Companies must have strategies to improve cyber resilience and ensure business continuity during attacks
A few days ago, the Spanish National Police warned about a new distribution campaign of the notorious Lockbit Locker ransomware, which targets architecture firms. The criminals send emails to potential victims posing as the photography company Fotoprix. In these emails, they ask the firms for a quote to renovate some premises. So that the firms can prepare the estimate, the criminals attach a file that supposedly contains the specifications of the renovation. However, once downloaded and executed, the file installs the ransomware, which encrypts the sensitive data on the corporate computer.
This case adds to an endless list of attacks against companies in all economic sectors, regardless of size or turnover. Once again, it highlights the need for businesses to pay special attention to a concept that is becoming increasingly relevant: cyber resilience.
Strengthening cyber resilience is vital for companies: it allows them to detect and respond to hostile actions, ensure business continuity, restore normal operations, safeguard their assets, and align business objectives with cybersecurity requirements and needs.
In this article, we will dissect the concept of cyber resilience, present the future European cyber resilience regulation, and highlight the importance of hiring comprehensive cybersecurity services to protect a business over time.
1. What is cyber resilience?
The Dictionary of the Spanish Language gives two meanings for the word resilience, which allow us to lay the foundations of what cyber resilience means and why it is relevant today:
- Adaptive capacity of a living being in the face of a disturbing agent or an adverse state or situation.
- The capacity of a material, mechanism, or system to recover its initial state when the perturbation to which it had been subjected has ceased.
Transferred to the field of cybersecurity, cyber resilience refers, on the one hand, to the ability of companies to adapt their security strategies to a changing threat landscape in order to deal successfully with cyberattacks, optimizing their detection, containment, and response mechanisms and policies. On the other hand, it refers to the ability to ensure business continuity and restore normal operations when a security incident occurs.
Cyber resilience combines a company’s security plans and defensive capabilities to protect its systems and information while safeguarding business interests, so that, in the event of a security incident, the company can continue to operate effectively, avoiding paralysis and the economic and reputational consequences that come with it, or, at least, can resume its business operations in the shortest possible time.
In a context such as the current one, in which new vulnerabilities affecting digital assets are detected daily, and cyber-attacks are becoming more common, sophisticated, and potentially damaging, companies need to have a cyber resilience strategy to address the risks and threats they face.
2. Characteristics and objectives of cyber resilient systems
What goals should a cyber resilience strategy pursue? The National Institute of Standards and Technology (NIST) in the United States has published a guide, Special Publication 800-160 Volume 2 (Developing Cyber-Resilient Systems), to help companies and cybersecurity professionals design cyber resilient systems.
In this guide, NIST emphasizes that any cyber resilience strategy should:
- Focus on protecting the elements and systems that support critical business missions and functions to ensure business continuity in a security incident, even if this means sacrificing non-critical components.
- Adapt to a changing threat environment. Technology evolves rapidly, and hostile actors continually develop new tactics, techniques, and procedures. Therefore, companies’ security strategies must be able to adapt to technical and operational changes.
- Focus on the effects of advanced persistent threats. Cyber resilience strategies must consider the entire threat landscape, but, above all, they must focus on APTs, i.e., the most sophisticated and complex threats, whose impact on a company’s operations can be more significant and more challenging to mitigate, even seriously affecting business continuity.
- Assume that hostile actors can compromise a company’s systems without being quickly detected and can persist for an extended period in the company’s IT infrastructure. Taking this scenario as a starting point is essential for designing a comprehensive cyber resilience strategy whose defensive capabilities are optimized to cope with the most dangerous and complex threats.
2.1. Objectives of a cyber resilience strategy
From these essential characteristics of a cyber resilient system, NIST summarizes and systematizes the fundamental objectives to be pursued when improving a company’s cyber resilience:
- Prevent the successful execution of an attack.
- Prepare for possible hostile actions by anticipating them.
- Maintain the continuity of the company’s essential functions during a security incident.
- Limit the damage caused by a security incident.
- Restore the company’s processes and activities after an incident.
- Understand the dependencies and status of resources in a potentially adverse situation.
- Modify workflows related to critical functions and incident response and recovery plans for critical assets to address threats.
- Implement changes to critical systems and infrastructure architectures that support essential functions to increase their protection.
3. Cyber resilience to secure against the most common risks and APTs
The cyberattack described at the beginning of this article illustrates some of the most common trends in the current threat ecosystem: phishing campaigns, the proliferation of ransomware as a service, and mass campaigns that target large companies and SMEs alike.
This example shows why every company, whatever its size, should design and implement a strategy to improve its cyber resilience against the most common attacks.
However, as NIST points out, the concept of cyber resilience becomes more relevant when we focus on advanced persistent threats (APTs). That is, those threats that are characterized by:
- A high level of expertise, motivation, and resources on the attackers’ side.
- Use of multiple attack vectors.
- Malicious objectives: obtaining confidential information, stealing intellectual property, damaging company systems, and even endangering people’s health or undermining the reputation and operability of the attacked company.
- Long duration and evolution of the attacks over time.
As these threats are highly sophisticated and persistent over time, they require companies to have a comprehensive and advanced security strategy to optimize their detection, response, containment, and recovery capabilities.
Such a strategy must combine permanent and proactive monitoring to detect the tactics, techniques, and procedures of APT groups with the strengthening of defensive capabilities, for example, through Red Team services that emulate APT compromises.
4. From DORA to CRA, cyber resilience in the European regulatory framework
Making European companies increasingly cyber resilient is a central goal of the European Union, as shown by the consolidation of an increasingly demanding regulatory framework. Last year saw the final approval of the DORA regulation (Regulation (EU) 2022/2554), which aims to ensure the digital operational resilience of financial entities in the European Union.
To achieve this, the regulation focuses on ICT risk management and on digital operational resilience testing, including threat-led penetration testing carried out by qualified cybersecurity professionals. It should be noted that DORA penalizes non-compliance with administrative sanctions and corrective measures, which can also be directed at members of the company’s management body who fail to meet their obligations.
Also in 2022, the European Commission published its proposal for a cyber resilience regulation, popularly known by its acronym CRA (Cyber Resilience Act).
This regulation, which still has to be negotiated between the Parliament and the Council, aims to protect businesses and consumers from digital products with inadequate security features, helping to improve organizations’ cyber resilience against attacks on their digital assets.
The current draft of the regulation, which is expected to be approved in the coming months, sets out four specific objectives for the future regulation:
- Ensure that hardware and software manufacturers enhance the security of their products from design and throughout their lifecycle.
- Put in place a coherent cybersecurity framework to be complied with by hardware and software producers.
- Make digital products more transparent about their security features.
- Ensure that businesses and consumers use digital products securely.
4.1. CRA: Penalties of up to 15 million euros for non-compliance with the essential requirements
To this end, several obligations are established for manufacturers, including the need to perform a cybersecurity risk assessment before placing a product on the EU internal market, as well as a set of essential cybersecurity requirements that fall into two broad groups:
- Requirements relating to the properties of products with digital elements. For example, products must be designed and produced securely, delivered with a secure configuration, have mechanisms to control unauthorized access, protect the confidentiality and integrity of data, or defend the availability of critical functions, including resilience against denial-of-service attacks.
- Vulnerability management requirements. For example, identifying and documenting the vulnerabilities and components of a product (including a software bill of materials), delivering security updates that fix vulnerabilities without delay, and performing regular security testing of products.
The European Commission’s proposal, which has yet to be amended and negotiated by the Parliament and the Council, provides for fines of up to €15 million or up to 2.5% of worldwide annual turnover, whichever is higher, for companies that violate the essential cybersecurity requirements.
5. Comprehensive cybersecurity services to ensure business continuity
As we have pointed out throughout this article, strategies to improve cyber resilience have three priority missions: strengthening the organization’s defensive capabilities, guaranteeing business continuity, and facilitating the return to normal operations after a security incident.
To fulfill these missions, it is essential to rely on advanced cybersecurity services that help companies detect and prevent threats, manage vulnerabilities in their IT infrastructure, and optimize security mechanisms, policies, and plans.
Tarlogic Security offers companies a 360 solution to improve their cyber resilience, strengthen their assets’ security, and maintain business continuity when a security incident occurs, even when faced with advanced persistent threats.
5.1. Security testing, vulnerability management, compromise assessment and training
Tarlogic’s portfolio of cybersecurity and cyber intelligence services includes all essential activities to deploy an effective and adaptive cyber resilience strategy:
- Continuous security audits (DAST, SAST, SCA, SCS) to detect vulnerabilities affecting business assets and be able to mitigate them before they are successfully exploited.
- IT vulnerability management, 24/7 emerging vulnerability detection, denial of service (DoS) testing, and dynamic cybersecurity risk and threat prioritization to detect problems, prioritize their mitigation, and prevent attacks that threaten business continuity.
- Compromise assessment services to detect and analyze malicious activity, isolate compromised systems, and successfully expel hostile actors.
- Training and awareness-raising activities for a company’s professionals: advanced social engineering campaigns, secure programming, support and awareness-raising for senior management, training of response and mitigation teams in new criminal TTPs, etc.
5.2. Improving cyber resilience in the face of APTs
In addition to its extensive experience in designing and deploying the cybersecurity services described above, Tarlogic has developed a strategy to improve a company’s cyber resilience in the face of advanced persistent threats. This program combines offensive security services, such as Red Team exercises, with defensive security services, such as Threat Hunting:
- Targeted attack against the organization that emulates an APT: infecting corporate systems, controlling compromised computers, and performing the impact activities previously agreed with the company, in order to analyze the effectiveness of its security mechanisms and policies and improve its cyber resilience.
- Identification of opportunities to improve cyber resilience against APTs. Tarlogic’s Threat Hunting professionals continuously monitor the main APT groups to study their TTPs, which provides them with a wealth of information to design improvements in threat detection, APT response, security team training (Blue Team, Threat Hunting, SOC), and the maturity of the company’s defensive capabilities.
In short, every year cyber-attacks cause greater economic losses to companies worldwide, especially when the security incident affects business continuity.
To counter this trend, companies must implement strategies to improve their cyber resilience against the most common attacks and, above all, against advanced persistent threats. Security and business must go hand in hand, and company management must place this pairing at the top of its strategic priorities. Protecting their business models means hiring advanced cybersecurity services, complying with the regulatory framework, and improving their security posture.