
Apr 24, 2025|6 min|Technology

Introducing the Cohesity Destructive Cyberattack Resilience Maturity Model

Apply this model, based on popular cybersecurity response and recovery frameworks, to measure and improve your resilience.

The Destructive Cyberattack Resilience Maturity Model is now available to help organizations develop their resilience to destructive cyberattacks such as ransomware and wiper attacks. This model sets clear benchmarks and a structured roadmap for organizations to achieve effective and efficient operations resilient to cyberattacks.

The Cohesity model is aligned with the most common cybersecurity response and recovery frameworks, such as the SANS Institute six-step incident response process, the RE&CT framework, MITRE D3FEND, and NIST SP 800-61 (Computer Security Incident Handling Guide), giving organizations a path to adopt industry-wide best practices.

The maturity model allows organizations to assess their operational capability across the five stages required to achieve cyber resilience:

  1. Preparing for an incident
  2. Identifying and investigating the attack
  3. Containing the spread of the attack
  4. Eradicating threats and reducing attack surface to prevent future attacks
  5. Recovering systems to a secure state

The levels of maturity in the model are depicted in the table below:

Non-resilient: The organization lacks the resilience to withstand a destructive cyberattack without significantly impacting the delivery of its products and services.

Recoverable: The organization has built disaster recovery and business continuity capabilities. But these may themselves be subject to attack by adversaries, and they lack the investigatory and remediation stages needed to prevent reinfection or reattack.

Strengthened: The organization has protected its ability to recover from attacks by adversaries.

Aware: The organization can hunt for the early stages of a destructive cyberattack in a way that can't be evaded and isn't impacted by the containment stage of incident response. A shared responsibility model between IT and Security Operations for dealing with incidents has also been developed.

Responsive: The organization can recover the tools needed to drive incident response and communications with stakeholders to a trusted state. It also has isolated environments that allow incident investigation, eradication of threats, and systems testing prior to recovery to production. The organization drives continuous improvement by conducting end-to-end attack drills of diverse attack situations, building muscle memory in incident responders to deal with any future situation, optimizing processes, and looking for opportunities for automation to increase effectiveness and efficiency. The organization can rapidly recover the infrastructure and resources needed to manage and respond to the incident should they be impacted by the attack.

Optimizing: The organization has metrics and telemetry to drive the continuous optimization of processes, people, and technology. Proactive discovery and classification of data ensures end-to-end governance and regulatory compliance. There is a capability not just to recover systems, but to rapidly rebuild infrastructure to a trusted state. Incident investigation, infrastructure rebuilding, and data recovery are optimized so these tasks can be done in parallel.

The Destructive Cyberattack Resilience Maturity Model provides a vendor-agnostic roadmap. This approach allows its users to align with best-practice response and recovery frameworks while achieving a state of cyber resilience and developing appropriate governance, people, and processes. The roadmap ensures that technology is supporting and optimizing operational outcomes, not driving them.

The five levels of the Destructive Cyberattack Resilience Maturity Model.

A closer look at the levels of maturity

Based on our years of experience, we’ve noticed common traits and behaviors at each level of maturity. Here are some of the ways to identify the maturity of your organization:

Recoverable

An organization at this level may have a mature level of disaster recovery and business continuity. It has conducted appropriate business impact assessments to identify critical services and the infrastructure that supports them, and has defined Recovery Point Objectives and Recovery Time Objectives (RPOs/RTOs). However, its data management platform lacks the protections needed to withstand attack by an adversary: the backups themselves can be altered or deleted. Organizations at this level also typically treat a destructive cyber incident as a traditional disaster recovery and business continuity scenario, without considering the complicating factors of a cyberattack (an adversary who is still present, persistence in the data being restored, and the need to preserve evidence). At this level, a close working relationship between IT and Security Operations for dealing with cyber incidents is lacking.

Strengthened

At this level, the organization has recognized that it will be attacked by an adversary and has put protections in place to mitigate the impact of this inevitability. It has implemented security principles such as least privilege access, immutability (to prevent the malicious changing or deletion of backups), separation of duties (to prevent a rogue or compromised administrator from making damaging changes), and vaulting (to put the ability to recover beyond the reach of the adversary, with the vault controlled by credentials the production environment does not hold). Vaulting also helps the organization adhere to secure backup conventions like the 3-2-1 principle: three copies of the data, on two different media types, with at least one copy offsite.
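The checks implied by the Strengthened level can be expressed as a short audit over a backup inventory: the 3-2-1 rule, the presence of an immutable copy, and a vaulted copy whose credentials are separate from the production platform's. The following is an added example, not Cohesity's code or any product's schema; the inventory records and their field names (media, offsite, immutable, credential_realm) are constructed assumptions chosen to illustrate the controls the text names.

```python
"""Audit a backup inventory against the Strengthened-level controls:
3-2-1 (three copies, two media types, one offsite), an immutable copy,
and a vault whose administrators do not share the production identity realm.

Added example. The BackupCopy fields and the sample inventories below are
constructed for illustration, not taken from any vendor's data model."""

from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str             # storage class, e.g. "disk", "object", "tape"
    offsite: bool          # physically/logically outside the primary site
    immutable: bool        # WORM / object lock / retention lock enforced
    credential_realm: str  # identity domain whose admins can alter this copy


def check_3_2_1(copies):
    """Return the three parts of the 3-2-1 rule as pass/fail findings.
    The primary data counts as one of the three copies."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def check_strengthened(copies, production_realm):
    """3-2-1 plus the two controls that put recovery beyond the adversary:
    at least one immutable copy, and a vaulted copy that is offsite,
    immutable, and not administrable from the production identity realm
    (so a compromised production admin cannot reach it)."""
    findings = check_3_2_1(copies)
    findings["immutable_copy"] = any(c.immutable for c in copies)
    findings["vaulted_copy"] = any(
        c.offsite and c.immutable and c.credential_realm != production_realm
        for c in copies
    )
    return findings


def gaps(findings):
    """Sorted names of the failed controls; empty means Strengthened."""
    return sorted(name for name, ok in findings.items() if not ok)


# Constructed inventories (assumed names and values, for illustration only).
# A Recoverable-level estate: a DR replica exists, but everything is mutable
# disk under the same production admin credentials.
RECOVERABLE_INVENTORY = [
    BackupCopy("primary-volume", "disk", False, False, "corp.example"),
    BackupCopy("nightly-backup", "disk", False, False, "corp.example"),
    BackupCopy("dr-replica", "disk", True, False, "corp.example"),
]

# A Strengthened-level estate: immutable local backup plus an offsite,
# immutable object-storage vault under a separate identity realm.
STRENGTHENED_INVENTORY = [
    BackupCopy("primary-volume", "disk", False, False, "corp.example"),
    BackupCopy("nightly-backup", "disk", False, True, "corp.example"),
    BackupCopy("cloud-vault", "object", True, True, "vault.example"),
]

if __name__ == "__main__":
    for label, inv in (("recoverable", RECOVERABLE_INVENTORY),
                       ("strengthened", STRENGTHENED_INVENTORY)):
        print(label, gaps(check_strengthened(inv, "corp.example")))
```

The vault test deliberately requires all three properties together (offsite, immutable, separate credential realm): an offsite replica that the production administrators can still delete is not a vault, and an immutable copy on the same site does not survive a physical or site-wide destructive event.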

Aware

Organizations at this level have adopted a well-defined shared responsibility model between IT and Security Operations. They have the ability to hunt for threats and conduct digital forensics even when adversaries evade endpoint security systems, for example by examining backup snapshots rather than relying on agents on the compromised hosts. Further, the organization can continue threat hunting during containment, when hosts and networks are isolated. Threat feeds are used, but are often stale and are not regularly updated to reflect the latest confirmed threats from ransomware-as-a-service platforms and newly exploited vulnerabilities. Organizations at this level also lack a defense-in-depth model for hunting for the early stages of an attack before systems are impacted.

Responsive

At this level, organizations take the incident investigation and threat remediation steps necessary before systems are recovered back into production, to prevent reattack or reinfection by the same actor. Isolated investigation and remediation environments are in place to meet the requirements of containment. This level of maturity also introduces continual improvement and practice, so the processes, people, and technology required to respond to and securely recover from an incident are ready ahead of time. (You don't want the first time your SOC analysts, incident responders, and senior executives experience a ransomware or wiper attack to be the one where your data is being held to ransom or all systems in the business have been wiped. Tabletop exercises are useful, but they don't test the end-to-end workflow, skills, and technology required in a real scenario.)

Organizations also conduct realistic attack scenarios that prepare all components required for cyber resilience. No two incidents are ever the same. By varying aspects of the drills, the organization is better able to optimize processes. The organization regularly looks for opportunities for automation, and to build muscle memory in staff.

Finally, organizations at this stage can rapidly reestablish trust in their networks and security tooling, and have other resources on hand within minutes to start their response activities. They have a reliable way to coordinate, communicate, and investigate the attack in a worst-case scenario. In other words, they're prepared for scenarios where security controls are evaded, door access systems are down, and there is no CMDB, ticketing system, email, or voice-over-IP with which to talk to law enforcement, cyber insurers, the press, regulators, or impacted data subjects.

Optimizing

This level represents the pinnacle of cyber resilience. The organization has proactively discovered and classified the data it uses, so that the data can not only be recovered but has had appropriate risk management applied throughout its lifecycle. Workflows are optimized to align with regulations and impacted data subject notification requirements, so fines are avoided and the organization can comply with DORA, NIS 2, HIPAA, the Prudential Regulation Authority, and the Securities and Exchange Commission as applicable. While the Responsive maturity level seeks opportunities for automation in individual workflows, Optimizing addresses overall governance, orchestration, and management of the entire end-to-end incident response and recovery process. This maturity level gives senior executives, boards, and third-party stakeholders confidence that the organization is at the forefront of cyber resilience.

Take the next step: Apply for a maturity assessment

The difficulty of preparing for and dealing with destructive cyberattacks is what makes a model like this one critical. These attacks represent the greatest threat to the delivery of products and services by organizations today. Cohesity cybersecurity experts and practitioners, with decades of experience in cyber incident response and recovery, designed this model so organizations like yours can understand your current capabilities, benchmark your maturity against peers in your industry or geographical area, and have a roadmap for future improvements you can make and measure over time.

Written by


James Blake

Global Cyber Resiliency Strategist
