How to create effective cyber strategy

The task of crafting or revising cyber strategy is one that keeps many consultants and chief security officers up at night. The process might be intense, but the underlying fundamentals are straightforward.

1. Know yourself, know your business, know the battlefield

When I joined my unit in July of 2002 the President had declared major combat operations (in Iraq) over. Soon it became apparent that meant we were no longer fighting a uniformed enemy. The Iraqi Army may have surrendered, but now we were fighting an insurgency. The tactics, techniques, and procedures we used to fight a uniformed force were no longer applicable. To succeed we had to assess our unit’s capabilities (know yourself) in light of our mission (know your business), and understand the face of the new enemy (know the battlefield).

Cookie cutter strategies do not work. Each business is a different entity with a unique culture, mission, and even enemies. Security procedures used at Rack Space might not function at Bank of America or vice versa. Security strategies are a unique reflection of the risks, regulatory compliance requirements, business processes, and organizational culture within your firm.

2. Secure your human resources

The people we trust the most (our employees) often present the greatest danger. They already have the authorization and access an attacker needs to gain their first foothold. In 2015, SANS Institute reported over 50 percent of surveyed professionals believed negligent insiders posed the greatest threat. In 70 percent of cases, the initial compromise is only a staging point. The first compromise allows the attacker to get closer to their actual target, a secondary victim.

The Target breach provides us with an excellent example of this strategy. Hackers exploited Target’s HVAC vendor using a form of social engineering known as phishing. The Citadel malware allowed the criminals to steal credentials to Target’s web-based vendor services. Now the attackers were on the inside and virtually undetectable. Why were they undetectable? They were using the credentials of an authorized user and all due to the negligent actions of a business partner who fell prey to social engineering.

The 2015 Verizon Data Breach Investigations Report estimates 23% of recipients open a phishing email and 11% click to open attachments. 50 percent do so within one hour of receiving the email. Considering, most cybercrime syndicates are run similar to legitimate businesses this is very revealing. They coordinate their actions based on ROI (return on investment) and target their victims based on risk and potential impact. Social engineering schemes (especially phishing) are low cost and require very low success rates to gain access to your network infrastructure.

Lance Spitzner (Training Director, SANS Securing the Human) says, “one of the most effective ways you can minimize the phishing threat is through awareness and training.” Spitzner estimates that you can reduce the success rate (the number of people that fall victim to such emails) to less than 5%. In the process, you create a stable of human sensors to supplant your technology. Ellen Powers, of the MITRE Corporation, estimates their human sensors detect approximately 10% of advanced phishing attacks.

3. Assume you’re already compromised

Passive technologies and processes provide limited situational awareness. Certification and accreditation are focused on making sure new technologies (or upgrades to existing technologies) are properly configured and tested. Likewise continuous diagnostics and mitigation (CDM) focuses on “fixing known cyber flaws”. Technicians then perform mitigation based on their organization’s unique risk profile.

Neither of those processes actively hunt for attackers already embedded with your infrastructure. They will not find someone who uses authorized credentials to access your network. Also, consider less than 25% of organizations detected compromise within days or less. Contrastingly 60% of the time an attacker compromised a victim in less than an hour.

Unless you have definitive proof, you’re not compromised you should operate under the assumption of compromise.

4. A sound cyber strategy is intertwined with business strategy

In a recent blog post, I outlined the importance of understanding your business and effective communication. As cyber leaders and technicians, we have to learn to communicate according to the bottom line. The bottom line translates into understanding how a particular strategy supports the core business processes of the organization. In the military, we used to speak of combat multipliers. Those actions that would support the unit’s core mission such as troop health readiness, vehicle maintenance, wills, and powers of attorney.

You must be able to demonstrate how your proposed strategy directly supports the organization’s overall strategy. Until then your priorities and the priorities of the C-suite will never be the same.

There is no easy way to create a sound cyber strategy. It requires a detailed analysis of your entire firm. And it also requires a team effort. Stakeholders from every facet of the business should be working alongside your information security personnel. It should be a reflection of the unique culture, risk profile, and core business strategy with your firm. Cookie cutter solutions don’t work!