No Cyber Silver Bullets: Security Strategies Must Widen in Scope

In the world of cybersecurity, legacy means obsolete, and a company with a static security strategy might as well be a wounded wildebeest on the savannah. The ever-expanding connected enterprise and internet of things generate new data, and the many participants in a supply chain each create a potential point of infiltration. While “everyone” knows to update security software and patch outdated commercial products, a cybercriminal is just as happy to climb the digital trash chute as to pick the lock on the digital front door. Some cybercriminals are opportunists who go after any entity; others are deliberate, long-range operatives who wait and collect. In the most nefarious cases, if you wait for evidence that they have penetrated your networks, it is already too late. DevSecOps culture is driving the best practices of cybersecurity, especially for critical infrastructure industries and government agencies; this approach entails constant vigilance and active defense. Let’s talk about the landscape of new cyber threats and how to stay ahead:

None are exempt

The ramifications of the SolarWinds hack are still unknown. Over 18,000 clients of the company’s network management software received a software update containing malicious code that allowed malware to be installed under certain conditions. More than one hundred companies and about a dozen government agencies were infiltrated: Microsoft, Intel, and Cisco; the Treasury, Justice and Energy departments; and some Pentagon entities. Every business or entity is vulnerable to cyberattacks, from local libraries to the Department of Homeland Security, and it doesn’t really matter how much you spend on cybersecurity products. Everyone who depended on SolarWinds’ Orion product had, and may still have, a potential problem. Entities that want to be protected have to invest in holistic defense that reaches far beyond home-base operations and into dynamic supply chains and the digital fabric that connects them.

First, you still need to cover the basics. According to Chuck Speaks, Senior Program Advisor at Intuitive Research and Technology Corporation (INTUITIVE®) in Huntsville, “There is no fool-proof way to implement cybersecurity, but most would become a much harder target by simply implementing basic cyber hygiene: simple things like multi-factor authentication, installing the latest software patches, personnel training on identifying phishing emails, and strict remote access protocols make attacks much harder for your typical cybercriminal.” The Colonial Pipeline hack that caused a short-term fuel shortage on the East Coast was actually caused by a compromised VPN password, likely preventable with basic cyber hygiene.

For those in the crosshairs of advanced cyber adversaries or nation-state hackers, however, overconfidence in legacy approaches can be devastating. Speaks explained, “These legacy approaches typically rely on looking for ‘known’ threat indicators. That approach does provide a good amount of protection, but the more advanced adversaries typically utilize tactics that are unknown or use ‘zero day’ vulnerabilities to compromise their targets.”

New context: Enemies and their opportunities

Industries with a lot to lose are targets for all varieties of cybercriminals. Ransomware, said Speaks, began as a problem in commercial fields and found its way to higher-value targets: critical infrastructure industries. According to CISA, the 16 sectors that make up critical infrastructure “are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.”

Examples include chemical factories, utilities, defense, healthcare and finance. These targets have more to lose than revenue, since they affect and/or protect the nation’s ability to function. The costliest cyberattack in history was carried out with malicious code known as NotPetya. Originally aimed at Ukrainian infrastructure, it shut down huge industrial operations globally, including Maersk, a company that represents one-fifth of the world’s shipping capacity. NotPetya did $10 billion in damage.

Ransomware incidents or destructive attacks often get a couple of days of news coverage because they may immediately affect citizens. On the other hand, Speaks sees industrial espionage as an equally troubling trend that gets less attention. When the bad actor wants intelligence, there is no reason for the dramatics of a ransom note, no quid pro quo. He summarized,

Nation-state and organized crime threat actors conduct these campaigns much more quietly, and they tend to stay resident in victim systems for much longer. The goal of these adversaries is to steal company proprietary or national security data to benefit their own commercial and government initiatives. Intellectual property theft is expected to result in losses measured in the trillions of dollars by 2025. These losses don’t just impact corporate bottom lines – the downstream impact of these thefts directly impacts employment levels at these organizations, creating an even greater economic impact. And clearly the theft of sensitive national defense or security data negatively impacts a country’s ability to defend itself or operate in the global community.

Further, he said to expect a growing number of supply-chain attacks. These types of attacks are common when an organization is building a complex system that requires software, hardware, or development help from multiple suppliers. SolarWinds is a perfect example. The hackers actually tested a line of code six months prior to the malicious lines as a proof of concept—it went undetected. It’s often much easier for a small subcontractor to be compromised and thus inject malicious code into a system delivered to the “upstream” customer. This type of attack is of particular concern to DoD due to the complex nature of its system development and operational lifecycle.

New approaches to detecting and responding to cyber threats must continue to match adversarial capabilities. The most advanced adversaries, such as nation-states, have their own cyber intelligence teams that can find vulnerabilities in popular software and then leverage those vulnerabilities to conduct their campaigns. We need a way to defend when there are no traditionally defined “indicators of compromise,” and we need a way to anticipate new tactics.

The big shift in perception

The context above has prompted the shift from reactive to proactive cyber defense, widening the scope and moving cyber defense farther left in development and farther upstream in the supply chain. “New approaches must use the latest advances in artificial intelligence, machine learning, and data analytics to shift towards user and system behavioral analysis,” said Speaks. “Behavioral analysis, for instance, relies on cyber defense platforms to monitor and establish a pattern of ‘normal’ or ‘nominal’ behavior of users and systems on a network—and then detect ‘abnormal’ or ‘off nominal’ activity for further analysis.” This approach does not rely on defined indicators of compromise but looks for any activity that is unusual in an environment. By adding behavioral analysis to traditional threat indicator pattern matching, cyber defenders will be able to respond to new and novel threats.
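To make the baseline-then-deviation idea concrete, here is an added example in Python that is not part of the original article and is not INTUITIVE’s DECIDE platform or any of its code. It assumes a hypothetical authentication log format of the form `TIMESTAMP user=NAME src=IP action=ACTION`; all log lines are constructed for illustration. It builds a per-user profile of “nominal” behavior (working hours, source addresses, actions, daily event volume) from a baseline window, then flags observed activity that falls outside that profile, with no signature or indicator of compromise involved.

```python
"""Behavioral baseline and off-nominal detection over constructed auth events.

Added example (not from the original article). Log format and all events are
hypothetical; the point is the technique: learn what is normal per user, then
report what deviates from it.
"""
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed baseline window: alice works mornings from one workstation,
# bob works afternoons from another. Daily volumes vary slightly.
BASELINE_LOG = """\
2024-03-04T08:12:01 user=alice src=10.1.5.20 action=login
2024-03-04T09:40:11 user=alice src=10.1.5.20 action=file_read
2024-03-05T08:30:45 user=alice src=10.1.5.20 action=login
2024-03-05T09:02:09 user=alice src=10.1.5.20 action=file_read
2024-03-05T10:15:33 user=alice src=10.1.5.20 action=file_read
2024-03-06T08:05:12 user=alice src=10.1.5.20 action=login
2024-03-06T09:55:48 user=alice src=10.1.5.20 action=file_read
2024-03-07T08:41:27 user=alice src=10.1.5.20 action=login
2024-03-07T09:12:02 user=alice src=10.1.5.20 action=file_read
2024-03-07T10:48:36 user=alice src=10.1.5.20 action=file_read
2024-03-08T08:20:19 user=alice src=10.1.5.20 action=login
2024-03-08T09:33:54 user=alice src=10.1.5.20 action=file_read
2024-03-04T13:10:00 user=bob src=10.1.7.42 action=login
2024-03-04T14:20:00 user=bob src=10.1.7.42 action=file_read
2024-03-05T13:12:00 user=bob src=10.1.7.42 action=login
2024-03-05T14:25:00 user=bob src=10.1.7.42 action=file_read
2024-03-06T13:05:00 user=bob src=10.1.7.42 action=login
2024-03-06T14:30:00 user=bob src=10.1.7.42 action=file_read
"""

# Constructed observation window: alice's account is used at 03:00 from an
# address never seen before with an unusual burst of reads; bob is normal;
# mallory has no baseline at all.
OBSERVED_LOG = """\
2024-03-11T03:17:44 user=alice src=203.0.113.7 action=login
2024-03-11T03:18:02 user=alice src=203.0.113.7 action=file_read
2024-03-11T03:18:30 user=alice src=203.0.113.7 action=file_read
2024-03-11T03:19:05 user=alice src=203.0.113.7 action=file_read
2024-03-11T03:19:41 user=alice src=203.0.113.7 action=file_read
2024-03-11T03:20:10 user=alice src=203.0.113.7 action=file_read
2024-03-11T13:08:00 user=bob src=10.1.7.42 action=login
2024-03-11T14:22:00 user=bob src=10.1.7.42 action=file_read
2024-03-11T02:00:00 user=mallory src=198.51.100.9 action=login
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) action=(\S+)$")


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    action: str


@dataclass
class Profile:
    """What 'nominal' looks like for one user during the baseline window."""
    hours: Counter = field(default_factory=Counter)       # hour-of-day -> count
    sources: set = field(default_factory=set)             # source addresses seen
    actions: Counter = field(default_factory=Counter)     # action -> count
    daily_counts: Counter = field(default_factory=Counter)  # date -> events


def parse(text):
    """Parse the hypothetical log format; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, action = m.groups()
            events.append(Event(datetime.fromisoformat(ts), user, src, action))
    return events


def build_baseline(events):
    """Aggregate baseline events into one Profile per user."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e.user]
        p.hours[e.ts.hour] += 1
        p.sources.add(e.src)
        p.actions[e.action] += 1
        p.daily_counts[e.ts.date()] += 1
    return profiles


def mean_std(values):
    n = len(values)
    mean = sum(values) / n
    return mean, math.sqrt(sum((v - mean) ** 2 for v in values) / n)


def detect(baseline_text, observed_text):
    """Return {user: sorted list of off-nominal findings} for the observed window."""
    profiles = build_baseline(parse(baseline_text))
    observed = parse(observed_text)
    findings = defaultdict(set)
    for e in observed:
        p = profiles.get(e.user)  # .get() does not create a default entry
        if p is None:
            findings[e.user].add("unknown user")
            continue
        if e.src not in p.sources:
            findings[e.user].add(f"new source {e.src}")
        if e.ts.hour not in p.hours:
            findings[e.user].add(f"off-hours activity at {e.ts.hour:02d}h")
        if e.action not in p.actions:
            findings[e.user].add(f"unseen action {e.action}")
    # Volume check: flag a day whose event count exceeds mean + 3 std of the
    # user's baseline daily counts (with at least one event of slack so a
    # perfectly regular baseline does not alert on a single extra event).
    per_user_day = Counter((e.user, e.ts.date()) for e in observed)
    for (user, day), count in per_user_day.items():
        p = profiles.get(user)
        if p is None:
            continue
        mean, std = mean_std(list(p.daily_counts.values()))
        if count > max(mean + 3 * std, mean + 1.0):
            findings[user].add(f"volume spike: {count} events in one day")
    return {u: sorted(findings[u]) for u in sorted({e.user for e in observed})}


if __name__ == "__main__":
    for user, reasons in detect(BASELINE_LOG, OBSERVED_LOG).items():
        print(user, "->", reasons or "nominal")
```

Run as-is, the script reports alice for a new source address, off-hours activity and a volume spike, bob as nominal, and mallory as having no baseline. None of those findings depend on a known-bad address or a signature; they fall out of the profile alone, which is what lets the approach surface novel activity. In practice the baseline should be rebuilt on a rolling window, and each finding is a lead for an analyst rather than a verdict.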

Cyber awareness throughout product lifecycles: DevSecOps

In the past, there were distinct phases in which large-scale products were developed, tested, released and then patched on a predictable schedule before being retired. That has changed. Now, products are continuously developed, often in a decentralized or piecemeal way. According to Speaks, DevSecOps is a cultural shift to increase security in the development and operations process. “Security implemented during development is far more cost effective than security implemented after a system is built,” he said. Many of INTUITIVE’s Federal Civilian and Defense customers are beginning to implement this commercially born technique for themselves.

Organizations generally need to identify critical or protected data and intellectual property early in the development process. Speaks always asks the following broad questions:

  • What would be the impact to the system’s confidentiality, integrity, and availability if protected data is compromised?
  • What are the potential attack vectors an adversary might use?
  • What are the mitigations to different attacks?
  • Can you establish expected or “nominal” baseline system behavior to support advanced behavioral analysis?

Since security cannot be “solved,” Speaks noted that reviews should be part of an iterative process that aligns with DevSecOps culture: “This involves lessons learned and implemented process/procedure fixes as part of a continuous process. Formal exercises such as business continuity, disaster recovery, incident response, etc. should be executed on a regular basis.”

New tools for ongoing monitoring

INTUITIVE, with more than 20 years of expertise in cyber issues in engineering, has developed the DECIDE™ Platform and its Managed Cybersecurity Service to give its customers a generational leap forward in cybersecurity. This hybrid-cloud platform allows them to collect and analyze petabytes of historical and streaming data to find a needle in a stack of needles. According to Speaks, “Our DECIDE™ Platform and Service leverages our customers’ current investments in cybersecurity while implementing next-generation predictive and behavioral analysis techniques crucial to fighting advanced cyber adversaries.” New tools, such as DECIDE™, will leverage human expertise and the ability of computing power to focus the field of analysis when dealing with incomprehensibly large amounts of data.

Addressing cost and fit

The expertise required for good cybersecurity costs money and requires difficult cultural transitions at workplaces where it has not been a priority. A shared services approach has been used by many large or decentralized entities. With shared services, many operating units can benefit from the talent of one centralized security operations center.

Another way to address the expense and expertise gap is to use managed security subscriptions from companies such as INTUITIVE. Specialized firms can help companies set and achieve operational and compliance standards. They also have proprietary products and an ever-growing knowledge of emerging threats and practices. Federal agencies have reduced costs of their SOCs dramatically with managed security services.

Whatever their solutions, large organizations and their suppliers need a new attitude toward security. The next attack may come from anywhere. Creative technical experts will have to interpret data patterns winnowed down by AI and behavioral analysis. One line of code caught early enough could save billions of dollars and preserve national security itself.

For more information on INTUITIVE’s dedicated approach to customer-focused strides in cyber security, please visit irtc-hq.com today.