On July 3, the public comment period closed for the U.S. Cybersecurity and Infrastructure Security Agency's proposed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) reporting rules, announced earlier this year. Below, I'll discuss what CIRCIA means to organizations covered by these rules, the reason for its focus on critical infrastructure, and how organizations can prepare to meet its reporting requirements. I'll also explore how breach and attack simulation (BAS) programs can help organizations not only comply with the rules, but also prepare for future threats and regulations with new simulation, incident response, and reporting capabilities.

The rules apply to a broad array of entities across the 16 critical infrastructure sectors defined by CISA, including energy, water, transportation, healthcare, and financial services, among others. They require covered organizations to report ransomware payments to CISA within 24 hours and all covered cyber incidents within 72 hours. In areas such as the confidentiality of shared cyber attack information, CISA commits to releasing such information only as anonymized, aggregated data within quarterly reports. CISA anticipates CIRCIA will affect more than 316,000 entities, result in around 210,525 reports, and cost critical infrastructure providers an estimated $2.6 billion in rule familiarization, data and record preservation, and reporting expenses. But such rules will force the discipline necessary for CISOs to implement a more proactive approach to security, one focused on developing a continuous understanding of the efficacy of their security tools and their vulnerability to security events, which in turn will allow them to take action faster and engage government partners in a more timely manner.

CIRCIA should be understood within the context of the rising waves of government regulation, growing legal liabilities, and insurance costs commensurate with the scale and seriousness of today's nation-state cyber threats to our critical infrastructure. We have substantial evidence from governments and private sector threat researchers that nation-state threat actors are attempting to compromise and pre-position cyber-attack infrastructure within U.S. and allied critical infrastructure systems. Any nationwide effort to detect, contain, and recover from cyber attacks on U.S. critical infrastructure would require speed in situational awareness and greater visibility into the nature and scope of an adversary's offensive cyber operations. Without visibility into cyber incidents across critical infrastructure sectors, it will be very difficult for the government, private sector operators, and the threat research community to understand and pre-empt future attacks, let alone coordinate effective responses to minimize impact during major incidents. CIRCIA's enhanced reporting obligations have the potential to drive greater transparency, accountability and, ultimately, much-needed improvements in cyber readiness and resilience across all U.S. critical infrastructure sectors.

To prepare for the reporting to come, CISOs must engage with legal, risk-management, and security teams to understand CIRCIA's requirements, assess their cybersecurity postures, and implement robust detection, simulation, and reporting mechanisms. Those essential preparations cannot be effective if information sharing fails to provide threat data specific to their critical infrastructure sectors and specific functions within those sectors. Ultimately, no organization can effectively prepare for future cyber attacks if it lacks an understanding of the threats specific to its sector and their potential implications for its business. In this regard, the CIRCIA rules could prove an important step in opening a floodgate of shared security-controls-efficiency data specific to critical infrastructure providers and the life-supporting systems they operate. When given access to this type of information, organizations can evaluate their performance across different security control categories via side-by-side comparisons of blocked-percentage scores and proactively identify areas for improvement to bring them more in line with industry-standard performance. Such improvements begin with providing SOC teams a clear understanding of how security controls detect, prevent, and mitigate attacks across the entire cyber kill chain. Increased reporting will likely enable CISOs to better prepare for cyber attacks through attack simulations trained on a much larger body of threat intelligence. This development, when combined with a comprehensive BAS program, will empower organizations to achieve their objectives of becoming more proactive in cyber defense, more efficient in risk reduction, and better informed to report on such matters to their executive teams and boards.

Breach and attack simulation solutions can play an important role in helping critical infrastructure organizations prepare for and comply with these rules, as well as prepare for future assessments and audits. BAS solutions are designed to safely and continuously run real-world attacks—based on the tactics, techniques, and procedures (TTPs) used by cyber adversaries—against an organization's production applications and infrastructure to validate how its security controls are performing and identify gaps before attackers do. To prepare for future attacks, organizations can use BAS to simulate real-world attacks against their security ecosystem, recreating attack scenarios specific to their critical infrastructure sector and function within that sector, including specific TTPs. It can also be used to develop cyber risk mitigation and incident response plans that strengthen defenses and better prepare organizations to fend off future attacks. The most effective BAS solutions are continuously and quickly updated with new cyber threat information, including the latest content from US-CERT and FBI Flash alerts. A notable example can be found in the recent US-CERT alert on the indicators of compromise (IOCs) and TTPs for Akira Ransomware, disclosed by the US FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL). BAS enables organizations with a profile similar to the victims of Akira Ransomware to incorporate information from such disclosures into their simulations and, in doing so, regularly validate their security controls—at scale and in a production environment—to ensure optimal performance against this and other new and evolving cyber threats.

For instance, a global financial services firm recently used BAS to validate the end-to-end efficacy of its security tools, alert and detection systems, and incident response workflows. It also integrated both its ticketing system and its security information and event management (SIEM) system with the BAS platform to determine whether its detection mechanisms and alert notifications were operational, effective, and capable of identifying and responding to specific security events.

While CIRCIA presents a tremendous opportunity to operationalize intelligence in their defense, forward-looking operators will also take the initiative to implement solutions and processes that prepare them for greater scrutiny of their cyber readiness from regulators and cyber insurance auditors. These priorities require BAS platforms that can identify risk exposure with security scores, establish benchmarks against which improvement is measured, and help communicate progress over time through personalized reports that define investment priorities. Reports can also provide important security posture assessments that allow CISOs to measure their baseline, track improvement over time, and align security program reporting, KPIs, and investments with business goals.

Finally, if an attack does occur, BAS frameworks can assist organizations not only in reporting the details of the incident, but also in identifying weaknesses that may have contributed, providing remediation advice, and retesting the resilience of the environment to ensure any gaps are closed.

Cyber Defense Magazine - The Premier Source for IT Security and Compliance Information.
This Cyber News was published on www.cyberdefensemagazine.com. Publication date: Tue, 01 Oct 2024 12:43:05 +0000