By David Warshavski, VP of Enterprise Security at Sygnia
I recently joined world-renowned cyber security expert and Kaspersky CEO, Eugene Kaspersky, and PwC UK’s Cyber Security Chair, Richard Horne, for the Tortoise Cyber Summit. Fielding questions from a moderator, a live audience, and online participants, the panel resembled a meeting between war veterans to trade stories about their time in the trenches, defending organizations against every conceivable mode of cyber attack. Together, we dissected the motives, moves, and common characteristics of the “enemy”, touched on threat response and “hostage negotiations”, and discussed how we see the future of the battle terrain and how cyber security experts can best respond.
While the increasing prevalence and complexity of cybercrime suggests that predatory cyber threats will never be completely vanquished, the advances taking place in our field continue to pave effective paths for mitigation and better overall proactive defense. In this article, I share the insights I drew from my exchanges with Kaspersky and Horne and reflect on the summit’s central question of what it will take to stay ahead of cybercrime in the digital age - namely, intensive cross-border cooperation to advance technologies, know-how, and the development of best practices for counter measures.
White Hat by Day, Black Hat by Night - Why 2021 was a Hacker’s Paradise
Our group devoted much time covering the dramatic changes in cyber crime - in the nature of crime activity and the people who perpetrate these crimes - in the last decade. The strategies that threat actors employ to exploit vulnerabilities have become more diverse, and lamentably, more aggressive. 2021 had more exploits and malware (publicly available for anyone to download and use) than any previous year of record.
A number of factors contribute to the proliferation of cybercrime over the last ten years. Whereas threat actors formerly developed their own tools to breach networks and other local and remote barriers, the world of open-source code has put a bevy of cheap or free ready-made ransomware and hacking tools at the fingertips of black hat hackers. In fact, the consistent addition of code produced by the cyber security industry - written by white hackers for the defense of private and public databases - to the world’s open-source libraries provides crucial resources for threat actors to leverage. The regular publication of these tools for counteracting ransomware and complementary documentation has dramatically simplified the search for vulnerabilities by highlighting existing ones. It has also significantly lowered the bar in terms of the technical skills one needs to breach networks. With code and deployment instructions readily available, nearly anyone with basic coding knowledge and malicious intent can create a threat. Hence, the upswing in the number of cyber criminals.
The broad availability of information has also led to changes in how threat actors carry out attacks. In previous decades, hackers worked in groups, pooling their specific areas of expertise to break into complex systems. Today, we see that many elements of data breach have been outsourced, enabling threat actors to work alone. An entire black market has sprung up around penetration testing, wherein a so-called “initial access brokers” scan unsuspecting organizations for network vulnerabilities and then sell the foothold to the highest bidder. We see that in certain regions, namely those with highly educated populations and low median incomes like Russia and China, the powerful economic incentive for outsourced hacking has enticed even programmers with day jobs in cyber security to moonlight as cyber criminals. This fragmentation has diversified monetization channels, breeding more demand for illicit activity, and empowering lone wolf threat actors.
Perhaps chief among all growth factors for cybercrime is the influence and availability of cryptocurrency. Whereas threat actors once had to rely on mules or other schemes to cash out on their ransoms, today’s cryptocurrencies are easily traded for goods or tender, and notoriously hard to trace.
Cumulatively, these developments have significantly augmented the balance of risk versus reward for cybercrime. Increased feasibility, diverse options for monetization, and the confidential nature of most cryptocurrency has brought the prospect of reward to an all-time high. In short, there’s never been a more amazing time to be an attacker.
Manning the Battlefield: Best Practices for Mitigation and Response
Before summarizing best practices for incident response, it’s useful to frame the common issues that make organizations of all sizes vulnerable to attack in the first place.
In truth, even mature, security-focused organizations fall prey to threat actors. Often, the common pitfalls are the result of an organization’s success. When organizations expand their digital activities, they naturally incorporate more technologies - OT, IT, IoT, cloud, and more - into their offerings and operations. Unfortunately, without tight configuration, the addition of new systems leads to security gaps. Frequently, the more complex an organization becomes, and the more diverse its tools, the more vulnerable it becomes to threat actors.
Threat actors target growing companies because they know that implementing new technologies at the speed of business is bound to leave some holes in configuration. Companies tend to prioritize revenue-building activities over implementing safety measures, beyond standard regulatory requirements. The extra legwork required to perform a comprehensive cyber security coverage audit is often the determining factor in whether a breach attempt will be successful or not. At Sygnia, we take a proactive approach to security, applying threat-driven methods to uncover attack surfaces and create resilience. While it is ideal to implement proactive security measures before a breach occurs, such measures can still be deployed even when an incident is in progress.
There are five key workstreams that every successful incident response must include:
- Establish a war time cadence - We establish secure lines of communication within the organization, create response teams, and define their roles and responsibilities.
- Containment - We reach into every corner of the organization’s systems to detect and contain malware and ransomware deployments as they spread within the environment.
- Negotiations - We provide the organization with an accurate snapshot of the attack and its implications and provide recommendations to decision-makers. (As a veteran in the cyber security field, I should stress that negotiations with threat actors are best carried out through a third party rather than a representative of the organization under attack).
- Investigation - We understand if threat actors are still active in the environment and which vulnerabilities they leveraged to take over the estate.
- Securely recover systems - The investigation results are utilized to bring systems back online quickly, without reintroducing vulnerabilities or backdoored systems.
Borderless Crime Prevention for Crime without Borders
We’ve already established that 2021 was something of a threat actor’s paradise, and that isn't likely to change in 2022. To be sure, governmental regulations have not proven effective in answering the myriad of cyber security threats that organizations are facing. But that doesn’t mean that organizations should accept high-impact security breaches as an inevitability.
In many ways, the changing nature of digital business operations is levelling the playing field between threat actors and their targets. For example, businesses that are born on the cloud or have migrated to it have leveraged significant security benefits. SaaS based organizations gain from their hosts’ investment in cyber security, particularly in their efforts to achieve resilience to some of the more devastating attacks we see out there (e.g. Ransomware). Furthermore, when operational systems and data are housed on a cloud platform, compromised systems are generally easier to recover from the cloud than on-premise systems maintained by the organization, although that is not always the case.
While the open-source publication of cyber security tools and research provides cyber criminals with ready-made hacking tools that can easily cut through organizations defenses, the good guys are using this information to build more robust bulwarks against attacks. Information sharing and cooperation among white hat professionals across private and public sectors are essential for mapping developments in the threat terrain and creating the right tools to counteract them.
Beating Attackers at Their Own Game: Cyber Resilience in 2022 and Beyond
Beyond leveraging global understanding of attack trends, cyber security professionals are using a variety of novel mitigation techniques to reduce the “blast radius” of active attacks. Using what we know about the threat actor mindset and their favored paths for exploitation, today’s savvy cyber defenders employ hackers’ tactics against them, implementing diversions such as fake keys, or installing silent alarms that cordon off attackers in protected recesses of the network, away from sensitive information. Proactive defense methods are effective in reducing (and in some cases, entirely neutralizing) the spectre of data compromise. The low-input, high-impact techniques, drawn from understandings of what makes hackers tick, are invaluable in buying the necessary time to shore up defenses and help victims regain the upper hand, with minimal disturbance to their operations.
Achieving cyber resilience in the current hostile threat landscape comes down to an organization’s ability to flip the asymmetry between threat actors and defenders. Ultimately, you can beat these shaky odds by adopting the following strategies:
1. Leverage your control of the terrain - You don’t know where the attack will come from, but you know where the battle will happen - in your network. And the good news is, you can control it, bridging the gaps you have in understanding your
security posture and molding the terrain against the attackers.
2. Simulate how attackers will operate against your network - To establish a comprehensive view of your defenses and
identify vulnerabilities, simulate end-to-end targeted attacks within your network that mimic adversary TTPs that are
customized to your environment.
3. Preemptively hunt attacks within your network - Proactively identify and neutralize dormant and active threats at an early
4. Train and invest in incident response readiness - To enhance your ability to immediately respond to cyber incidents you must
strengthen your crisis management capabilities and have a mature response plan in place, including detailed processes that
cover remediation and recovery as well as all legal and public aspects.
Sygnia is a Team8 and Temasek company, part of the ISTARI Collective. Sygnia provides incident response and cyber security consulting services, helping organizations worldwide to quickly contain and remediate attacks and proactively enhance their cyber resilience. The proven track record, commitment, and discretion have earned Sygnia the trust of security teams, senior executives, and management boards at leading organizations worldwide including many of the Fortune 500 companies.
For more information on proactively building cyber resilience, please contact us.