
Why continuous visibility of network exposure is the key to operational readiness in the DoD and beyond

The discovery of the Volt Typhoon infiltration of hundreds of devices on US critical national infrastructure (CNI) networks made it clear that a new approach to exposure management is necessary. The emergence of adversaries not motivated by financial gain or data exfiltration, but by positioning themselves to cause maximum societal and economic damage and disruption in the future, highlighted that every industry operates in a unique threat landscape.

While some sectors face a heightened threat from ransomware, military and CNI organizations must adjust their security posture to protect against a new breed of state-sponsored adversaries. The fact that the Volt Typhoon infiltration went undetected for five years shows that existing security programs, solutions, and practices were ineffective against this class of adversary, undermining CNI organizations’ operational readiness.

To assure operational readiness, Security Operations Center (SOC) and Network Operation Center (NOC) teams need to understand the attack vectors that are specific to their industry, their current exposure as a result of their vulnerability posture, and the critical areas of their network that must be prioritized for protection.

The US Department of Defense (DoD) is leading the way in this new, industry-specific approach with its Cyber Operational Readiness Assessment (CORA) program. While CORA is specific to the defense sector, there are many lessons that CNI organizations can draw from it, helping them build the resilience to avoid the significant operational, financial, and reputational impacts of network outages.

Shifting from periodic compliance to continuous operational readiness

CORA represents a major shift in mindset from the DoD’s former Command Cyber Readiness Inspection (CCRI) program, changing the focus from compliance at the point of inspection to demonstrating continuous operational readiness that underpins mission assurance.

The CORA program builds on the US Government’s Zero Trust architecture principles. It places a particular focus on macro segmentation to focus monitoring on high-priority cyber terrain, and least privilege access control to limit user and application access to data and resources. This aligns with a global move toward adopting Zero Trust principles that we have seen in the EU’s DORA legislation and NIS2 directive.

One of the most important developments introduced by CORA is a new emphasis on Key Indicators of Risk (KIORs), which highlight areas of vulnerability and enable DoDIN Area of Operations (DAO) commanders and directors to understand their exposure and proactively target their risk mitigation efforts. KIORs are based on the MITRE ATT&CK framework, so they continuously evolve to account for known adversarial tactics, techniques, and procedures (TTPs).

Although KIORs are a specific facet of the CORA program, a similar approach would prove equally beneficial in other CNI sectors. By moving beyond tick-box compliance and focusing on industry-specific attack vectors, organizations can adapt their security posture to mitigate risks from emerging TTPs and maintain operational readiness in an evolving threat landscape.

Operational readiness demands continuous visibility of risk exposure

The aim of CORA is to give DAO commanders and directors a greater understanding of their critical cyber terrain and security posture, helping enhance command and control and decision-making. However, without a continuous, consolidated view of network infrastructure, it is difficult to glean the actionable insights necessary to deploy operational and security resources effectively.

One of the challenges of tick-box compliance is that security posture often worsens between inspections, because teams lack the continuous visibility needed to maintain constant operational readiness. NOC and SOC teams need the visibility to accurately assess network infrastructure exposure, in a timely manner, so they can prioritize response and remediation actions.

Importantly, this visibility must extend throughout the network infrastructure rather than focusing purely on the boundary; it’s likely that a lack of monitoring in the network interior enabled the Volt Typhoon attack to remain undetected for so long.

By continuously monitoring configuration changes in network devices – the vast array of routers, switches, and firewalls that support massive networks in defense and CNI organizations – teams gain a clear understanding of their security and compliance posture and operational readiness.

Working with DoD teams to enhance CORA preparedness and operational readiness

For over a decade, Titania software has been trusted by Cyber Protection Teams to complement the Assured Compliance Assessment Solution (ACAS) with accurate analysis of the configurations of routers, switches and firewalls in critical parts of the network, in preparation for CCRIs. The findings determine precisely where configurations fail to comply with Security Technical Implementation Guides (STIGs) or are vulnerable according to the NIST National Vulnerability Database (NVD).

Our next-gen solution, Nipper Enterprise, has since been developed to scale assessment coverage and cadence to deliver the continuous, enterprise-wide STIG and CISA Known Exploited Vulnerabilities (KEV) catalog monitoring now mandated. It also delivers additional layers of network change and risk visibility – including mapping STIGs and KEVs to TTPs, and TTPs to the specific attack vectors used by Volt Typhoon and similar threat groups.

Additionally, Nipper Enterprise can report indicators that macro-segmentation or least privilege access controls have been compromised, on a segment-by-segment basis. This lets remediation teams weigh the exposure impact of fixing a CAT II or CAT III finding in a critical part of the network against fixing a CAT I finding in a less critical administrative segment (STIG severity categories, with CAT I the most severe). It also enables Threat Hunting and Response teams to investigate and address mission-critical compromises efficiently and effectively.
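The two ideas above, continuous monitoring of configuration changes on routers, switches and firewalls, and ranking findings by the criticality of the segment a device sits in rather than by STIG category alone, can be illustrated with a small script. The following is an added example written for this page; it is not Titania's or Nipper Enterprise's code. The device names, the Cisco IOS-style configuration snapshots, the checks, the severity points and the segment weights are all constructed for the illustration, and the checks are only loosely modelled on network-device STIG rules.

```python
"""Added example (not Titania/Nipper code): detect configuration drift between
two snapshots of a network device's running configuration, evaluate each
snapshot against STIG-style checks with CAT I/II/III severities, and rank the
resulting findings by the criticality of the segment the device sits in.
Device names, configs, checks, points and weights are all constructed."""
import difflib
import re
from dataclasses import dataclass

# Constructed Cisco IOS-style snapshots for a hypothetical core router.
BASELINE_CORE = """\
hostname core-rtr-01
no ip http server
snmp-server community s3cr3t-RO RO 10
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""
CURRENT_CORE = """\
hostname core-rtr-01
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
"""
# A hypothetical management switch in an administrative segment with one CAT I finding.
CURRENT_MGMT = """\
hostname mgmt-sw-07
line vty 0 4
 transport input telnet
 exec-timeout 10 0
"""


@dataclass(frozen=True)
class Check:
    name: str
    cat: int      # STIG-style severity category: 1 (CAT I, highest) .. 3 (CAT III)
    pattern: str  # regex applied to each config line; any match is a finding


# Constructed checks, loosely modelled on common network-device STIG rules.
CHECKS = (
    Check("telnet-enabled", 1, r"^\s*transport input .*\btelnet\b"),
    Check("snmp-default-community", 1, r"^\s*snmp-server community public\b"),
    Check("http-server-enabled", 2, r"^\s*ip http server$"),
    Check("snmp-community-no-acl", 2, r"^\s*snmp-server community \S+ R[OW]$"),
    Check("vty-exec-timeout-disabled", 3, r"^\s*exec-timeout 0 0$"),
)

SEVERITY_POINTS = {1: 3, 2: 2, 3: 1}
# Assumed segment weights: the knob that lets a CAT II in critical cyber terrain
# outrank a CAT I in an administrative segment.
SEGMENT_WEIGHT = {"mission-critical": 3.0, "enterprise": 1.0, "admin": 0.5}


def config_changes(baseline: str, current: str) -> list[str]:
    """Return only the added (+) and removed (-) lines between two snapshots."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def evaluate(config: str, checks=CHECKS) -> dict[str, int]:
    """Map each failing check name to its CAT severity for one config snapshot."""
    lines = config.splitlines()
    return {c.name: c.cat for c in checks if any(re.search(c.pattern, l) for l in lines)}


def new_findings(baseline: str, current: str) -> dict[str, int]:
    """Findings introduced by drift: failing in the current snapshot but not the baseline."""
    before, after = evaluate(baseline), evaluate(current)
    return {name: cat for name, cat in after.items() if name not in before}


def prioritize(device_findings: dict[str, tuple[str, dict[str, int]]]) -> list[tuple[str, str, int, float]]:
    """Rank (device, finding, cat, score); score = severity points x segment weight."""
    ranked = []
    for device, (segment, findings) in device_findings.items():
        for name, cat in findings.items():
            score = SEVERITY_POINTS[cat] * SEGMENT_WEIGHT[segment]
            ranked.append((device, name, cat, score))
    return sorted(ranked, key=lambda r: (-r[3], r[2], r[0], r[1]))


if __name__ == "__main__":
    for change in config_changes(BASELINE_CORE, CURRENT_CORE):
        print(change)
    queue = prioritize({
        "core-rtr-01": ("mission-critical", new_findings(BASELINE_CORE, CURRENT_CORE)),
        "mgmt-sw-07": ("admin", evaluate(CURRENT_MGMT)),
    })
    for device, name, cat, score in queue:
        print(f"{score:5.1f}  CAT {'I' * cat:<3}  {device:<12} {name}")
```

Run as-is, the script prints the eight lines that changed on the core router, then a remediation queue in which the router's CAT II and CAT III findings in the mission-critical segment sort above the management switch's CAT I telnet finding in the administrative segment. In practice the snapshots would come from a scheduled pull of running configs (or a syslog-triggered pull on a configuration change) and the weights from the organization's own cyber terrain map.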

As well as automating these critical operations, Nipper Enterprise gives DoD commanders assurance they remain mission-ready and resilient. And the solution continues to be developed specifically for DoD SOCs and NOCs to prepare for CORAs with confidence, whilst adhering to the DoD’s Comply to Connect and Zero Trust frameworks.

For example, the new version of the software, due for release later this year, will enable DoD teams to automatically visualize KIORs across their network infrastructure with a dedicated dashboard.

Developed by working with DoD stakeholders, the new dashboard will help them understand and automate reporting against constantly changing KIORs. As KIORs evolve over time, teams can either import a feed from the Joint Force Headquarters - Department of Defense Information Network (JFHQ-DODIN) or tag data points as KIORs. Nipper Enterprise then aggregates this data for visualization in a SIEM, enabling teams to quickly understand their KIOR and CORA compliance exposure at a network level, and then drill down to the underlying, device-specific reports.

Applying CORA principles in CNI industries

These advancements are part of Titania’s ongoing development work to help organizations in a range of critical sectors – from military, federal government, and financial services to energy and utilities – make their industry-specific threat intelligence relevant to their real-time vulnerability posture.

This work is closely aligned with Gartner’s recommendation that security operations must “go beyond vulnerability management and build a continuous threat exposure management program to more effectively scope and remediate exposures.”

With dashboards that visualize an organization’s vulnerability posture through the lens of industry-specific threats, SOC and NOC teams gain the visibility needed to enhance decision-making and risk-prioritize remediation activities. In this way, organizations can accelerate the shift from rigid compliance to a more proactive, agile approach that assures constant operational readiness.

To learn more about how Titania delivers continuous visibility of exposure risk across enterprise networks, take a Product Tour.
