Cyber Resilience Manifesto

Cyber Resilience is achieved by making it costly and difficult for intruders to break into our environment and maintain presence in the systems, as well as by strengthening the system-of-systems' ability to recover business functions after adversity. One of the first steps to kick-start a Cyber Resilience program is to identify the critical data, processes and systems that are high value assets and to develop plans to address gaps in resiliency.
Once identified, those key assets can be designed, implemented and maintained appropriately by leveraging existing cyber resilience best practices. This perspective is particularly relevant for addressing Advanced Persistent Threats (APT), which may execute a coordinated, destructive, long-lasting attack against an organization. APT actors do not aim to compromise only the most vulnerable or less protected assets in order to carry out their mission.
In fact, they may specifically decide to attack the assets that can provide them maximum gain towards the achievement of their objectives. These assets are referred to as High Value Targets.

The 4RRT Model (reads as "art") is a simple yet powerful approach that helps professionals consider the key elements needed to kick-start the right defensive initiatives and strategies. It is based on four key components: Assets, Risk, Requirements, Threats.

Infographics for the 4RRT Model 

The 4 key differences between Cybersecurity and Cyber Resilience


We'll start by pointing out the ultimate definitions of Cyber Resilience:

  • Business world - Cyber Resilience is an outcome of Cyber Security and Operational Resilience and is defined as “the ability of an organization to transcend any stresses, failures, hazards and threats to its cyber resources within the organization and its ecosystem, such that the organization can confidently pursue its mission, enable its culture and maintain its desired way of operating” (WEF, 2022).
  • Technical world - Cyber Resilience is an extension of Cyber Security and is defined as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.” (NIST 800-160 v2 r1). Cyber Resilience is grounded in NIST 800-160 v2 r1 and MITRE CREF (the most authoritative industry resources known nowadays).


This brings us to the first two differences between cyber resilience and cyber security.


  • Difference #1: Cybersecurity encompasses a wide set of controls from NIST 800-53 r5 (by definition, a set of security baseline controls), ~ 1100 controls. Cyber resilience aims to extend the depth at which a small set of controls are designed and then perform (this set of controls is outlined in NIST 800-53 but NIST 800-160 and 800-172 expand these), ~ 200 controls.
  • Difference #2: Cybersecurity focuses on protecting all assets, with special focus on high value assets (business view). Cyber resilience focuses on protecting primarily high value targets (adversary view).


There are five strategic pillars of Cyber Resilience – they are articulated in both NIST 800-160 and MITRE CREF: 

  1. Limited organizational resources need to be applied where they can provide the greatest benefit. This results in a strategy of focusing first on assets which are critical, and ensuring our environment works in our favour, and not the attackers', avoiding saturation of response capabilities.
  2. Not only does the threat landscape change as adversaries evolve, so do technologies and the ways in which individuals and organizations use them. Both agility and adaptability are integral to the risk management strategy in response to the risk framing assumption that unforeseen changes will occur in the threat, technical, and operational environment through a system’s lifespan. 
  3. A large attack surface is difficult to defend, requiring ongoing effort to monitor, analyze, and respond to anomalies. Reducing attack surfaces reduces protection scope costs and makes the adversary concentrate efforts on a small set of locations, resources, or environments that can be more effectively monitored and defended. On top of this, disrupting the attack surface is key in order to make it harder for the adversary to achieve a foothold.
  4. Systems and system components, ranging from chips to software / running services, can be compromised for extended periods without detection. Some compromises may never be detected. Systems must remain capable of meeting performance and quality requirements, nonetheless. 
  5. Advanced cyber adversaries invest time, effort, and intelligence-gathering to improve existing TTPs and develop new ones. Adversaries evolve in response to opportunities offered by new technologies or uses of technology, as well as to the knowledge they gain about defender TTPs. In addition, within a short time, the tools developed by advanced adversaries become available to less sophisticated adversaries. This is why systems and missions need to be resilient in the face of unexpected attacks.

Therefore Cyber Resilience needs to articulate key, continuously evolving risks from advanced adversaries which expand beyond the traditional “severe but plausible” and fit the “extreme but plausible” scenarios, in order to develop artifacts that can translate into best practices, strategies, and techniques to ensure the survivability and evolvability of the Group's essential functions during (and after) an advanced destructive cyberattack.


  • Difference #3: Cybersecurity focuses on “severe but plausible” threat scenarios against adversaries who go after the less protected and the most vulnerable – NIST 800-53 controls provide adequate protection against these. Cyber resilience focuses on “extreme but plausible” threat scenarios against adversaries who may pivot from primary organizational impacts to secondary impacts, potentially causing unknown harm to the organization as a whole – NIST 800-160 and NIST 800-172 provide the needed techniques and approaches, which have corresponding controls in NIST 800-53 r5, though at a deeper level of detail.


If we align the eight objectives of Cyber Resilience with known risk methodologies (FAIR, OpenGroup), we realize that a key focus area for building cyber resilient systems is reducing the magnitude of impact, as this requires the application of specific architecture and engineering concepts defined by NIST 800-160, NIST 800-172 and MITRE CREF:

  1. Reducing impact (Constrain, Continue, Reconstitute) - (i.e., the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability). 
  2. Reducing likelihood of occurrence (Understand, Prevent) - (i.e., the likelihood that a threat event or a threat scenario consisting of a set of interdependent events will occur or be initiated by an adversary).
  3. Reducing likelihood of impact (Understand, Prepare, Constrain, Transform, Re-Architect) - (i.e., the likelihood that a threat event or scenario will result in an impact given vulnerabilities, weaknesses, and predisposing conditions). 

  • Difference #4: Cybersecurity focuses on reducing likelihood of occurrence as well as reducing likelihood of impact through the application of security frameworks such as the NIST CSF. Security is about keeping the adversary from doing harm. Cyber resilience focuses on reducing magnitude of impact, which can be achieved by specific security architecture and engineering practices such as MITRE CREF. Resiliency recognizes that harm may occur and focuses on how to maximize mission achievement despite that.

What does a good Cyber Resilience strategy look like

A cyber resilience strategy recognizes that despite the best protection measures implemented by organizations, the APT may find ways to compromise or breach boundary defenses and deploy malicious code within a defender’s system. When this situation occurs, the organization must have access to safeguards and countermeasures to detect, outmaneuver, confuse, deceive, mislead, and impede the adversary—that is, “removing the adversary’s tactical advantage and protecting the organization’s high value assets” (NIST 800-172). In order to assess whether our systems are cyber resilient, we need to perform Cyber Resilience Analysis which “is intended to identify where, how, and when cyber resiliency techniques can be applied to improve architectural resiliency against advanced cyber threats” (MITRE, 2016). 

To wrap up, a state-of-the-art cyber resilient Enterprise is able to achieve the following high-level outcomes: 
  • Identify (and plan for) impacts and risks that emerge from its own attack surface and the external threat landscape, then dynamically re-define defensive architecture mitigations to protect its core assets.
  • Design its processes (risk, architecture and more) to be resilient by default by identifying the goals, objectives, techniques and approaches required.
  • Identify and protect the assets that allow the Enterprise to withstand a prolonged fight against an advanced adversary, assuming a period where the attacker may be undetected or is present in components outside of the organization’s visibility (e.g. suppliers or software supply chain).
  • Identify and protect its own Enterprise assets that can be weaponized against the company itself due to the architectural nature of these systems.
  • Identify and protect its own Enterprise assets which constitute last-resort capabilities to recover in case the existing and DR environments are compromised (and hence cannot be trusted for recovery).
  • Identify (and address) lessons learned from other Enterprises that believed themselves to be resilient but got annihilated by advanced adversaries.
  • Effectively measure its capabilities, spotting potential weak spots before they become failures by tracking its capabilities against peers and analyzing events.

All these outcomes are achieved by exhibiting mastery of the following ten objectives of a cyber resilient enterprise: 
  1.  The organization needs the ability to predict adversary attacks. 
  2.  The organization needs the ability to prevent adversary attacks. 
  3.  The organization needs the ability to prepare for adversary attacks. 
  4.  The organization needs the ability to fight through cyberattacks. 
  5.  The organization needs the ability to contain or defeat the adversary. 
  6.  The organization needs the ability to determine damages caused by a cyber adversary. 
  7.  The organization needs the ability to restore. 
  8.  The organization needs the ability to determine reliability. 
  9.  The organization needs the ability to transform existing processes and behavior. 
  10.  The organization needs the ability to re-architect.

Who Drives Your Cyber Resilience Risk Strategy?

The Cyber Resilience Officer is accountable for the organization’s ability to manage cyber resilience and for implementing cyber-resilience goals. 
A Cyber Resilience Risk Strategy is a document which defines the north star towards a cyber resilient enterprise and should be an integral part of a well-crafted cyber security strategy.
The Cyber Resilience Officer should have regular Board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties. 
The role should be formally defined and documented with clearly understood expectations and obligations. 
The organization has clear mechanisms for providing the Cyber Resilience Officer ready access to each of the following: communication with the Board of Directors; empowerment over cyber-resilience strategy, management and enforcement actions; cyber-resilience expertise and executive training; the acquisition of personnel, financial and technology resources.

Read about our proposal for a new role for the industry called "Cyber Resilience Officer":
www.cyberresilienceofficer.org

Copyright ©2022 High Value Target, All Rights Reserved.

High Value Target ®

Email: contact@highvaluetarget.org

We are a research firm that specializes in designing methodologies aimed at significantly increasing an organization’s cyber resilience posture against sophisticated cyber threats. We are actively engaged in leading cybersecurity communities and collaborate with best-in-class peers such as MITRE, ISSA, FIRST, NIST, OASIS Open.