Cyber Resilience - Definition & Explanation

Cyber Resilience expands on the traditional approach to security: While cybersecurity aims to prevent attacks, cyber resilience assumes that attacks will succeed ("Assume Breach"). The goal is then to minimize damage, detect incidents quickly, respond effectively, and maintain operations.

Cyber Resilience vs. Cybersecurity

Feature	Cybersecurity (Prevention)	Cyber Resilience (Absorption + Recovery)
Question	"How do we prevent attacks?"	"What do we do if an attack is successful?"
Focus	Firewall, AV, patch management, authentication	Backup, IR plan, communication, business continuity
Metric	"We have 0 incidents this year"	MTTD + MTTR
Mindset	Build a fortress	Assume breach – plan for an emergency

Both are necessary:

Prevention only: no plan for an emergency
Resilience only: why bother with prevention at all?
Combined: professional security strategy

Regulatory Framework

DORA (Digital Operational Resilience Act):

EU regulation for the financial sector (effective January 2025)
Explicitly requires cyber resilience, not just compliance
TLPT (Threat-Led Penetration Testing) for systemically important institutions
5 pillars: ICT Risk Management, Incident Reporting, TLPT, ICT Third-Party Risk, Information Sharing

NIS2 and Resilience:

Art. 21: "Business Continuity" as a mandatory measure
Backup strategies, crisis management, disaster recovery

The 5 Dimensions of Resilience (NIST SP 800-160)

1. Anticipate

Anticipate threats
Use threat intelligence
Red Team exercises
"What is likely to be the next target?"

2. Withstand

Attack underway – minimize impact
Redundancy: no single point of failure
Segmentation: stop propagation
Isolation: cut off compromised systems

3. Recover

Business continuity despite an incident
Backup and restore (tested!)
Disaster recovery plan
Internal and external communication

4. Adapt

Learn from incidents
Improve processes
Strengthen controls where gaps are found
Mandatory post-incident review

5. Prepare

Tabletop exercises (simulated incidents)
Regular backup tests
Keep IR plan up to date
Train employees for crises

Key Performance Indicators (KPIs) for Cyber Resilience

MTTD - Mean Time to Detect:

Time from incident to detection
Target: < 24 hours for critical systems
Industry average 2024: 207 days (IBM)!

MTTR - Mean Time to Respond/Recover:

Time from detection to recovery
Target: < 4 hours for critical systems, < 24 hours for important systems

Business Impact Targets by System Type:

System Type	RTO	RPO
ERP/Finance	4h	1h
Email	8h	4h
File Server	24h	4h
Website	8h	24h
Archives	72h	24h

Practical Resilience Measures

1. Immutable Backups

Ransomware cannot delete or encrypt these backups:

AWS S3 Object Lock (WORM: Write Once Read Many)
Azure Blob Storage Immutability Policy
Veeam Hardened Repository (Linux, ext4)
Air-Gap: physically isolated, no network access

2. Redundancy for Critical Services

Active Directory: at least 2 domain controllers
Email: MX failover server configured?
Internet: 2 ISPs (load balancing or failover)
Data Center: 2 locations (georedundancy)

3. Communication Plan for Incidents

Out-of-band communication (not via the affected IT systems!)
Emergency mobile contact list: CEO, CTO, CISO, Legal, PR
Crisis communication template: what do we tell customers?
BSI notification: 24 hours for NIS2-affected entities!
Data protection authority: 72 hours for GDPR-relevant incidents

4. Tabletop Exercises (Crisis Simulation)

Realistic scenarios: "Ransomware today at 8:00 a.m."
No technology—practice processes and decision-making
Participants: IT, Management, Legal, PR, Executive Management
Frequency: at least once a year

5. Recovery Tests

Backups are worthless if restoration doesn’t work!
Quarterly: File restoration from backup
Semi-annually: Server restoration in a test environment
Annually: Full DR test (rebuild everything from backups)