Keeping a notion of an “adversary” and more of an OODA-mindset lies at the core of managing human-made incidents whether they’re digital or physical. In the case of battling nature, I think that knowing physics and any kind of *science* is what can drive an advantage in how critical event managers think.
The strong interconnectedness of digital-to-digital and physical-to-physical and all the various ways they intersect is what results in complexity. I like to think that the goal of managing complexity is to reduce it to what’s truly just complicated (i.e. understandable) versus truly complex (i.e. not-understandable). And then tackle what’s complicated, first.
Lockheed Model: Cyber Kill Chain
Mental model of hacker
- Command and Control
- Actions on Objectives
Nodes in a graph structure
Mitre Model: ATT&CK (Adversarial Tactics, Techniques and Common Knowledge)
Mental model of hacker
- Initial access
- Privilege escalation
- Defense evasion
- Credential access
- Lateral movement
- Command and control
Zero Trust Model: ZTA (Zero Trust Architecture)
Removes the idea of protecting a castle with a moat, and assumes that the blurred boundaries of a network and service providers already has adversaries present. So the goal is to shrink trust zones around a specific role to minimize their potential negative impact. Core components of ZTA include:
- Enterprise identities and devices: First, let them in with authentication.
- Trust Verification Systems (Policy Decision Points (PDP) & Policy Enforcement Points (PEP) and policy engine): Second, determine your confidence level for them based on their device, time of day when connecting, and anything outside a normal pattern.
- Enterprise Resources: Anything to be protected like data, applications, devices, etc.
Seven basic tenets of ZTA:
- “All data sources and computing services are considered as ‘resources’
- All communication is secured (internal or external)
- All access is provided ‘per-session’
- Access is provided based on a dynamic risk-based policy
- All devices should be in the most secure state possible. They should be monitored for this
- Dynamic authentication and authorization is strictly enforced before granting access
- Collect as much information about the network and infrastructure as possible”**
References: https://csrc.nist.gov/publications/detail/sp/800-207/final and **https://cisomag.eccouncil.org/zero-trust-nist-800-207/