber risk against all facets of the business and digital risk. And that’s cyber resiliency.
About the Author
David Ratner, CEO, HYAS
After obtaining his Ph.D. in Computer Science, David Ratner has spent his career in various areas of software and technology, from writing code to scaling and growing venture-backed, private-equity owned, and public companies. Currently he serves as the CEO of HYAS and leads both the long-term vision and the day-to-day mission to bring game-changing solutions to HYAS clients around the world. Previously, Ratner was the CEO of Realm, which he sold to MongoDB in 2019. Ratner has international B2B experience in all geographies, over two million lifetime flight miles, is a martial-arts black-belt, and currently resides in Silicon Valley.