
DoD introduces CORA program

Following a years-long effort to move away from a cybersecurity inspection mindset focused on compliance, the US Department of Defense (DoD) announced the formalization of this shift to a focus on operational readiness through the launch of the Cyber Operational Readiness Assessment (CORA) program.

A new model for mission assurance

The Joint Force Headquarters-Department of Defense Information Network (JFHQ-DoDIN), a subordinate headquarters under US Cyber Command (CYBERCOM), is responsible for protecting and defending the DoD’s network globally. CORA replaces the Command Cyber Readiness Inspections (CCRIs) that the DoD has used for more than a decade, and JFHQ-DoDIN considers it a more agile way of measuring cyber readiness than its predecessor. For example, CORA uses a multifactor risk calculus to determine which DoD organizations get assessed and when, so some bases and commands might undergo CORAs multiple times a year, whilst others might go for several years without being assessed.

One of the biggest differences, though, is that under the CORA process site visits will no longer be pass-fail tests.

By focusing on operational mission assurance rather than tick-box compliance, the CORA model gives commanders a better understanding of risk to the DoDIN, allowing them to focus their assessments and mitigation efforts on existing threats.

“CORA assessment provides commanders and directors a more precise understanding of their high-priority cyber terrain and their overall cyber security and defensive posture.”

Lt. Gen. Robert Skinner, commander of JFHQ-DODIN

Using ATT&CK to focus remediation

To calculate the vulnerability and risk of a specific DoD organization or network segment, CORA assessment teams will use a mix of intelligence data and cyber threat information based on MITRE ATT&CK. Used by cyber defenders worldwide to protect information systems and to hunt malicious actors, ATT&CK is a knowledge base of the known tactics, techniques and procedures (TTPs) adversaries use to attack networks and exploit vulnerabilities.

CORA prioritizes ATT&CK as a means of analyzing and determining a DoD organization’s risk exposure to TTPs that could enable an attacker to gain initial access or engage in privilege escalation, lateral movement and data exfiltration within the DoDIN.

By focusing on a network’s susceptibility and vulnerability to known and commonly employed exploits, CORA enables commanders to direct their remediation efforts towards those critical issues that represent the greatest risk to the mission.

Continuous monitoring as a cornerstone

Performing risk-based assessments is certainly a step in the right direction. But to ensure a true, ongoing state of operational mission assurance, continuous monitoring must be a foundational element of the DoD’s cyber assessment strategy. This is why Lt. Gen. Skinner described CORA as a cornerstone of the DoD’s goal of continuous holistic assessments. “CORA is a vital aspect of continually understanding our cyber readiness through fusing many risk factors including access control, detecting anomalies, adjusting to adversary threat information, and executing cyber orders,” Skinner said.

CORA will no doubt strengthen the cybersecurity foundation across all DoD networks. It will enhance the operational resilience of the DoDIN by informing commanders and directors of their risk exposure and highlighting where and how to harden their information systems based on extant threats.

From the perimeter to the interior

While much of the focus of CORA is on the boundary and securing perimeter devices that have a direct interface to external information systems, assessing and maintaining security in the network interior remains equally critical. This is where, once an adversary has gained access to a network, the attacker has the potential to evade detection, mask their presence as legitimate user activity, and potentially cause the most damage and havoc.

Underscoring the importance of assessing risk beyond the boundary, the Director of the FBI, Christopher Wray, announced during a recent hearing on Capitol Hill that the FBI had identified hundreds of routers on critical infrastructure networks that had been compromised by a Chinese state-sponsored hacking group, which was prepositioning itself to cause the most disruption possible at a later date.

“This is the cyberspace equivalent of placing bombs on American bridges, water treatment facilities, and power plants. There is no economic benefit for these actions. There is no intelligence gathering rationale. The sole purpose is to be ready to destroy American infrastructure.”

Congressman Mike Gallagher R-WI

So, to achieve comprehensive security and provide a holistic view of network risk posture, it’s imperative to adopt technologies that can provide continuous enterprise-wide monitoring from the perimeter to the interior.

Automating enterprise-wide risk posture analysis

This is why Titania developed a continuous solution that detects, in near real time, any change to device configurations, planned or unplanned. It then assesses those changes to give network owners accurate, risk-based visibility of security, compliance and segmentation posture, device by device. By quickly identifying configuration drift and discovering exploitable vulnerabilities (for example, entries in CISA’s Known Exploited Vulnerabilities (KEV) catalog), and by providing remediation guidance, Titania enables defensive resources to be risk-prioritized towards efficiently fixing issues and shutting down ATT&CK TTPs before the adversary discovers and exploits them.
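The mechanics behind that paragraph, as an added example that is not Titania’s product code or any DoD tooling: hash a device’s running configuration to notice that it changed at all, diff it against the approved baseline to find what changed, and score each change by the ATT&CK technique it most plausibly enables so the worst drift surfaces first. The two IOS-style configs, the rule set and the severity/technique mappings are constructed assumptions for illustration only.

```python
"""Configuration-drift detection with risk-prioritized findings (added example).

Assumptions: IOS-style text configs; the rule set and the ATT&CK mappings below
are illustrative, not a vendor's or DoD's catalogue.
"""
from __future__ import annotations

import difflib
import hashlib
import re
from dataclasses import dataclass

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# (direction, pattern, severity, ATT&CK id, note). "added" means the line
# appearing introduces risk; "removed" means the line disappearing does.
DRIFT_RULES = [
    ("removed", re.compile(r"^service password-encryption$"), "high",
     "T1552.001", "Credentials in Files: local passwords now stored in cleartext"),
    ("added", re.compile(r"^transport input (all|.*\btelnet\b)"), "high",
     "T1021", "Remote Services: cleartext Telnet management path enabled"),
    ("added", re.compile(r"^snmp-server community \S+ RW\b"), "high",
     "T1602.001", "Data from Configuration Repository: SNMP (MIB Dump), write community"),
    ("removed", re.compile(r"^logging host "), "medium",
     "T1562", "Impair Defenses: remote syslog destination removed"),
    ("added", re.compile(r"^ip http server$"), "medium",
     "T1133", "External Remote Services: unencrypted web management enabled"),
]


@dataclass(frozen=True)
class Finding:
    severity: str
    technique: str
    line: str
    note: str


def normalize(config: str) -> list[str]:
    """Drop indentation, '!' comment lines and blanks so cosmetic edits are not drift."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def config_hash(config: str) -> str:
    """Cheap change detector: compare with the last stored hash before doing a full diff."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def drift(baseline: str, current: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) config lines between baseline and current."""
    base, cur = normalize(baseline), normalize(current)
    added, removed = [], []
    sm = difflib.SequenceMatcher(a=base, b=cur, autojunk=False)
    for op, i1, i2, j1, j2 in sm.get_opcodes():
        if op in ("delete", "replace"):
            removed.extend(base[i1:i2])
        if op in ("insert", "replace"):
            added.extend(cur[j1:j2])
    return added, removed


def assess(baseline: str, current: str) -> list[Finding]:
    """Match every drifted line against the rules; worst severity first."""
    added, removed = drift(baseline, current)
    findings = []
    for direction, pattern, severity, technique, note in DRIFT_RULES:
        for line in (added if direction == "added" else removed):
            if pattern.search(line):
                findings.append(Finding(severity, technique, line, note))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])  # stable: rule order within a tier
    return findings


# Constructed sample configs (not real devices).
BASELINE = """\
! approved baseline
hostname edge-rtr-01
service password-encryption
logging host 10.0.0.5
snmp-server community s3cr3t-ro RO
line vty 0 4
 transport input ssh
!
"""

CURRENT = """\
! running config pulled later
hostname edge-rtr-01
logging buffered 4096
snmp-server community public RW
ip http server
line vty 0 4
 transport input ssh telnet
!
"""

if __name__ == "__main__":
    if config_hash(BASELINE) != config_hash(CURRENT):
        for f in assess(BASELINE, CURRENT):
            print(f"[{f.severity.upper():6}] {f.technique:10} {f.line!r}: {f.note}")
```

In practice the baseline hash is stored per device and the diff only runs when the hash changes; the rules are where a real deployment would plug in vendor hardening guides or STIG checks, and the sort key is what turns a flat change list into the risk-prioritized queue the paragraph describes.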

For more information on how Titania delivers continuous security and risk posture analysis across the network enterprise visit www.titania.com/products/nipper-enterprise.
