Cyber Security Risk Management and Governance
GCE Program and Posture Overview
Grand Canyon Education (GCE) has invested considerable effort into having an exceptional security program, as well as in helping address the broader cyber crisis society faces, through thought leadership, publication, and academic programs to help bridge the cyber workforce gap. This document will provide an overview of the vigilant security program that protects GCE from intrusion attempts, including the technology, people and processes that have been aligned to prepare for a rapidly evolving threat landscape. This overview will start with a summary of the threat landscape and the key elements of what makes up an effective security program, followed by an outline of security controls and response strategy, and then a walkthrough of our approach to vulnerability reduction and risk management. Note that mention of specific products and other key details has been omitted where it may be of strategic importance to limit disclosure of details that may be helpful to an adversary.
Threat Landscape: Rise of Ransomware as a Service (RaaS)
The topics of intrusion prevention and cyber resiliency have taken the world by storm, as a subject that was once the background chatter of researchers and practitioners has exploded into the foreground, going so far as to disrupt the way of life for society in a real and tangible way. Momentum has built gradually over far too many breaches to name, culminating in the attacks of late such as the ransomware attack that impacted the world's largest meat processor JBS (REvil) and the attack on Colonial Pipeline (Darkside) that led to panic buying of gasoline.
While it has always been difficult to stop a determined and well-funded attacker, at one time most organizations could count on facing only lower-tier adversaries, while the most important (and best funded) organizations deal with the advanced techniques so often attributed to nation state actors. The RaaS and affiliate model has completely upended this notion, requiring practically all organizations to elevate security levels to deal with prevention and response of advanced tools and tactics. This model allows for criminal organizations with very advanced capabilities to develop and provide tools and delivery mechanisms, while much less sophisticated "affiliates" carry out the actual attacks using these platforms. It creates a precarious situation where full-featured frameworks can be used against the full spectrum of companies, schools and local governments with impunity – all the while, providing the true masterminds of these tools and platforms a degree of insulation and sometimes even deniability.
The natural evolution of RaaS and the affiliate model has expanded into a full range of markets including Malware as a Service such as BazarLoader or even Compromise as a Service where one group gains a large number of initial footholds into organizations, before selling this access. We have been broadly labeling this trend as XaaS to cover the full spectrum of bad things available via criminal markets. While these trends require action at every level, ranging from diplomacy and policy at the government level to industry wide actions such as better intelligence sharing, at a tactical level it means organizations need to elevate and evolve security prevention and response capabilities. GCE has taken this very seriously and has made considerable investments to improve security levels, along with contributing research and information to help other organizations along this journey.
Frameworks for Threat Prevention and Response
There are a large number of frameworks and standards available and knowledge can be gained from many of them. However, in our experience those that are practical, and that can be rapidly adapted as the threat landscape evolves, are the most useful. For exactly this reason, our approach is to leverage multiple frameworks combined with active threat intelligence to inform an overarching strategy that is consistently evolving. The most influential framework we use is Mitre ATT&CK, aligned with the CIS20, with secondary consideration given to compliance frameworks such as NIST 800-171 and SOX. We also rely considerably on information from SANS Institute, DHS/CISA and ACTRA.
Anatomy of an Attack
It is our view that the fundamental nature of attack is typically overcomplicated and that the best decisions arise from starting at a simplified view, and then layering in the more detailed attack flows, to build on for appropriate defensive strategies. At the most fundamental level, there are two types of attacks: those that involve a user and those that exploit a system or account without any user interaction. These are very important flows to differentiate because the types of controls and prevention methods required differ; moreover, many organizations excel at preventing one side of this equation, without properly dealing with the other.
Attacks involving user interaction are very salient and well known, in particular for the most pernicious point of entry: the Business Email Compromise (BEC). These initial compromise methods can also involve messaging, chat, malicious ads, apps or other approaches to get a user to either enter credentials in an attacker-controlled resource or to run attacker supplied code. After this point, the flow for attacks involving user interaction often converges back with the attacks that do not require user interaction.
Attacks that do not involve user interaction typically start with an internet-facing resource that is exploited to give an attacker their initial foothold. This foothold could involve web applications, servers, network devices or accounts that allow remote authentication. Sometimes, if the goal is data exfiltration for intrinsic value or for ransom extortion (e.g., CL0P via Accellion FTA), the attacker's goals can be accomplished entirely via the initial resource exploited. However, most of the time the initial compromised application, server or account is just a beachhead for expanded reach to carry out a more complex objective, such as enterprise ransomware delivery. In most modern ransomware attacks the objective is to have complete control of the environment to encrypt all files, incapacitate all systems, take out backups and leak sensitive data to include an extortion component (pay or we release it), which maximizes the potential for a payout. This is a significant advantage for defenders, insofar as it provides many opportunities to identify and contain an attack before the full attack is unleashed.
Irrespective of how an attacker gains the initial foothold, there is a commonality to the Tactics, Techniques and Procedures (TTPs) used to pivot across systems to gain control of an entire environment. For a basic idea of how this works, reference the Lockheed Martin Cyber Kill Chain and for the detailed constructs that inform our strategy at GCE, see the Mitre ATT&CK framework. Generally, most attackers will attempt to move from application to host, escalate privileges on the host and dump the credentials from memory and/or use the permissions of that host to compromise other systems. Their success at this will be a function of what vulnerabilities and misconfigurations exist compounded by control gaps and deficiencies in visibility and response. If vulnerabilities exist alongside limited inspection points and there is a clear path to expand reach in an environment, the attacker wins.
It is also worth noting that modern attack methods take advantage of native tools and resources that most companies need to effectively manage a modern enterprise environment. Projects such as LOLBAS illustrate how attackers may use native capabilities of host operating systems, via frameworks such as PowerShell Empire or compiled scripts, to make lateral propagation and expansion of compromise very difficult to detect, in particular if advanced controls and capable response procedures (DFIR) are not in place. The attack techniques previously considered advanced are now industry-standard due to RaaS/XaaS.
Fundamental GCE Security Strategy
Based upon the aforementioned overview of the threat landscape and typical attacker playbook, here is the foundation of our cybersecurity strategy at GCE:
- Deploy, implement, and refine security controls to prevent initial foothold wherever possible.
- Cultivate a robust security intelligence and response process to rapidly identify and contain attempts to expand a foothold in the environment.
- Combine vulnerability management and environment hardening to reduce attack opportunities.
Key Elements of a Security Program
The strategy outlined is implemented via a robust security program that is formulated to reduce opportunities for exploitation, elevate the capability to identify, respond and contain intrusion attempts, as well as robust technology governance to reduce the overall risk due to factors such as technical debt.
This strategy is realized via a few key programmatic elements:
- Security Controls / Engineering and Architecture
- Vulnerability Management and Risk Management (VM)
- Security Operations and Incident Response (SOC/IR)
- Governance Risk and Compliance (GRC)
Security Controls / Engineering and Architecture
Implementation of modern and effective security controls is the first discipline of any effective security program. As security operations, incident response and vulnerability management evolve, quality security controls will stop at least some intrusion attempts automatically, as other aspects of the program ramp up fully. Of course, even if properly deployed and configured, security products are not a complete solution. That said, they are a very powerful foundation that an organization can build upon while other processes reach full maturity, and a continuous edge even once full maturity is realized.
Web Application and Network Protection (edge defense)
GCE has implemented a robust and layered defensive strategy for stopping inbound web and network-based attacks. At the outer edge, a cloud-based Web Application Firewall (WAF) has been deployed that also mitigates Denial of Service (DDoS) attacks. There are then multiple layers of firewalls and detective controls to stop or at least identify intrusion attempts bypassing the WAF. Finally, internal segmentation has been scoped to introduce obstacles to propagating laterally within the environment.
Email Security (edge defense)
The email security strategy includes multiple layers, starting with reputation validation, sandboxing, link protection and automated response actions. Also, regular security awareness broadcasts and mock phishing campaigns are sent to help improve user behavior. Finally, robust processes are in place for reporting of suspicious messages and for abuse mailbox response and management.
Host and Account Protection (core defense)
A modern, multi-vendor defensive strategy has been implemented to protect endpoints and accounts against attacks via malware, scripting, or account compromise. These solutions include technologies such as Next Generation Anti-Virus, Endpoint Detection and Response, Scripting and Application Control, Multi-Factor Authentication, Conditional Access, Host Firewall, and Endpoint Threat Prevention, among other capabilities.
Security Intelligence and Advanced Detection
The notion that a capable adversary can be absolutely repelled from intruding upon even the most protected environments has become universally viewed as naïve. And the idea that advanced threats can be absolutely repelled from organizations that constitute the midmarket space is simply absurd. Success is not about where along the kill chain an attack is stopped, so much as it is a matter of stopping as many attacks as possible before they reach the phase of accomplishing their objectives. Once the foundational technologies and processes are in place, this comes down to a matter of excellence in the areas of Intelligence (CTI), Security Operations, and Incident Response. Sometimes forensics capabilities can also be very useful, on one hand to figure out when a battle is over, on the other to determine if you succeeded or not. In conventional warfare, it is often obvious who won a given battle; in cyber, even distinguishing success from failure can be a considerable undertaking.
At GCE, we view Security Intelligence (CTI), Purple Teaming, and Threat Hunting as critical functions that represent a cornerstone of our strategy. Considerable effort has been invested into log management, security intelligence and workflow prioritization for the SOC and Incident Response (IR) teams. The technologies underpinning these measures include an advanced security intelligence platform (SIEM+), a Network Detection and Response (NDR) technology stack and a User Entity Behavior Analytics product (UEBA). All of these technologies and corresponding response processes have been in place and evolving for 3-5 years, placing us above the clouds of the initial "figuring it out" phase all organizations undergo. While this puzzle is never completely solved, the team performing these functions at GCE has produced multiple publications and conference talks on related topics, showing an enthusiasm for helping contribute to the evolving thought process on how organizations should defend against an evolving threat landscape.
Vulnerability Management and Risk Mitigation (VM)
The most fundamental principles of Vulnerability Management indicate that we should continually scan/assess, update vulnerable software, and select/implement secure configurations. While this is optimal, no significant organization is known to have succeeded at these goals in an absolute sense. That is, of course, where the Risk Management aspect comes into the equation. While there may be a myriad of things wrong, not all of them are of equal importance. What systems are most important, what vulnerabilities exist therein, and how can they be remediated?
There are a few layers where vulnerabilities can be found:
- Application Layer
- Infrastructure Layer
- Account and Access Layer
- Human Layer
GCE employs eight different technologies to find vulnerabilities, across the layers ranging from application, down to the system and account layers. These vulnerabilities are prioritized based upon metrics that feed into expected probability and impact, making it easier to prioritize key improvements and projects. The unified view of vulnerabilities across the layers, combined with SOC/IR/CTI metrics showing what is being attacked, provides a profound insight into the true level of risk an organization faces. At the most fundamental level, VM is about learning what is most vulnerable and facilitating conversations to make improvements and reduce the risk.
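An added illustration (not GCE's own tooling or scoring model) of the probability x impact prioritization described above: findings from the four layers are scored on a common scale, and the SOC/IR/CTI signal that a weakness is actively being attacked raises its probability term. All weights, layer names, asset names and findings below are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed scoring model for the probability x impact prioritization the
# overview describes. Weights, layers and sample findings are assumptions,
# not GCE's actual tooling or data.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}
LAYERS = {"application", "infrastructure", "account", "human"}

@dataclass
class Finding:
    finding_id: str
    layer: str              # one of LAYERS
    asset: str
    severity: float         # 0-10, e.g. a CVSS base score
    exposure: str           # key of EXPOSURE_WEIGHT
    asset_criticality: int  # 1-5 from the asset inventory
    attacked: bool = False  # SOC/IR/CTI telemetry saw this weakness targeted

def probability(f: Finding) -> float:
    """Likelihood of exploitation, 0-1: severity scaled by exposure, boosted
    when SOC/CTI telemetry shows the weakness is actively being attacked."""
    base = (f.severity / 10.0) * EXPOSURE_WEIGHT[f.exposure]
    if f.attacked:
        base = min(1.0, base * 1.5)
    return round(base, 3)

def impact(f: Finding) -> float:
    """Business impact, 0-1, from how critical the affected asset is."""
    return f.asset_criticality / 5.0

def risk_score(f: Finding) -> float:
    """Expected risk = probability x impact, 0-1."""
    if f.layer not in LAYERS:
        raise ValueError(f"unknown layer: {f.layer}")
    return round(probability(f) * impact(f), 3)

def prioritize(findings):
    """Unified view across all layers, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings, one per layer.
SAMPLE = [
    Finding("APP-1", "application", "student-portal", 7.5, "internet", 5),
    Finding("INF-1", "infrastructure", "build-server", 9.8, "internal", 3),
    Finding("ACC-1", "account", "svc-backup", 6.0, "internal", 5, attacked=True),
    Finding("HUM-1", "human", "finance-team", 4.0, "internet", 4, attacked=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.finding_id:6} {f.layer:15} risk={risk_score(f):.3f}")
```

Note that the internal build server with the highest raw severity ranks last in this sample, which is the point of the unified view: exposure, asset criticality and observed attack activity matter as much as the scanner's severity.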
Security Operations and Incident Response (SOC/IR)
Once robust controls are in place, it really comes down to response capability. Going back to 2013, FireEye detected the malicious BlackPOS activity that led to the groundbreaking Target breach; it was a lack of proper response capability that turned that detection into a massive breach. In any modern environment that is frequently targeted, it is safe to assume an initial foothold will be achieved on a regular basis. If the security controls aspect of a program has been successful, there should be many impediments to compromise expansion. And, if the intelligence process has been effective, there should be many alerts as attackers try to expand their reach. If the response process is effective, a skilled team is investigating and containing attacker efforts at every step.
Our Security Operations (SOC) and Incident Response (IR) team has expanded reach and capability dramatically over the years from being quite basic, to being called on by many third parties for advice on incidents and strategy decisions on a regular basis. The continuous barrage of attacks we receive has helped to refine and sharpen our team with real-world data to inform our overall strategy. Our team also regularly participates in competitions to refine our capabilities, ranging from Splunk Boss of the SOC (BotS) to invite-only international CTF events.
Governance, Risk and Compliance (GRC)
Sometimes, the most effective way to improve a situation is to deal with the root causes for the most common failure modes. While security controls can stop many attacks, vulnerability management can reduce the attack surface and an effective response can avert many crises. At the end of the day, the highest returns are realized from preventing high risk situations before they materialize in the first place. A mature GRC program will ensure appropriate technology governance is in place, risks are appropriately managed, and compliance is maintained as a normal part of the technology lifecycle. These fundamental best-practices reduce technical debt, clean up an environment over time, and elevate visibility to risks facilitating their ultimate resolution.
At GCE there is a mature review process where GRC is a part of the initial procurement and project review process. If something deemed high risk is proposed or requested, the team is engaged, and everyone comes to the table to figure out a way to achieve business objectives in a way that is secure and compliant. As a security and risk team, it is counterproductive to be the "No" people. Instead, our approach is to understand the business objective and partner to find a way to accomplish key objectives in a safe and secure manner. The GRC team has facilitated some of the most important holistic risk reductions achieved in recent years.
Summary of Outcomes at GCE
While the threat landscape has unleashed a continuous barrage of attacks, we have been fortunate to not have any material breaches or compromises that we are aware of to date. It is impossible to prove a negative and thus we cannot ever know for certain that our efforts have been completely successful. That said, we have been fortunate to detect and repel many intrusion attempts without any reason to believe sensitive data or availability have been compromised.
While our security program has produced many exceptional outcomes, we are always striving to improve and will work to progress in response to the evolving threat landscape. Our commitment is to deploy superior solutions, implement adaptive response processes, and continually reduce risks to improve our resiliency to cyber-attack. Together we can collaborate to reduce the risk of Ransomware as a Service (RaaS) and other advanced threats.