In our “Anticipating a cyber crisis” series, find the best advice and feedback from HarfangLab experts, as well as from CISOs and other players in the cyber ecosystem. The aim is to capitalize on experience in the field to enrich everyone’s knowledge. In this article, read the testimonials of Jean-Sylvain Chavanne, CISO at Brest Regional University Hospital, and Théo Plantier, CEO of OverSOC, a 3D management and visualization solution for cyber data.
What is information system mapping?
It’s hard to find a definition of IS mapping that meets with complete consensus. Mapping, whatever its form, is defined above all by the objective it serves. According to ANSSI, it is used to “represent an organization’s IS and its connections with the outside world. It provides information on all the components of the IS, and makes it easier to understand by presenting it from different angles. Mapping is an essential tool for managing an information system.”
An “essential tool”, in principle. And when you consider that 50% of a cyber expert’s time is spent on data manipulation and reporting (according to Forrester), mapping becomes indispensable for turning that data into a risk management plan. It is often in a crisis that the importance of this tool becomes obvious, and unfortunately, by then it is already too late!
Jean-Sylvain Chavanne, CISO at Regional University Hospital in Brest, France, experienced this first-hand in March 2023 when his establishment was the victim of a computer intrusion.
“When I arrived at Brest Regional University Hospital, there was no IS mapping, nor any mapping of the detection tools that could be put in place. We were using security tools in a rather spartan way. With hindsight, once the stress of the crisis had passed, we took stock of what could have been improved.
For example, there’s something I wish I’d known before this incident: the communication systems like Cobalt Strike that had been used at our company operate on special ports. Had I known this beforehand, I could have put in place security measures that would have enabled me to detect the threat more quickly.
We could also have practiced logging. We wasted a lot of time during the crisis trying to find out where the logs of an RDS farm were stored. It sounds simple enough, but in the end we wasted a monstrous amount of time investigating, and then recovering.
Subsequently, with the help of the IT Department, and in particular the system and network administrators, we have been able to develop this detection capability within the IS, and ensure that it is as exhaustive as possible. Because there’s nothing worse than a blind spot, i.e. a blind spot through which attackers can gain access. So my advice is to take the time to map your IS.”
Why map your information systems?
Having an overview of your assets in the form of a map brings concrete benefits across four pillars: control, protection, defense and resilience.
Control:
- A shared vision of the IS
- Managing IS evolution
- Raising the maturity level of your organization
- Capitalizing on experience
Protection:
- Know your weak points
- Locate and secure sensitive data
- Determine which events are likely to have the greatest and most probable consequences, so that protection mechanisms can be put in place at the most exposed points
Defense:
- Identify and characterize the scope of compromise
- Quickly assess the impact on digital services and on the continuity of the entity’s business activities
- Shorten the decision-making circuit
- Enable technical teams (cyber and IT) to carry out investigations
- Simplify and localize interventions
Resilience:
- Identify key activities to define your BCP
Théo Plantier, CEO of OverSOC
“Information system mapping is very useful in times of crisis, but also when the situation is stable.
During a crisis, there’s often panic on board: the situation is stressful, responders are under pressure, and despite everything, many people have to coordinate under these difficult conditions.
In this context, there’s nothing more effective than a common medium for organizing and synchronizing actions. This visibility also enables us to identify valuable assets that need to be protected as a priority.
Ideally, detection tools should be linked to IS mapping. During an incident, one of our customers was able to identify vulnerabilities in its information system in almost real time, thanks to the cross-referencing of data from its IS mapping and from its EDR. It was extremely effective.
When the situation is stable, mapping enables decision-makers to agree on priorities. It is therefore very useful for making the right decisions, for example, when planning IS restructuring, adding a patch, or deploying new tools.
Above all, it enables you to control the attack surface exposed on the Internet. When we ask CIOs to describe their attack surface, we often end up with answers that differ from reality. And yet, any unidentified attack surface is a potential entry point for attackers.”
How to map your information systems?
Use the right tools
Today, a number of good tools are available to help you map your information systems, saving time and increasing efficiency. They give you a consolidated overview of your attack surface, and facilitate risk prevention and crisis management. Some even offer gamified interfaces, inspired by the world of video games. Who said mapping was boring?
To choose your tool, ask yourself the following questions:
- What are the issues, the stakeholders and the scope to be mapped?
- What is the desired level of maturity?
Start with the most critical resources
ANSSI recommends a minimum number of elements to have an overview of your information systems. But if you rely on a tool customized to your organization’s needs (which we recommend), the elements to be mapped are likely to evolve and be refined.
Here are the ANSSI recommendations, at a minimum:
- Map the organization’s critical services, applications, activities and essential data.
- Identify the assets to be protected and monitored as a priority in the event of a crisis, based on a business impact assessment.
- Regularly update and save offline this list of critical resources for the organization.
- Map the main technological assets and their dependencies.
- When outsourcing digital services, map interconnections and list emergency contacts for service providers.
- Regularly update these elements and save them offline.
A word of advice: have you asked your organization’s IT department whether an IS mapping exercise has already been carried out? Work may already have been started to optimize costs or to resolve shadow IT issues, and that information may overlap with your needs. Sometimes the information is available, but we don’t always think to check what has been done in the past, especially if it was carried out in a department other than our own.
Link business processes to IT perimeters in your map
Crisis management is closely tied to your organization’s business activities. In the event of a cyber-attack, the consequences will hit them directly, and you will have to respond to their many requests to keep operating in degraded mode (e.g. continuing the business activity without IT). The crisis will also have to be managed by players who are not necessarily used to working together, or who don’t always speak the same language: IT, communications, HR, legal teams…
That’s why it’s essential for IS mapping to show how IT perimeters relate to business processes.
Anticipating the crisis from this angle will enable you to:
- Qualify IT and business impacts
- Compose your crisis units according to these impacts
As Jean-Sylvain Chavanne explains, the incident at Brest’s Regional University Hospital had its origin in a business process:
“A hospital intern had connected to the hospital IS from his personal workstation. But we can’t prevent interns and other hospital professionals from working remotely: it’s absolutely essential for them to do so. So we need to understand the challenges faced by business teams, adapt to them, and reinforce security at points of vulnerability.”
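The cross-referencing of EDR alerts with an IS map that Théo Plantier describes, and the qualification of IT and business impacts discussed above, can be reduced to a small join between three tables: hosts with their tier and the services they carry, business processes with the services they depend on, and the alerts themselves. The following is an added example and not code from HarfangLab, OverSOC or ANSSI; the inventory, the business-process dependencies, the alert records and all field names are constructed for illustration.

```python
"""Qualify the business impact of EDR alerts using an IS map.

Added example, not part of the original article. All data below is
constructed: a hospital-like inventory, a few business processes and
three alerts. The alert format is an assumption, not a HarfangLab one.
"""

# Constructed IS map: host -> tier (Microsoft-style 0/1/2), zone, services it carries.
INVENTORY = {
    "dc01":    {"tier": 0, "zone": "datacenter", "services": ["ad"]},
    "pki01":   {"tier": 0, "zone": "datacenter", "services": ["pki"]},
    "rds-01":  {"tier": 1, "zone": "datacenter", "services": ["rds-farm"]},
    "rds-02":  {"tier": 1, "zone": "datacenter", "services": ["rds-farm"]},
    "ehr-db":  {"tier": 1, "zone": "datacenter", "services": ["ehr"]},
    "ws-0142": {"tier": 2, "zone": "ward-b",     "services": []},
}

# Constructed business-process map: criticality 1 = vital, 3 = can run
# in degraded mode for days. "owner" is who joins the crisis unit.
PROCESSES = {
    "patient-records": {"criticality": 1, "owner": "medical-director",
                        "needs": ["ad", "ehr", "rds-farm"]},
    "remote-access":   {"criticality": 2, "owner": "it-director",
                        "needs": ["ad", "rds-farm"]},
    "payroll":         {"criticality": 3, "owner": "hr-director",
                        "needs": ["ad", "hr-app"]},
}

# Constructed EDR alerts. "unknown-7" is deliberately absent from the map.
ALERTS = [
    {"host": "ws-0142",   "severity": "high",   "rule": "beacon-like-c2"},
    {"host": "rds-02",    "severity": "medium", "rule": "suspicious-lsass-access"},
    {"host": "unknown-7", "severity": "low",    "rule": "new-scheduled-task"},
]


def scope_of_compromise(alerts, inventory=INVENTORY):
    """Return (hit_hosts, hit_services, unmapped_hosts).

    A host that raises an alert but is not in the map is a blind spot:
    we cannot say which services or processes depend on it.
    """
    hit_hosts, hit_services, unmapped = set(), set(), []
    for alert in alerts:
        entry = inventory.get(alert["host"])
        if entry is None:
            unmapped.append(alert["host"])
            continue
        hit_hosts.add(alert["host"])
        hit_services.update(entry["services"])
    return sorted(hit_hosts), sorted(hit_services), unmapped


def highest_tier_hit(alerts, inventory=INVENTORY):
    """Lowest tier number among alerting hosts (0 = identity layer), or None."""
    tiers = [inventory[a["host"]]["tier"] for a in alerts if a["host"] in inventory]
    return min(tiers) if tiers else None


def impacted_processes(alerts, inventory=INVENTORY, processes=PROCESSES):
    """Business processes touched by the alerts, most critical first.

    Each item: (process name, {"criticality", "owner", "impacted_services"}).
    """
    _, hit_services, _ = scope_of_compromise(alerts, inventory)
    impacted = {}
    for name, proc in processes.items():
        broken = sorted(s for s in proc["needs"] if s in hit_services)
        if broken:
            impacted[name] = {"criticality": proc["criticality"],
                              "owner": proc["owner"],
                              "impacted_services": broken}
    return sorted(impacted.items(), key=lambda kv: kv[1]["criticality"])


def crisis_unit(alerts, inventory=INVENTORY, processes=PROCESSES):
    """Owners to convene, derived from the impacted processes."""
    return sorted({info["owner"] for _, info in impacted_processes(alerts, inventory, processes)})


if __name__ == "__main__":
    hosts, services, blind = scope_of_compromise(ALERTS)
    print("compromised hosts:", hosts, "services:", services, "unmapped:", blind)
    print("highest tier reached:", highest_tier_hit(ALERTS))
    for name, info in impacted_processes(ALERTS):
        print(f"{name}: criticality {info['criticality']}, services {info['impacted_services']}")
    print("crisis unit:", crisis_unit(ALERTS))
```

On the sample data the two RDS-farm alerts surface "patient-records" ahead of "remote-access", payroll is untouched, the compromise has so far reached Tier 1 but not Tier 0, and "unknown-7" is reported as a host the map cannot explain. That last output is the point Jean-Sylvain Chavanne makes about blind spots: an alert on an unmapped host cannot be turned into a business impact, so it should trigger an inventory update as well as an investigation.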
Protect your information systems with a three-tier architecture
Are you familiar with the three-tier (tiered administration) model? Mapping your information systems is a good time to assess their robustness.
The aim of a three-tier architecture is to organize your entire IT infrastructure into hermetically sealed layers, according to their level of criticality.
The objective? If one layer of your infrastructure is compromised, you can isolate it to keep the compromise from spreading to the other layers and to prevent privilege escalation. This three-tier model also lets you quickly measure the impact of a potential attack.
To separate the three layers effectively, you need distinct admin accounts for each of them, and GPOs and configuration that restrict access to the other layers according to the type of admin account used (in Active Directory, this is typically done with the “Deny log on locally” and “Deny log on through Remote Desktop Services” user rights, applied per tier). This may mean three different admin accounts for the same person, for example, if they need access to several layers of the infrastructure.
TIER 0: critical assets used to manage corporate identity and access control (Active Directory, internal PKI, etc.).
TIER 1: company servers and applications (internal applications and components that enable IT asset management).
TIER 2: all workstations and mobile endpoints.
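Once hosts carry a tier in the IS map, the tiering rule becomes something you can check against logon telemetry rather than only enforce through GPOs: a Tier 0 account appearing on a Tier 2 workstation exposes the most sensitive credentials, and a standard user appearing on a domain controller is an escalation path. The following is an added example, not code from the original article or from any vendor; host tiers come from a constructed map, account tiers from an assumed naming convention (t0-/t1-/t2- prefixes, anything else counted as a standard Tier 2 user), and the logon records are constructed, loosely modelled on the account/host/logon-type fields of Windows event 4624.

```python
"""Flag logons that cross tier boundaries.

Added example, not part of the original article. HOST_TIER stands in for
the IS map, the account naming convention is an assumption, and EVENTS are
constructed records (only the fields this check needs).
"""
import re

# Constructed slice of the IS map: host -> tier.
HOST_TIER = {"dc01": 0, "pki01": 0, "rds-01": 1, "ehr-db": 1, "ws-0142": 2}

# Assumed naming convention: t0-admin, t1-srvadmin, t2-helpdesk ...
ACCOUNT_PREFIX = re.compile(r"^t([0-2])-", re.IGNORECASE)

# Documented exceptions as (account, host, logon_type). Empty by default:
# anything a team consciously allows (a backup agent's network logon, say)
# is listed here rather than silently ignored.
EXCEPTIONS = set()

# Constructed logon records. Logon types follow Windows conventions:
# 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP).
EVENTS = [
    {"account": "t0-admin",    "host": "dc01",    "logon_type": 10},
    {"account": "t0-admin",    "host": "ws-0142", "logon_type": 10},
    {"account": "t1-srvadmin", "host": "rds-01",  "logon_type": 2},
    {"account": "jdoe",        "host": "dc01",    "logon_type": 10},
    {"account": "t1-srvadmin", "host": "lab-99",  "logon_type": 3},
]


def account_tier(account):
    """Tier implied by the account name; unprefixed accounts are Tier 2 users."""
    match = ACCOUNT_PREFIX.match(account)
    return int(match.group(1)) if match else 2


def classify(event, host_tier=HOST_TIER, exceptions=EXCEPTIONS):
    """Return None when the logon respects the tier model, else a finding.

    Finding kinds:
      credential-exposure  - a more privileged account on a less trusted host
      privilege-escalation - a less privileged account on a more trusted host
      unmapped-host        - the host is not in the IS map (a blind spot)
    """
    acct, host, ltype = event["account"], event["host"], event["logon_type"]
    if (acct, host, ltype) in exceptions:
        return None
    if host not in host_tier:
        return {"kind": "unmapped-host", **event}
    a_tier, h_tier = account_tier(acct), host_tier[host]
    if a_tier == h_tier:
        return None
    kind = "credential-exposure" if a_tier < h_tier else "privilege-escalation"
    return {"kind": kind, "account_tier": a_tier, "host_tier": h_tier, **event}


def findings(events, **kwargs):
    """All findings for a batch of logon events, in input order."""
    return [f for f in (classify(e, **kwargs) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in findings(EVENTS):
        print(finding)
```

The check is deliberately symmetric: the model is broken both when Tier 0 credentials land on a workstation and when a workstation-level identity reaches a Tier 0 host. Treating every logon type the same is a simplification; in practice a team will record its agreed exceptions in `EXCEPTIONS` so that the report only contains crossings nobody has signed off on.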
To sum up, mapping your information systems comes down to four steps:
- Define the challenges, the scope to be mapped and the desired level of maturity
- Choose the right tool based on the above parameters
- Build your inventory and map views
- Share your map and update it regularly