Why are businesses still getting hacked? How are cyber threats evolving? What can organisations do to strengthen their defences? These are some of the questions that Ed Amoroso, CEO of cyber security research, advisory and consulting firm TAG Cyber, put to a panel of cybersecurity practitioners convened online by HP Wolf Security earlier this month. Here are some edited highlights of the observations, recommendations and prognostications of Deneen DeFiore, Vice President & Chief Information Security Officer at United Airlines; Kurt John, Chief Cybersecurity Officer at Siemens USA; Joanna Burkey, Chief Information Security Officer at HP Inc.; and Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc. The roundtable can be viewed in full at https://tinyurl.com/3yhy86kk
Know thy enemy
Business people like us?
Kurt John: I think we sometimes forget that threat actors have built a thriving enterprise. They innovate and collaborate and divvy up the work and share the spoils. We sometimes use the term threat when what we are really talking about are people, business-minded folks who are in it for money. Some are in it for social causes and social justice, but for the most part it’s a money-driven enterprise by people who are innovating and trying to come up with new and creative ways to get what they want.
Playing the long game
Ian Pratt: One of the things that’s changed over the years is that these criminal organisations are run like businesses and have their own R&D. Crucially, they’re now playing a long game. They no longer compromise a system and cash in as quickly as possible, but use it as a foothold, as a beachhead to move around, get to something more valuable and turn it into a much more expensive breach.
Knowledge is power
Joanna Burkey: As Kurt points out, attackers can be very good business people: they leverage each other’s expertise; they offer their specialty as a service, as a skill to augment what someone else is good at. This really parallels what businesses are doing, which is finding greater efficiency via automation and discovering where common platforms or standardised tools can lead to business efficiencies, speed and agility. We see the same things happening in the attacker landscape. Is that concerning? We’d rather they stayed still while we evolve, but if we understand that we’re all evolving in similar ways, which in my experience comes down to increased automation and increased commoditisation, it can help us understand how to protect ourselves as well.
From one-to-one to one-to-many
Joanna Burkey: What I’ve found interesting in the last two years is what I call the one-to-many attack. Over the years we’ve got used to a paradigm where there’s an attacker and there’s a victim and it’s generally very one-to-one – attacker targets victim and either succeeds or doesn’t; victim might be compromised; chaos ensues. We now see that one-to-many attack. SolarWinds was the first large scale version of this, even though we know it had happened before and it has certainly happened since, with Kaseya for example. Attackers have realised ‘We don’t need to go one-to-one all the time. We can find a commonality between hundreds or even thousands of victims. Let’s compromise that commonality. And then with the same amount of work, we now have thousands of people on the other end of this threat vector’. That has had two very interesting outcomes. For practitioners like us, it’s changed the calculus on how we need to think about our enterprise and the vectors we need to pay attention to; and it has forced many businesses, especially those that make products and services, to think ‘how could what we do be used in this one-to-many way and how do we avoid that’.
The more things change, the more they stay the same
Ian Pratt: It’s worth remembering that at a tactics level, not very much has changed. The vast majority of breaches target the user, get the user to click on something that invites the attacker onto their machine – emails, malicious links. At a high level the user is still very much on the frontline for so many of these attacks.
M&A a risk in waiting
Kurt John: There are some interesting threats on the horizon. One, in M&A, is a variant of the supply chain attack. The market is saturated with start-ups that larger companies are snapping up, and there are hints that some of these smaller companies may be compromised by attackers who are hedging their bets and biding their time for an acquisition to give them a foothold into a larger organisation. Another is an evolution of the insider threat, where a threat actor calls an IT admin, say, and says ‘How about I shoot you an email, you just copy the file, deploy it and it’ll wipe your tracks, so no one knows you did it. We’re gonna ask for $6 million in bitcoin and you get 35% of that $6 million. What do you think?’ It’s a fascinating evolution of the insider threat. These are the kinds of threat we’re going to see more of.
Strengthening your defences
Build a team with all the talents
Joanna Burkey: We’ve said for years that cybersecurity is a team sport, and that’s very true. But in the last couple of years, there’s been a realisation we have to make the cybersecurity tent bigger in terms of the skills that we bring in and the people we bring in. Those of us in the field, especially those who got into it a long time ago, don’t really do ourselves a service in the way we talk about our field. It can be very obtuse, with a special lexicon; at times it almost feels as if you need a special handshake. I don’t think that has served us well, and there’s a realisation these days that we must make the cybersecurity tent bigger. There is talent out there if we think about it differently. We can bring in non-traditionally educated people – we don’t necessarily need college degrees for every role. We can target folks in their mid to late careers who have a lot of skills in things like risk management and communication, for example. There is a rich set of skills out there that absolutely will make cyber more resilient.
Ian Pratt: Reducing complexity and reducing the attack surface are key because so many problems are caused by legacy. Many of the systems we use and are probably sitting in front of right now have their roots in the 1980s and were built at a time when security was not front and centre of what people were worrying about. There’s this enormous legacy of vulnerable technology out there and pretty much an infinite supply of vulnerabilities for attackers to go after and exploit. As an industry we have done a good job over the last few years of clearing up mess faster than we’ve made new mess, but this is a battle that’s going to be waged for at least the next couple of decades until everything is replaced with technology in which security is built in from the beginning as a key design goal.
Minimise the blast surface
Ian Pratt: There’s a set of engineering techniques and principles that have stood the test of time and been used to build very secure systems – things like the principle of least privilege, reducing access rights for any given entity, whether it’s a person or a computer or an application running on that computer, and then isolation to ensure you limit what can happen, for example by putting things in a container so that even if something goes wrong inside that container, it’s not going to spread. You build to cope with failure, because there will inevitably be failure; it’s how you cope with it, how you remain resilient that matters. We have to look at how the new systems we build take advantage of these principles and how we retrofit them to existing systems.
A change of approach
Moving from data protection to cyber resiliency
Deneen DeFiore: Historically, people thought about cybersecurity in terms of data protection – let’s protect the PCI data or let’s protect the PII data – and we had strategies to do that. Now, the thinking is more around cyber resiliency, because something that can cause operational disruption has a cascading effect across the ecosystem, especially in aviation, where an issue with an operational system can mean not being able to get planes off the ground. I think there’s been a shift in mindset from just thinking about cybersecurity from a data protection standpoint to having a cyber resiliency strategy, because it does take everybody in the operation to understand the impact of and reduce the blast surface of an attack. And it’s not only within your own organisation, because of how connected we are to partners and third parties. In United’s case, our assets are mobile and we operate at airports across the world, and each one is different. All that variation in the ecosystem really makes it imperative to understand impacts and to have a resilient cybersecurity approach.
Cyber resilience is good corporate governance
Joanna Burkey: It’s interesting that we aren’t sitting here talking about IT infrastructure, but about broader business. We’re talking about understanding how certain threats can affect each of our businesses specifically, and that, I think, is a cause for optimism, because we’re maturing and evolving the conversation. The way I interpret this is it all comes down to good corporate governance in a way that is specific to your enterprise. At HP, we are setting very aspirational goals for ESG, and when you think about risk topics, like financial risk, privacy risks, cyber risk, making the right decisions for your enterprise is all about governance. That’s an interesting lens to look at threats and resilience through. Resilience is going to mean one thing to Deneen at United and a different thing to me at HP. And that’s a plus – a feature not a bug. When we start to make those connections, we can really start to understand how all of this is key to running your enterprise the right way.
Focus on the vector, not every threat
Ian Pratt: The key thing is to take the conversation up a level. If you’re trying to focus on individual techniques and procedures that people are exploiting, you’re always going to be behind the curve. There are so many vulnerabilities out there ready to be found and exploited that if you’re operating at that level, it’s going to be a case of trying to detect what’s happening and then catching up. You really need to look at approaches that deal with classes of issue, so you can deal with a whole vector of attack that might have 100 separate issues.
Deneen DeFiore: Keep in mind the business outcome you’re trying to achieve, rather than talking about every threat and trying to defend your organisation against everything that could happen.
Kurt John: Build strong, resilient, dynamic, diverse teams – not just cognitively diverse, but diverse across the board. That’s the number one way to drive creativity.
Joanna Burkey: Really think about how cyber strategy in your business emphasises and promotes good corporate governance. I really believe that’s the right way to make an enterprise-specific strategy. Make the G in ESG really mean something.
Ian Pratt: So many of these attacks end up leveraging privileged users, the sysadmins, even the security people. Often, they’re a link in the chain of how an attacker turns a simple breach of, say, an endpoint into an expensive enterprise compromise. Do all you can to make lateral movement and escalation hard.