“Cyber agility isn’t just about patching a security hole; it’s about understanding what happens over time. Sometimes when you protect one vulnerability, you expose yourself to ten others.”
– Jose Mireles, U.S. Department of Defense
Academics at the University of Texas at San Antonio (UTSA) recently developed the first cyber agility framework that scores the agility of cyber attackers and defenders. The cyber agility framework was conceived to expose and act in response to intensifying cyber-attacks. It’s believed that having formal metrics will help cyber professionals to understand the attacks better.
Jose Mireles, who now works for the U.S. Department of Defense, co-developed the cyber agility framework as part of his UTSA master’s thesis. Mireles explains, “In car crashes, we understand how to test for safety using the rules of physics. It is much harder to quantify cybersecurity because scientists have yet to figure out what are the rules of cybersecurity. Having formal metrics and measurement to understand the attacks that occur will benefit a wide range of cyber professionals.”
“The cyber agility framework is the first of its kind and allows cyber defenders to test out numerous and varied responses to an attack,” says Professor Shouhuai Xu. “This is an outstanding piece of work as it will shape the investigation and practice of cyber agility for many years to come.”
“The DoD and U.S. Army recognize that the Cyber domain is as important a battlefront as Ground, Air and Sea,” adds Purush Iyer, Ph.D. Division Chief, Network Sciences, Army Research Office. “Being able to predict what the adversaries will likely do provides opportunities to protect and to launch countermeasures.”
While the cyber agility framework developed through UTSA is geared toward evaluating state-sponsored, large-scale cyber-attacks and is meant to help prepare the military for cyber terrorism and war, there is an important lesson to be taken from the framework’s development for the business community. The framework’s use of metrics and measurements to evaluate vulnerability and success can easily be applied to an organization’s cybersecurity.
The following three cybersecurity metrics should help your company gain a more comprehensive understanding of where you fall when it comes to proactively mitigating cyber risk – or, in other words, how cyber agile you are.
- Amount of botnet infections per device over a select period.
This is a cybersecurity metric that every company should monitor. By tracking how many and what types of botnet infections have taken place across your network you can better prepare for these types of attacks and better prepare your cyber defence. A botnet is defined as several Internet-connected devices, each of which is running one or more bots. Botnets can be used for a variety of malicious activities: to perform distributed denial-of-service attacks, steal data, send spam, and, of course, allow the attacker to access the device and its connection. Once instructed, the botnets fulfill the action like a swarm of robots.
The cumulative number of unprecedented attacks on clients registered by Botnet Monitoring technology in 2018 fell by 23.46 percent against the previous year (from 20 009 attacks in 2017 to 15 314 in 2018). At the same time, 39.35 percent of the botnet attacks in 2018 were new.
If your organization can successfully track this metric, your ability to reduce the detection deficit will improve. As more IoT devices become connected and with the deployment of 5G speeding up the rate of connections – monitoring for botnets will become increasingly more important. The faster your team can identify a security breach or threat incident and repair it, the less likely you are to have something devastating happen to your company. If you’re able to keep the amount of time between detection and response as close to zero as possible, the threat actor will be less likely to get a foothold in your organization, and your company will be in far greater shape.
The problem is, many organizations don’t just have a gap of minutes between the detection and the fix —sometimes the detection deficit is days, weeks, or months long. However, through closely monitoring the amount and type of botnet infections and the time it takes you to remediate them, you’ll be taking necessary steps toward reducing your company’s detection deficit.
- The percentage of personnel with user access who are monitored.
Two essential questions to ask: Who has full network access? Do they need full network access to do their job?
As the number of employees who have the cyber keys to the kingdom – or unlimited network access – increases, so too does your cyber vulnerability. Hacked passwords account for 81 percent of data breaches. Whether a disgruntled current or former employee has chosen to go to the dark side or a threat actor is taking advantage of an employee’s credentials and privileges, knowing who has access to what and monitoring individuals for internal and external security concerns is an important metric. Also, this offers you insight in determining whether you’re providing too many individuals with unlimited network access and where you can reduce privileges.
In addition to this, you should know the number of days it takes to deactivate former employee credentials. Ideally, the user access of terminated employees from the company should be cancelled immediately.
- Continuously monitor and assess third parties.
Traditional vendor risk management practices only offer you a snapshot view of a vendor’s security posture at a single point in time. Even if you perform audits, penetration tests, and vulnerability scans, you still won’t know what’s going on with your vendors’ cybersecurity daily. However, continuously monitoring vendors’ risk allows you to look at the third parties you’ve deemed as critical.
You must maintain strict control and monitor the cybersecurity metrics of the vendors and partners that provide services for your business. Giving access to your network environment can be a considerable risk if that company doesn’t have effective cyber policies in place. Supply chain attacks, which use loopholes in third-party services to strike at a target, increased 78 percent between 2017 and 2018. With such vast increases in supply chain cyber-attacks, knowing how safe the third parties are before giving them access is vital.
Also, when network access is granted to third parties to complete a project, it’s important to monitor whether the access is cancelled at the end of service provisioning.
If you’re not already, start monitoring these three cybersecurity measures right away. Mapping all the critical systems for the company and knowing the internal and external users that can (and do) access them is imperative in the context of cybersecurity. Create your own agility framework and measure your threats and responses – it’ll help you identify your company’s vulnerabilities and improve your company’s cybersecurity.