The National Institute of Standards and Technology (NIST) cyber security framework core is a set of cyber security activities, desired outcomes and applicable references that are common across critical infrastructure sectors. It consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond and Recover (I-PDRR).
Similarly, the Canadian Government Information Technology Security Policy states that “departments must adopt an active defence strategy that includes prevention, detection, response and recovery (PDRR). Because prevention safeguards will be defeated, departments have to be able to detect incidents rapidly, respond quickly to contain damage, and recover systems and data [from disasters].”
Curiously, the policy directs that “departments must continuously monitor threats and vulnerabilities, and where required, take ‘proactive countermeasures.’” [Note: both active cyber defence and proactive countermeasures are understood in international law to mean ‘offensive operations’, but I doubt whether the authors intended it to be interpreted as such. It is more likely that the text is referring to reactive cyber security functions.]
I-PDRR has been the mantra of cyber security for years. But is it wrong?
Although these are necessary functions within a security framework, one can argue that they are insufficient and omit the most effective cyber defence functions. Nor do they represent an active defence in any sense.
They are, in fact, reactive by definition and establish failure as the starting point of the strategy, thus ensuring disaster continuity rather than business continuity.
This becomes clear if we deconstruct PDRR: protect your network by being notionally compliant with IT security standards, detect that you have been breached, react and respond to the incident, and then recover from the disaster. Wait to be attacked again. Repeat.
The challenge is that, historically, walled gardens have never been successful for security. Similarly, a fortress strategy is always highly susceptible to siege tactics, and static defences will eventually be overrun.
PDRR is all behind the wall.
To borrow another Canadian analogy: PDRR is like putting only a goalie on the ice for an NHL playoff game, and responding only after the puck is in the net. A cyber defence framework needs to field a full team and execute a winning game plan. [See the cyber forechecking article]
Furthermore, an organization will never be able to detect, identify, attribute or target advanced persistent threats (APTs) without good intelligence, an active cyber defence hunt capability and persistent engagement with the adversary. There is nothing in the I-PDRR framework or the policy that will deter an attack or an actor. APTs also operate outside the scope of current IT security standards and of a conventional protective function.
A winning cyber security strategy must include:
Predict - through intelligence and foresighting;
Prevent - by controlling the vital high ground in cyberspace, actively pursuing and engaging the adversary, deploying countermeasures and defending forward; and
Prosecute - through threat reduction activities: denying the adversary freedom of action, degrading hostile operations, or eliminating the actor altogether.