STRAT - A System-Centric Approach to Cyber Resilience

Given at the SANS CTI Summit 2025 with Chandler McClellan.

Scott J. Roberts

March 04, 2025

Transcript

  1. The Problem: Cyber Threat Intelligence is useful for 3 things:
     • Situational Awareness
     • Detection Engineering
     • Marketing
  2. Setting the Stage
     • A brief introduction to systems thinking
     • A briefer introduction to resilience
     • Applying STRAT to cyber resilience
  3. What is Systems Thinking?
     • A structured approach for thinking about complex interactions
     • Mapping attacker approaches to defensive approaches
  4. Why Think in Systems?
     • Anticipating 2nd and 3rd order effects
     • Integrates risk modeling, system design, and threat intelligence to improve resilience
     • Last of all…
  5. Retention: The ability of the system to maintain its core function after being impacted by the threat
  6. Recovery: The ability of the system to recover some baseline level of core function after impact from a threat
  7. How do we build resilience?
     • Redundancy
     • Diversity
     • Centralization or Decentralization
     • Adaptability
     • Imaging
     • Alignment
     • Stakeholder engagement
     • Self-organization
     • Communication
  8. What is STRAT?
     • The System-Centric Threat and Resilience Assessment Tool (STRAT) is a methodology for practitioners across various fields to identify and build resilience in systems, including both human and material components
     • Developed by Dr Jeannie Johnson and Briana Bowen
     • Ongoing development and active research by Dr Jeffery Taylor at Utah State University for CAI5200 - Threats and Resilience in the Knowledge Century
  9. The STRAT Method
     • Choose a system for study
     • Scatterplot potential threats across a Risk x Probability Matrix
     • Choose a group of threats for study
     • Map system properties
     • Identify resilience components of the system
     • Assess current resilience of the system to the identified threats
     • Provide recommendations to increase resilience
  10. STRAT: Choose a system for study
     • Complexity
     • Potential vulnerabilities
     • Critical assets
     • Stakeholder interests
     • Impact on operations
     • Strategic objectives
  11. STRAT: Choose a group of threats for study
     • Potential impact
     • Cascading effects
     • Resource availability
     • Organizational concerns
  12. STRAT: Map system properties
     • Dynamic Complexity
     • Impact Points
     • Propagation Paths
     • Feedback Analysis
     • Delay Considerations
     • Resilience Factors
     • Bounded Rationality
  13. STRAT: Identify resilience components of the system
     • Resistance: The ability of the system to prevent the threat from impacting the system
     • Retention: The ability of the system to maintain its core function after being impacted by the threat
     • Recovery: The ability of the system to recover some baseline level of core function after impact from a threat
     • Resurgence: The system’s ability to improve after a threat
  14. STRAT: Assess current resilience of the system to the identified threats
     • Develop a Scoring System (1-5 scale): rate the effectiveness of each resilience component against the threat
     • Resistance Metrics: Time to detect threats, percentage of threats prevented
     • Retention Metrics: Percentage of critical functions maintained during disruption, time critical functions can be sustained
     • Recovery Metrics: Time to restore full functionality, percentage of data/operations recoverable
     • Resurgence Metrics: Time to implement lessons learned, number of improvements made post-incident
  15. STRAT: Provide recommendations to increase resilience
     • Technological solutions
     • Process improvements
     • Organizational changes
     • Training and awareness
     • Policy updates
     • Partnership and collaboration
  16. STRAT Example: Choose a System
     • The system in focus is a company's IT infrastructure that uses MOVEit Transfer for secure file transfers.
     • This includes the MOVEit Transfer instances, connected endpoints, networks, and related data backups.
  17. STRAT Example: Choose In-Depth Threat
     • Threat: Ransomware deployed through MOVEit Transfer instances compromised via CVE-2023-34362, encrypting sensitive data handled by the platform and spreading to connected systems
     • Vulnerabilities: Unpatched MOVEit Transfer instances, inadequate network segmentation, lack of backup segregation
     • Potential impact: Encryption of critical data handled by MOVEit, operational disruption, reputational damage, financial losses
     • Probability: High, given the prevalent exploitation of the MOVEit vulnerability and the value of data handled by the platform
  18. STRAT Example: Identify Resilience Components
     • Resistance: Network Security
     • Retention: Access Controls
     • Recovery: Backups, Incident Response
     • Resurgence: Patching, After Action Report
  19. STRAT Example: Assess & Score Resilience
     • Resistance: 2/5 - Default security settings
     • Retention: 3/5 - Regular backups, but not segregated from MOVEit
     • Recovery: 1/5 - No incident response plan
     • Resurgence: 2/5 - Patches applied, no after-action report
     Overall, the company's resilience to a MOVEit-enabled ransomware attack is lacking and needs significant improvement.
  20. STRAT Example: Provide Recommendations (with the resilience-building factor from slide 7 that each draws on)
     • Immediately patch all MOVEit Transfer instances to address CVE-2023-34362 (Adaptability)
     • Implement strict network segmentation around MOVEit instances (Alignment)
     • Configure granular access controls and logging on MOVEit
     • Establish segregated, offline backups of all data handled by MOVEit (Decentralize)
     • Conduct MOVEit-focused security awareness training for all users (Stakeholder Engagement)
     • Perform regular threat hunting and penetration testing on MOVEit instances (Imaging)
     • Evaluate transitioning high-risk data flows away from MOVEit to more secure solutions (Redundancy)
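The assess-and-score step of the method (slide 14) run over the worked example (slides 16-19), as an added illustration that is not part of the deck: the four components and the 1-5 scale are STRAT's and the scores and reasons are slide 19's, while `metric_to_score`, its cutoffs, and the rule that any component under 3/5 makes the posture "lacking" are assumptions made here to show how raw slide-14 metrics become ratings and how recommendations get ordered weakest component first.

```python
# STRAT assess-and-score step (slide 14) applied to the deck's MOVEit example.
# Added illustration: scores and reasons are slide 19's; the metric cutoffs
# and the 'lacking' rule are assumptions made here, not part of STRAT.
from dataclasses import dataclass, field

COMPONENTS = ("Resistance", "Retention", "Recovery", "Resurgence")


def metric_to_score(value: float, cutoffs: list[float], lower_is_better: bool = True) -> int:
    """Map a raw slide-14 metric (hours to restore, % of threats prevented, ...)
    onto 1-5 using four ascending cutoffs; the cutoff values are the caller's assumption."""
    if len(cutoffs) != 4 or cutoffs != sorted(cutoffs):
        raise ValueError("need four ascending cutoffs")
    exceeded = sum(value > c for c in cutoffs)  # 0..4 cutoffs exceeded
    return 5 - exceeded if lower_is_better else 1 + exceeded


@dataclass
class Assessment:
    system: str
    threat: str
    scores: dict[str, int]  # component -> rating on STRAT's 1-5 scale
    rationale: dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Reject anything that is not an integer 1-5 for every component.
        for comp in COMPONENTS:
            s = self.scores.get(comp)
            if not isinstance(s, int) or not 1 <= s <= 5:
                raise ValueError(f"{comp} must be an int in 1..5, got {s!r}")

    def weakest_first(self) -> list[tuple[str, int]]:
        """Lowest-scored component first: that is where recommendations go first."""
        return sorted(((c, self.scores[c]) for c in COMPONENTS),
                      key=lambda cs: (cs[1], COMPONENTS.index(cs[0])))

    def verdict(self, floor: int = 3) -> str:
        """Assumed rule: a component under `floor` makes the whole posture 'lacking',
        because an attack only has to beat the weakest of the four stages."""
        low = [c for c, s in self.weakest_first() if s < floor]
        return f"lacking: {', '.join(low)} below {floor}/5" if low else "adequate"


# Slides 16-19 transcribed as data.
MOVEIT = Assessment(
    system="Company IT infrastructure using MOVEit Transfer",
    threat="Ransomware via MOVEit instances compromised through CVE-2023-34362",
    scores={"Resistance": 2, "Retention": 3, "Recovery": 1, "Resurgence": 2},
    rationale={"Resistance": "Default security settings", "Recovery": "No incident response plan",
               "Retention": "Regular backups, but not segregated from MOVEit",
               "Resurgence": "Patches applied, no after-action report"},
)
```

`MOVEIT.weakest_first()` puts Recovery (1/5) at the top, matching the deck's first-priority gap, and `MOVEIT.verdict()` reproduces the slide's "lacking" conclusion.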
  21. Summary
     • Defense is more than just IOC & TTP lists
     • Defense is more than awareness, detection, and marketing
     • Meaningful recommendations mean a focus on Resilience, including Resistance, Retention, Recovery, and Resurgence
     • Structured analytic techniques make it possible to find emergent phenomena and find unexpected resilience enhancements
     • The STRAT process uses threat intelligence to develop organized recommendations for improving system resilience
  22. Learning More
     • https://taurus.blue/strat_guide
     • Thinking in Systems by Donella H. Meadows
     • Business Dynamics: Systems Thinking and Modeling for a Complex World by John Sterman
     • Structured Analytic Techniques for Intelligence Analysis, Third Edition, by Randolph H. Pherson & Richards J. Heuer
     • https://usu.edu/cai