What is your most important line of business or function of your agency? What are your crown jewels (as another author here wrote)? What is the risk to those? What does the enemy want to achieve? This is just the starting point of protecting your agency or business. Today, it is important to create a threat-aware proactive defense around your Cyber Key Terrain (C-KT) and manage the risk per line of business or agency function. There are people in every organization who look across the enterprise and worry about the security of everything. That isn't enough anymore. That is old-school perimeter defense or defense-in-depth (all necessary but not sufficient). You need to create a defense strategy around your key terrain.
Many people believe that RISK = THREAT*VULNERABILITY, but a better way to understand the risk to your organization, and hence to focus your defenses, is to factor in the CRITICALITY of all assets supporting each function and the impact of losing each asset once you account for the RECOVERABILITY of that asset (e.g., do you have functional redundancy, a hot backup, or a restore capability; an asset that is hard to recover scores higher, because its loss costs more). Risk = Criticality * Vulnerability * Recoverability * Threat, where THREAT considers both the enemy's intent and the access he has to each asset (e.g., is it in the DMZ or on a closed network).
Proactive Defense needs to be about each business area or agency function. This allows you to tailor your defenses and shape your network flow to what is needed, making it a lot harder for the adversary. Once you identify the top 1-5 functions, you can build a Mission Impact Model for each one that shows all the assets that function depends on (e.g., servers, databases, routers, computers, users). Once you define the C-KT for your top-priority business function or mission (this applies to the military as well), you need to be able to find all of those assets on your network map. Then you can develop a cyber protection strategy (i.e., a risk mitigation strategy) for that function. For example, you limit access to certain types of users over limited protocols. You lock down certain databases, ensure encryption, or create subnets on your network to protect the key assets identified by the RISK = C*V*R*T analysis. You create special monitoring for deviation from the required flow, and those deviations generate priority alerts.
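As an added example (not code from the article or its author), here is what the two steps above look like in working code: a Mission Impact Model for one constructed business function ("payroll"), each supporting asset scored with Risk = C*V*R*T, the C-KT taken as the top-scoring assets, and a required-flow check run over a few constructed flow records that raises P1 alerts for deviations reaching key terrain and P2 for deviations reaching the function's other assets. The asset names, 1-5 scores, flow allowlist and log lines are all assumptions made for illustration; the recoverability factor is scored as recovery cost (higher = harder to recover) so that every term increases risk, and THREAT is modelled as intent times access.

```python
"""Added example: a Mission Impact Model scored with Risk = C*V*R*T and a
required-flow monitor that raises priority alerts for deviations.
All asset names, scores and flow records below are constructed for
illustration, not taken from the article."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int    # 1-5: how badly the function degrades if this asset is lost
    vulnerability: int  # 1-5: known weaknesses / patch state / hardening
    recovery_cost: int  # 1-5: difficulty of recovery (1 = hot standby, 5 = no restore path)
    intent: int         # 1-5: how much the adversary wants this asset
    access: int         # 1-5: how reachable it is (5 = DMZ / internet-facing, 1 = closed network)


def risk(asset: Asset) -> int:
    """Risk = Criticality * Vulnerability * Recoverability * Threat.

    THREAT is modelled as intent * access. The recoverability term is scored
    as recovery cost (assumption: higher = harder to recover) so that every
    factor pushes the score in the same direction."""
    threat = asset.intent * asset.access
    return asset.criticality * asset.vulnerability * asset.recovery_cost * threat


# Mission Impact Model: business function -> assets it depends on (constructed).
MISSION_MODEL: Dict[str, List[Asset]] = {
    "payroll": [
        Asset("payroll-db",      5, 3, 4, 5, 2),
        Asset("payroll-app",     5, 4, 2, 4, 4),
        Asset("hr-workstations", 3, 4, 1, 3, 3),
        Asset("core-router",     4, 2, 2, 2, 3),
        Asset("public-web",      1, 4, 1, 2, 5),
    ],
}


def rank_assets(function: str) -> List[Tuple[str, int]]:
    """Score every asset behind a function and rank them, highest risk first."""
    scored = [(a.name, risk(a)) for a in MISSION_MODEL[function]]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def key_terrain(function: str, top_n: int = 2) -> Set[str]:
    """C-KT for the function: the top_n assets by C*V*R*T score."""
    return {name for name, _ in rank_assets(function)[:top_n]}


# Required flows per function: (source zone, destination asset, protocol/port).
# Any flow into a modelled asset that is not listed here is a deviation.
REQUIRED_FLOWS: Dict[str, Set[Tuple[str, str, str]]] = {
    "payroll": {
        ("hr-workstations", "payroll-app", "tcp/443"),
        ("payroll-app", "payroll-db", "tcp/1433"),
        ("backup-server", "payroll-db", "tcp/1433"),
    },
}

# Constructed flow records: "<timestamp> <src-zone> <dst-asset> <proto/port>".
SAMPLE_FLOWS = [
    "2024-05-01T09:00:01Z hr-workstations payroll-app tcp/443",
    "2024-05-01T09:00:05Z payroll-app payroll-db tcp/1433",
    "2024-05-01T09:01:10Z hr-workstations payroll-db tcp/1433",
    "2024-05-01T09:02:30Z public-web payroll-app tcp/22",
    "2024-05-01T09:03:00Z public-web core-router tcp/22",
]


def check_flows(function: str, records: List[str], top_n: int = 2) -> List[dict]:
    """Compare observed flows with the required-flow set and raise alerts.

    Deviations that reach key terrain are P1; deviations that reach any other
    asset in the function's model are P2. Flows to destinations outside the
    model are ignored here (they belong to some other function's review)."""
    allowed = REQUIRED_FLOWS[function]
    modelled = {a.name for a in MISSION_MODEL[function]}
    ckt = key_terrain(function, top_n)
    alerts = []
    for line in records:
        ts, src, dst, proto = line.split()
        if dst not in modelled or (src, dst, proto) in allowed:
            continue
        alerts.append({
            "time": ts,
            "flow": f"{src} -> {dst} {proto}",
            "priority": "P1" if dst in ckt else "P2",
        })
    return alerts


if __name__ == "__main__":
    for name, score in rank_assets("payroll"):
        print(f"{name:16} risk={score}")
    for alert in check_flows("payroll", SAMPLE_FLOWS):
        print(alert)
```

With these constructed scores the ranking puts payroll-app (640) just ahead of payroll-db (600); the app is less critical to recover but far more exposed. The direct workstation-to-database connection and the SSH attempt from the public web tier both hit key terrain and come out as P1, while the SSH attempt against the core router is a P2. The numbers matter less than the shape of the exercise: every factor is scored per asset per function, and the monitoring is driven by the same model, so an alert's priority already reflects what the function stands to lose.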
Every agency or business should have Elite Cyber Protection Teams (ECPT) that rotate from one key function or line of business to another. The ECPT creates or revises the C-KT for that function, analyzes the risk for that function, develops the risk mitigation strategy for that function and works with the enterprise security team to implement it. The ECPT then moves on to the next function or line of business. This strategy maintains focus.
In training the military CPTs, we use this approach. We create realistic Virtual Clone Networks of an entire Joint Military Base with a synthetic internet, fake users who click on links, do email and whatever other job they normally do, and emulated adversaries. We create a list of prioritized missions and teach the elite CPTs to define the C-KT and develop risk mitigation strategies. Then we test the team (using metrics derived from the NIST Cybersecurity Framework) against emulations of real world threat actors. The teams can see how well their risk mitigation strategy would work against APT-28 or Deep Panda or Cyber Snake. They learn how important threat intelligence data is to guide their understanding of the enemy and fully contain and eradicate the adversary.
We need to take the next step in cyber defense by creating Elite Cyber Protection Teams that properly understand the "crown jewels" and focus on them, using threat intelligence to guide them. It's not just about preventing a breach; it is about assuming a breach and defeating it by understanding the risk to your key terrain.