Building Proactive Cyber Resilience for NIS2 and DORA

With cyber-attacks escalating, the news cycle is focused on discussing and dissecting the latest cybersecurity incident. But it’s clear we need to spend more time putting policies and processes in place to improve resilience.

Proactive is the New Resilient

All of us in enterprise security know that a cyber-attack is inevitable, which means it’s important to feel comfortable that we can respond appropriately once attacks materialize.

Up until now, that’s how we’ve all defined cyber resilience: having an idea of what’s coming and being prepared to deal with it. That approach is no longer adequate – to be truly resilient, we need to be proactive. This requires fast, actionable and up-to-date threat intelligence.

A Regulation-Driven Shift

New global cybersecurity regulations and frameworks have emerged focusing on resilience. The two major regulations in Europe are the Digital Operational Resilience Act (DORA) and the Network and Information Systems (NIS2) directive.

In the US, the Securities and Exchange Commission (SEC) has introduced new rules requiring publicly listed firms to disclose serious incidents within four days.

The DORA is focused on EU financial institutions and the information and communications technologies (ICT) they use as part of their day-to-day operations.

Enterprises now rely so heavily on ICT that, if it’s targeted, they run the risk of failing to deliver their critical goods and services. DORA makes it clear that financial institutions must focus on digital resilience in order to minimize that risk.

NIS2 is a legislative framework established by the EU to enhance the cybersecurity resilience of critical infrastructure and essential services. Initially adopted in 2016 to address the rising threats posed by cyber-attacks, the directive outlines key requirements for organizations in sectors vital to social functioning.

DORA, NIS2, and the SEC rules have a number of other elements in common. They all include reporting requirements and call for organizations’ leadership to be involved in cyber resilience efforts. They acknowledge that, in our interconnected landscape, the resilience of individual organizations is critical to the resilience of others.

Recognizing Supply Chain Risks

Additionally, all three regulations focus on the critical roles that supply chains and identity management play in creating successful resilience strategies.

When it comes to third parties, enterprises in every industry need to know when a particular supplier or partner has been affected by a cyber incident. In increasingly complex supply chains, the consequences of an attack on a single supplier can be enormous.

Understanding the risks of our third parties and their suppliers, our fourth parties, is critical to understanding our own overall resilience. For example, in early June 2024, major London hospitals had to cancel operations and send emergency patients elsewhere when a pathology partner, Synnovis, suffered a ransomware attack.

Additionally, the recent CrowdStrike outage highlighted the cascading impact of one mistake – demonstrating the lack of resilience our systems continue to suffer from. 

These regulations make it clear that we need to go beyond reporting – understanding who our supply chain partners are and which ones to monitor. We need to know whether suppliers and partners have access to our data and networks, and what data could be exposed in an attack.

With regard to identity management, the new frameworks treat identity as a further asset that your security program must cover. In the Snowflake event discovered in June 2024, the perpetrator gained access to a cloud-based storage solution via credentials harvested by infostealer malware, and the stolen data has already been linked to breaches targeting a multitude of organizations and millions of people.

Intelligence is Critical to Resilience

The new regulations call for putting specific tools, controls, people and processes in place and using them effectively.

Threat intelligence helps us do just that. It provides the right information at the right time so we can move through the cycle of identifying, preventing, detecting, responding and recovering faster than ever before.

To build cyber resilience, start with the basics, including realistic policies, cyber hygiene, logging, use of EDR tools, and effective vulnerability patching. But as we mature, we want to understand who may be targeting us and why to better identify gaps in our current programs and understand what investments we need to make.

When we know the modus operandi of the threat actors targeting our industry, we will know precisely what to mitigate and what to patch, instead of making generic decisions based on unactionable intelligence.

Incorporating Intelligence Everywhere

In order to make the most of threat intelligence, we have to embed it in every step of our workflows. One such framework, focused on leaked credentials, might look like this:

Identify 

1. Understand Your Threat Landscape:

  • Analyze data on potential threats targeting your industry and organization
  • Identify key threat actors and TTPs that are relevant to you

2. Prioritize Threats:

  • Categorize threats based on their relevance and potential impact
  • Focus on high-priority threats that pose the greatest risk to your environment

Prevent 

1. Implement Security Controls:

  • Deploy security solutions that provide visibility into potential identity threats, such as MFA, IAM tools, and EDR systems

2. Utilize Intelligence-Driven Policies:

  • Update security policies and access controls based on the latest threat intelligence. For impacted credentials, which assets can these users log into?

Detect

1. Continuous Monitoring:

  • Set up continuous monitoring to detect newly stolen credentials from infostealer malware

2. Alert and Notification:

  • Configure alerts for high-priority threats, such as a credential that can log into a high-risk technology (e.g. VPN)

3. Incident Investigation:

  • Leverage threat intelligence to investigate and understand the context of detected threats
  • Correlate detected activities with related indicators of compromise (IoCs) of the infostealer

Respond and Recover

1. Integrate into IAM tools:

  • Automatically reset passwords of impacted employees when the stolen password meets the current password complexity requirements, since it may still be in use

2. Integrate into SIEM or Automation Platforms:

  • Kick-off a playbook when there is an unusual login
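The Detect and Respond steps of the leaked-credential workflow above, as an added illustration that is not code from the original article: a constructed infostealer-credential feed is matched against the assets each account can reach, prioritized by the riskiest technology (VPN highest), and mapped to the response the workflow calls for. The feed schema, asset tiers, account list and complexity policy are all assumptions.

```python
import re
from typing import Optional

# Constructed sample data (not real credentials): records shaped like an
# infostealer-credential feed, plus which assets each account can reach.
LEAKED_RECORDS = [
    {"email": "alice@example.com", "password": "Spring-2024-Q3!", "source": "stealer-log-001"},
    {"email": "bob@example.com", "password": "password", "source": "stealer-log-002"},
    {"email": "carol@example.com", "password": "Tr0ub4dor&3x", "source": "stealer-log-003"},
    {"email": "nobody@example.com", "password": "x", "source": "stealer-log-004"},
]
ASSET_RISK = {"vpn": "high", "mail": "medium", "wiki": "low"}  # risk tier per technology
USER_ASSETS = {                                                  # what each account can log into
    "alice@example.com": ["vpn", "mail"],
    "bob@example.com": ["wiki"],
    "carol@example.com": ["mail", "wiki"],
}
TIER_ORDER = {"high": 3, "medium": 2, "low": 1}

def meets_complexity(pw: str) -> bool:
    """Constructed policy: >= 12 chars with upper, lower, digit and symbol. A leaked
    secret that passes the current policy may still be the live password."""
    checks = [len(pw) >= 12, re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
              re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return all(bool(c) for c in checks)

def triage(record: dict) -> Optional[dict]:
    """Classify one leaked credential; None when the account is not ours (nothing to reset)."""
    assets = USER_ASSETS.get(record["email"])
    if assets is None:
        return None
    priority = max((ASSET_RISK[a] for a in assets), key=TIER_ORDER.get)
    actions = []
    if meets_complexity(record["password"]):
        actions.append("force_reset")        # IAM integration: reset immediately
    else:
        actions.append("verify_not_in_use")  # likely stale; confirm without locking the user out
    if priority == "high":
        actions.append("alert_soc")          # credential can reach a VPN-class technology
    return {"email": record["email"], "priority": priority,
            "actions": actions, "source": record["source"]}

def run_triage(records: list) -> list:
    """Process a whole feed, dropping unknown accounts, highest priority first."""
    results = [r for r in (triage(rec) for rec in records) if r is not None]
    return sorted(results, key=lambda r: TIER_ORDER[r["priority"]], reverse=True)

if __name__ == "__main__":
    for row in run_triage(LEAKED_RECORDS):
        print(row)
```

The `source` field is carried through so an analyst can correlate the alert with the infostealer's other indicators during investigation.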

Building Resilience Today and in the Future

Regulations are essential for establishing norms and expectations, but cyber threats evolve faster than regulations.

Having the right threat intelligence to proactively adjust our security posture is essential not only to meeting new regulations and requirements, but also to thriving now and in the future.

Only when business leaders take ownership of cybersecurity risk and address it with the same level of investment they bring to other critical business risks can they become truly resilient – driving continuity, inspiring customer confidence and moving the business forward. 
