The Trusted Source In Critical Assets Identification For Increased Cyber Resilience
What are the High Value Targets?
High Value Targets (HVTs) are information systems, roles, third parties and data for which unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to an organization’s ability to perform its mission or conduct business. These systems may contain sensitive controls, configurations, instructions or data that are then leveraged for the management of critical information systems; they may house unique collections of secrets; and they may be systems that perform defensive operations (such as delivering protect, detect, investigate and respond capabilities).
HVTs can also be referred to as transversal technology supporting important business services (or an organization’s crown jewels), which need to be identified and properly secured to better handle the environmental changes caused by an advanced adversary.
Why are High Value Targets important?
Current Cyber Resilience and Business Impact Analysis (BIA) industry best practices lack clear guidance on how organizations can identify the value that an advanced attacker places on possible targets, which defines the tactical reliance on the attack value chain from an architectural system standpoint.
By identifying that value, you can prioritize your security budget without over-investing in controls for some assets (Crown Jewels) and under-investing in others (HVTs).
The main purpose of an organization’s cyber resilience efforts is to implement best practices, strategies and techniques that ensure the survivability of essential functions during a coordinated, destructive cyberattack. This goal is achieved by making it costly and difficult for advanced adversaries to break into an organization’s environment and to maintain a stealthy presence, thereby strengthening the system-of-systems’ ability to recover mission-critical functions after adversity.
Once HVTs are identified, secured and continuously governed, an organization’s cyber resilience posture is significantly increased.
Read about the seven High Value Target design principles that underpin our work:
- Open to the community, evolvable
- Focused on inherent impact of assets
- Produces a quantifiable outcome
- Aligned to authoritative sources
High Value Target allows you to focus defenses where they matter most. Definitions can be hard, but certain systems are highly targeted by threat actors because they perform functions critical to trust and are thus stepping-stones into everything else. The High Value Target methodology homes in on often-overlooked but critical assets.
Once you identify the High Value Target you can:
- Contingency plan, train and exercise for when things go wrong and increase readiness to adapt against imminent attacks based on predicted intelligence.
- Develop resiliency reporting that measures performance with transparency, accuracy and precision.
"The High Value Target (HVT) methodology is exactly what organizations and their leaders need to be thinking about as they seek to defend themselves, their critical infrastructure and their business. It is no longer good enough – frankly it hasn’t been for a while – to try to defend everything.
As Alexander the Great said, “if you try to defend everything, you defend nothing!”.
Using HVTM thinking, you integrate your cyber defense assets and your overall architecture into a MITRE ATT&CK supported, cyber resilience posture with an immediately useful, quantifiable risk method across all of your cyber terrain.
This is the way we need to go and High Value Target will get you there!"
John Felker
Former Assistant Director,
United States Cybersecurity and Infrastructure Security Agency (CISA)
What is Cyber Resilience?
Business world
Cyber Resilience is an outcome of Cyber Security and Operational Resilience and is defined as “the ability of an organization to transcend any stresses, failures, hazards and threats to its cyber resources within the organization and its ecosystem, such that the organization can confidently pursue its mission, enable its culture and maintain its desired way of operating” (WEF, 2022).
Technical world
Cyber Resilience is an extension of Cyber Security and is defined as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources” (MITRE, 2018).
Cyber Resilience is grounded in NIST 800-160 and MITRE CREF (the most authoritative industry resources available today).
Defining High Value Targets
Categories of HVTs
- Critical infrastructure targets, an organization’s assets whose unavailability, exposure, modification or corruption would significantly disrupt an organization's mission;
- Control plane targets, an organization’s assets which contain sensitive controls, configurations and instructions;
- Cyber defense targets, an organization’s assets which provide protective, detective, investigative and responsive capabilities;
- Informational value targets, an organization’s assets which contain significant value in the form of stored or transit data, otherwise referred to as crown jewels.
Pre-Compromise Attributes
- Stealthiness, the target could provide an adversary with the ability to bypass detection tools;
- Internal prospecting, the target could provide an adversary visibility into the control plane;
- External exposure, the asset could be exposed to an adversary for initial compromise due to its location in accessible zones, and could allow pivoting from non-trusted to trusted networks.
Compromise Attributes
- Stores secrets, the asset could provide an adversary access to stored secrets that can be stolen or abused;
- Infiltrate comms, the asset could provide an adversary access to defender in-band or out-of-band communication tools;
- Blindside defense, the asset could provide an adversary the ability to impair investigative capabilities and detective visibility to the defender.
Post-Compromise Attributes
- Tamper prone, the asset’s functionalities could be weaponized by an adversary to support malicious actions such as confusing the defense;
- Inhibit restoration, the asset could provide an adversary the ability to permanently damage backup and restore capabilities;
- Stores data, the asset could provide an adversary access to highly valuable data or a large amount of data;
- Widespread presence, the asset’s pervasive implementation and capabilities could provide an attacker the means to dynamically establish a foothold within the environment.
NIST Special Publication 800-160 v2 and how High Value Target aligns to it
NIST Special Publication (SP) 800-160, Volume 2, focuses on cyber resiliency engineering—an emerging specialty systems engineering discipline applied in conjunction with systems security engineering and resilience engineering to develop survivable, trustworthy secure systems. Cyber resiliency engineering intends to architect, design, develop, implement, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources. From a risk management perspective, cyber resiliency is intended to help reduce the mission, business, organizational, enterprise, or sector risk of depending on cyber resources.
Focus on Common Critical Assets
- Appendix E (E.5.1.1) – “A focus on critical assets (i.e., resources valued due to their importance to mission or business accomplishment) is central to contingency planning, continuity of operations planning, and operational resilience, as well as to safety analysis.”
- Appendix E (E.5.1.1) – “Determining which properties or attributes make the asset critical (e.g., correctness, non-observability, availability) or high value (e.g., providing access to a set of critical system elements, providing information which could be used in further malicious cyber activities)”.
Understand the context
- 3.2.1.3 Identify the Operational Context - “Identify whether the system is or contains high value assets (HVAs)”.
- 3.2.3 Analyze the system – “Second, an adversarial perspective is applied to identify high value primary and secondary targets of APT actors”.
- 3.2.3.2 Represent the Adversary Perspective - “Depending on the scope of the analysis, these attack scenarios can be complemented by scenarios driven by adversary goals, scenarios targeting critical assets or high value assets, or scenarios that take advantage of sources of fragility.”
Cyber Resiliency considerations
- Appendix F (SN-2.3) – “SN-2.3 Prioritize assets based on the adverse consequence of asset loss. An asset which initially appears to have low priority to stakeholders can be a high value target to an adversary”.
Additional Resources
High Value Target is a concept to enable the cyber community to be more effective at defining our defensive strategies and approaches.
Everyone is welcome to contribute at this public GitHub repo:
GitHub High Value Target Discussions
Cyber Resilience FAQ
We recommend checking out the ISSA.org Cyber Resilience Special Interest Group (SIG) FAQ page on GitHub.
Cyber Resilience Quotes
Various quotes aiming to inspire and help limit the gap between Cyber Security, Cyber Resilience and others.
Cyber Resilience Definitions
An "all you need to know" small set of Cyber Resilience definitions from various authoritative sources.
Who Retains The Knowledge For High Value Targets?
The Cyber Resilience Officer is accountable for the organization’s ability to manage cyber resilience and for implementing cyber-resilience goals. As such, the Cyber Resilience Officer should drive the need for ensuring the High Value Targets are properly identified, protected, assessed and governed.
The Cyber Resilience Officer should have regular Board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties.
The role should be formally defined and documented with clearly understood expectations and obligations.
The organization has clear mechanisms for providing the Cyber Resilience Officer ready access to each of the following: communication with the Board of Directors; empowerment over cyber-resilience strategy, management and enforcement actions; cyber-resilience expertise and executive training; the acquisition of personnel, financial and technology resources.
Strategic Partnership
The Chertoff Group and High Value Target have developed a joint offering to deliver cyber resilience managed services. It will help organizations better anticipate, withstand and recover from cyber threats. By identifying high value assets and developing plans to address gaps in resiliency, leaders can achieve confidence in the organization’s ability to survive and recover from a disruptive cyber attack.