How Zerotrust Network Security Can Enable Recovery From Cyberattacks

Corporate risk managers and security professionals understand that risk is not a problem that can be solved, but rather a process that must be managed. As such, they are constantly searching for new risk mitigation methods and tools in a “cat-and-mouse” game to stay ahead of evolving threats that overtake their ability to manage the threats. Today, within the realm of cybersecurity, a cyberattack from malware is one of those threats.

Late last year, reports surfaced of data breaches at Target, Neiman Marcus and other organizations, making cybersecurity a hot-button issue for most corporate boards, senior executives and government agencies. Incidents like these, targeting retail point-of-sale systems, are believed to be the result of advanced persistent threat (APT) attacks. APT attacks are typically planned and executed by patient hackers over extended periods of time with the intention of stealing or destroying specific data (e.g., customer credit card numbers). Such attacks can remain latent and unidentified as they spread their infection, often surfacing weeks or months after the initial network breach. APTs often start with a brute-force attack designed to steal a privileged user ID and password, or with attempts to trick an employee with privileged system access into opening an email with a viral payload. Once the payload is opened, the infection can then capture the employee’s user ID and password or otherwise access an organization’s information systems to retrieve confidential data or damage computer systems.

Cyberthreats are not unique to the US. In August 2012, Saudi Aramco and Qatari firm RasGas announced that they had been hacked by what would later become known as the Shamoon virus. Ultimately, the Shamoon attack exfiltrated confidential data and then destroyed thousands of user workstations within each firm. It is believed by many experts that the Shamoon virus was introduced onto the corporate networks of these firms by a disgruntled employee or other insider using a thumb drive that was inserted into a computer server from within each company’s data center.

Regardless of the method by which a malware infection is introduced, the consequences of a cyberattack can be significant, both financially and in terms of its impact on the company’s reputation. Given that the number of similar events is expected to grow in the coming years, it is important to revisit the fundamental elements of risk management and ask whether the organization recognizes and responds effectively to the threat of cyberattacks.

Holistic Management of Cyberrisk
The three major elements of risk management, at their most fundamental level, remain constant as they apply to all potential threats, including cyberattacks. These elements include threat avoidance, operational recovery and risk transfer. How management chooses to balance its investment of limited risk capital across these three elements depends on a number of factors. Most certainly, one of these factors is whether there exists a viable and cost-effective control to mitigate a particular component of risk. For example, as of yet, no one has devised a cost-effective avoidance control for mitigating the aftereffects of an exploding dirty bomb. However, investment in operational recovery can relocate critical business and IT resources to another geography that is sufficiently distant from a bombing site in order to enable continuity of business.

As it pertains to cyberattacks, most organizations have allocated their risk capital to preventive threat avoidance controls. Point solutions such as legacy firewalls, intrusion protection devices, virtual private networks (VPNs) and antivirus scanning reflect some of the controls that companies have relied on to fend off cyberattacks. Additionally, an August 2013 study released by Experian showed that 31 percent of companies have purchased some form of cybersecurity insurance, the most common form of risk transfer.1 However, when reviewing current literature pertaining to operational recovery from cyberattacks, one finds very little has been written on the subject. A major reason for this is because there are few controls or countermeasures currently on the market that have been designed specifically for cyberrecovery. This is particularly true for cyberthreats that can remain latent and undetected on a network while they have the ability to compromise the integrity of traditional disaster recovery backups.

Therefore, how does one ensure that a company is properly prepared to rebuild and recover its critical information systems and data in the aftermath of a successful cyberattack? One answer is Cyber DRaaS™ (see figure 1), a publicly available IT reference architecture for cyber Disaster Recovery as a Service (DRaaS) that organizations may implement as an investment in cyberrecovery.

Cyber DRaaS—A Reference Architecture for Cyberrecovery
Cyber DRaaS has two components that are combined to enable cyberrecovery in an organization:

* Cyber DRaaS cloud infrastructure—Cyber DRaaS integrates the Next Generation Firewall (NGF) technology with cloud-based data backup services to create, retain and protect trusted image backups. Trusted images represent base-level backups that will be used to recover critical servers and data in the aftermath of a successful cyberattack. The integrity of trusted images is assured using a combination of end-to-end encryption during data backup, advanced high-performance malware scanning, network-based behavioral analytics that detect malware and data integrity checks within the storage cloud.
* Cyber DRaaS computer event response planning—Cyber DRaaS requires careful planning to enable a competent response to a cyberattack. Effective contingency planning for cyberattacks complement Cyber DRaaS infrastructure investment by delivering computer event response team (CERT)-compliant organizational readiness. This includes a customized set of tactical processes and procedures for identifying and responding to cyberattacks.

The two components of Cyber DRaaS combine to deliver a viable and workable capability to recover from the damage inflicted to critical information systems by cyberattacks. The benefits of Cyber DRaaS are significant when compared to those of traditional disaster recovery strategies. Such benefits include:

* Cyber DRaaS incorporates NGF, a disruptive network security technology that blocks unsecure port-level access while delivering enhanced authentication and authorization security at the application and user-ID levels.
* Cyber DRaaS architecture carries with it flexible deployment options that include phased implementation within an existing fortress/moat network or as part of a fully deployed zero-trust network.
* Cyber DRaaS’s improved security protections enable an organization to establish real-time connectivity between the production network and the Cyber DRaaS backup cloud. As such, Cyber DRaaS represents an alternative to traditional air-gap solutions that many organizations establish to physically separate a production network from off-line trusted images backups.
* Cyber DRaaS reduces the amount of time that will be required to recover from a cyberattack by simplifying the process of recovery and enabling early recognition that an attack has occurred.
* Cyber DRaaS offers a highly secure alternative to traditional data backup architectures that may become the next-generation solution model for production disaster recovery backup.
* For corporate officers and directors, investment in Cyber DRaaS clearly demonstrates due diligence in mitigating the growing threat from cyberattacks, thereby limiting potential liability from shareholder derivative suits.

The NGF is one of several critical components of Cyber DRaaS (see figure 2) because it represents a disruptive technology in network architecture, one that has been described as a firewall on steroids. That is because the NGF integrates common network security point solutions, such as remote access, intrusion protection, token authentication and deep-packet scanning, into a single high-performance device (see figure 3). The NGF also offers stronger access-control capabilities than the current generation of port-based firewalls because authorization occurs at the application and user levels while simultaneously blocking all port-level access. By combining both authentication and authorization, neither one of which offers sufficient protection in and of itself, the NGF virtually eliminates the likelihood of unauthorized intrusion into the Cyber DRaaS cloud to corrupt trusted image backups.

Cyber DRaaS also incorporates two vendor-provided cloud services. The first cloud service includes automated backup and restore functions, offering end-to-end encryption of data from the source server to the destination storage cloud. Backup data are scanned for malware signatures as they pass through the NGF by first decrypting the data to validate their content and then reencrypting the data before transmission into the cloud. The integrity of data stored in the cloud is also periodically checked using hash totaling or other algorithms. Organizations should check with their chosen cloud service provider to understand what service options it provides in terms of frequency of integrity checks, specific hashing algorithms used and encryption alternatives.

The second cloud service includes behavioral heuristics used by the NGF against all data traffic to identify suspect and unknown malware that is then redirected and isolated into a cloud-based sandbox. Once isolated, the malware can be further analyzed to define its signature. Each newly identified signature is then automatically redistributed back to the NGF’s malware signature database, thereby ensuring that scanning profiles remain current as each new threat is identified.

Cyber DRaaS in a Zero-trust Network
Organizations looking for a more advanced architecture for cyberresiliency should consider deploying Cyber DRaaS under what John Kindervag of Forrester Research has termed a zero-trust network (see figure 4). Zero-trust network architecture replaces the fortress/moat model comprised of core, distribution and access layers with an alternative architecture reflecting a hub-and-spoke design. Zero trust places a high-performance NGF cluster at the center of the network to act as a data traffic distribution hub, segmenting the network into isolated work groups. Zero trust also assumes that all data traffic on the network is untrusted. Therefore, all traffic must be scanned for malware and then authorized by the NGF according to a predetermined rule set before being allowed to traverse the network within a work group. As such, Cyber DRaaS can be easily deployed under its own security zone within the zero-trust network architecture to enable secure recovery from any potential cyberattack.

Adoption of the NGF and deployment of a zero-trust network architecture are still in their infancy today as many enterprises remain committed to their existing investments in fortress/moat network defenses and point security solutions. Most enterprises that have deployed the NGF have done so on a limited basis around highly critical applications, such as Payment Card Industry Data Security Standard (PCI DSS) compliance or to protect critical customer databases. This type of limited deployment is precisely how Cyber DRaaS can be implemented under a fortress/moat network to protect trusted images. However, as the frequency and sophistication of cyberattacks continue to increase, organizations may come to see the benefits of enterprise deployment of a zero-trust network model and expand its use to build a more cyberresilient data network.

Cyber DRaaS does not reflect a future theoretical architecture for cyberrecovery, but rather one that can be implemented today with existing technology and proper planning. Therefore, managers who are looking for a strategy to comply with the US National Institute of Standards and Technology (NIST) Cybersecurity Framework requirements for response and recovery, or who are more generally concerned about how they can mitigate cyberrisk, should give due consideration to Cyber DRaaS. By deploying Cyber DRaaS, management will have the tools it needs to proactively respond to cyberthreats before they happen and to recover critical data and information systems from cyberattacks after they occur.

1 “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age,” Ponemon Institute, August 2013, sponsored by Experian® Data Breach Resolution, /innovation/business-resources/ponemon-study-managing-cyber-security-as-business-risk.jsp?ecd_dbres_cyber_insurance_study_ponemon_referral

Eric A. Beck is a cofounder and Principal of Risk Masters Inc., a consulting firm specializing in risk management services. Beck has more than 25 years of business continuity and IT disaster recovery consulting experience across a wide range of clients and industries. Prior to cofounding Risk Masters, Beck led Protiviti’s Northeast US business continuity management (BCM) practice as an associate director. Beck is also a former member of the Deloitte & Touche’s enterprise risk services BCM practice and global BCM leadership team. He can be reached at