Think like an Attacker: A strategic risk-based approach to cyber security
Originally published in Computing Security Magazine, May 2019
On the last day of April 2019, financial data belonging to customers of Volkswagen, Airbus and Porsche was posted on a specially-created website. The data had been stolen from CITYCOMP, a German internet company that provided infrastructure to these firms. According to a company statement, CITYCOMP had suffered a targeted cyber-attack and had been blackmailed with threats to publish the stolen information should the company not respond to the attacker's demands. "Since CITYCOMP does not comply with blackmail the publication of customer data could not be prevented" (CITYCOMP, 2019).
So goes another story of data theft, corporate reputational damage, and future opportunities for cybercriminals, state sponsored actors and hacktivists alike to leverage the stolen data in attempted frauds or system breaches. Cyber-attacks are ubiquitous across industries and geographies. In the context of malware-as-a-service, open source offensive tools, and hackers-for-hire, even the strongest cyber defences are likely to – at some point – fall short.
Over one third of UK businesses have reported a cyber-attack in the past 12 months – and although this is a lower statistic than in previous years, companies suffering attacks are typically being affected more often and more severely (Department for Digital, Culture, Media and Sport, 2019). It pays to be prepared.
STRATEGIC SECURITY FOR DIGITAL RESILIENCE
Signature-based antivirus, firewalls, and network monitoring are essential defensive tools for cyber security – yet by themselves they are not a holistic approach to minimising the occurrence and impact of attacks. The strongest approaches to cyber security are strategic. The Shearwater Group is founded on the concept of digital resilience: the ability of an organisation to prosper and evolve in an all-pervasive digital environment that presents opportunity and risk in equal measure.
Digital resilience is not reducible to the resilience of an organisation's IT infrastructure or to its cyber security strategy. Yet a strategic approach to cyber security is an essential component, allowing organisations to prevent the most damaging attacks, mitigate impacts, and continuously learn from experience so that new digital technologies and systems can be leveraged for expansion and growth without introducing unforeseen and potentially catastrophic security vulnerabilities.
Strategic cyber security manages risk. By thinking like an attacker, organisations can assess their susceptibility to different forms of compromise, identify likely adversaries, and estimate the impacts of attacks so that resources can be concentrated most effectively.
KNOW YOUR WEAKNESSES
Assessing infrastructural and procedural security vulnerabilities is a continuous process. The Magecart cybercrime group, who redirected payment details from 380,000 British Airways customers to malicious websites, also stole credit card information from web payments processed by Ticketmaster and OXO. The Marriott Hotels data breach disclosed in November 2018 was traced back to a compromise of the guest reservation system in 2014. Opportunistic cybercriminals jump between targets as soon as new exploitation opportunities arise, while state sponsored actors operate on timeframes longer than the next deadline for regulatory compliance. Isolated, time-bounded security testing is at odds with this reality of constant threat.
Testing cycles may begin by identifying easy network access points through ports, authentication policies, and firewalls. Attackers may scan target networks with tools like Nmap (which is free) or Nessus (a proprietary tool that could disguise the scan as a security process), or search more opportunistically for exploitable devices on Shodan. Expert consultants or ethical hackers can undertake these same reconnaissance steps and reveal to organisations what avenues prospective attackers may try first. Network mapping can then highlight the location of strategic assets – payment servers, databases, email servers. Are there easy routes to these devices from employee computers or public websites?
Once obvious vulnerabilities have been patched, red teaming exercises can conduct full-scale, tailored attacks on the organisation – including dry-run social engineering exercises: phishing, vishing, pretexting and baiting. These exercises train employees and security teams in the identification, reporting, and response to cyber-attacks, and allow organisations to develop blame-free security cultures, promoted by the National Cyber Security Centre as the most effective means to learn from incidents and reduce their future severity and likelihood (National Cyber Security Centre, 2019).
KNOW YOUR ADVERSARIES
The newest attacks may not be the most threatening ones – for your organisation. The majority of cyber-attacks use social engineering to steal credentials or install malware on employee machines. This means that a tool detecting zero-days may provide a lower return on investment than an employee awareness seminar. It all depends on what currently active threat actors are out to get – and how they will try to get it.
Cyber Threat Intelligence (CTI) analysts can use information from attempted intrusions and incident responses to create tailored threat models of relevant adversaries and their tactics, techniques, and procedures. To be useful, these models must be specific to an organisation's size, industry, language of operation, and technology stack. Often misunderstood, Cyber Threat Intelligence is the foundation of a strategic approach to cyber security.
When threat feeds and signature-based defences flood security teams with thousands of alerts, CTI can produce a framework for filtering the most relevant and highest-priority indicators. When incident responders are pushing to contain an intrusion, CTI can identify related incidents, the attacker's likely target and modus operandi. When those who hold the purse strings are considering the next budget, expert analysts can present threat models that project attack scenarios across a sliding scale of likelihood and impact, giving strategic decision makers the information they need to authorise investments in technologies and processes based upon accepted levels of risk.
KNOW YOUR PRIORITIES
Earlier this month, Norsk Hydro, one of the world's largest producers of aluminium, suffered a targeted ransomware attack. This was a costly event – yet in its handling of the incident, Norsk Hydro demonstrated that the company's management had been well prepared and had invested in technologies and processes that protected the business's most valuable assets. Operational data was restored from backups, production continued via manual controls, and communication with the outside world was maintained through cloud email systems that employees could reach from phones and tablets. Combined with honest and prompt communication about the incident, these investments minimised the financial and reputational impact of the ransomware attack.
Business Impact Assessment and Risk Analysis are two strategic tools that can help organisations prepare for the worst and justify the investments necessary to restore functionality and retain customers. These tools can also identify the regulatory implications of cyber-attacks, be it the requirement under GDPR to report certain personal data breaches within 72 hours or the most recent update to the Anti Money Laundering Directive, which imposes sanctions and fines on organisations aiding or abetting financial crime. Consulting advisors on relevant regulations may lead to large shifts in an organisation's assessment of the impact of cyber-attacks and thus its risk appetite.
Cyber-attacks are a 'when' not an 'if' for many organisations. Whittling those 'ifs' down to their lowest possible rate is a matter of strategic cyber security; a highly tailored approach to pre-empting, defending against, and preparing for an attack. Strategic cyber security is risk-focussed, identifying vulnerabilities, threats and impacts. This then enhances an organisation's digital resilience, clearing the way for technology-powered innovation and growth.
As a digital resilience company, the Shearwater Group offers services and products for each step along this path. Pentest offers red teaming and social engineering services, delivered by an expert team of ethical hackers. GeoLang is the creator of ASCEMA Data Discovery, a tool for protecting intellectual property and business-critical communications. Xcina provides Cyber Threat Intelligence, network monitoring, and Business and Technology Risk Management services. These each have a part to play, laying the attacker's 'thought-process' bare and providing the tools organisations require to secure their future.
- CITYCOMP, 30 April 2019, 'Statement: On Cyber Attack at CITYCOMP Service GMBH', https://www.citycomp.de/English/enterprise/stellungnahme.html
- Department for Digital, Culture, Media and Sport, 2019, 'Cyber Security Breaches Survey 2019: Statistical Release', https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/791940/Cyber_Security_Breaches_Survey_2019_-_Main_Report.PDF
- National Cyber Security Centre, 12 February 2019, 'A Positive Security Culture', https://www.ncsc.gov.uk/collection/you-shape-security/a-positive-security-culture