Technology Reseller v47

CYBER SECURITY

Ask the experts

Why are businesses still getting hacked? How are cyber threats evolving? What can organisations do to strengthen their defences? These are some of the questions that Ed Amoroso, CEO of cyber security research, advisory and consulting firm TAG Cyber, put to a panel of cybersecurity practitioners convened online by HP Wolf Security earlier this month. Here are some edited highlights of the observations, recommendations and prognostications of Deneen DeFiore, Vice President & Chief Information Security Officer at United Airlines; Kurt John, Chief Cybersecurity Officer at Siemens USA; Joanna Burkey, Chief Information Security Officer at HP Inc.; and Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc. The roundtable can be viewed in full at https://tinyurl.com/3yhy86kk

Know thy enemy

Business people like us?

Kurt John: I think we sometimes forget that threat actors have built a thriving enterprise. They innovate and collaborate and divvy up the work and share the spoils. We sometimes use the term threat when what we are really talking about are people, business-minded folks who are in it for money. Some are in it for social causes and social justice, but for the most part it’s a money-driven enterprise by people who are innovating and trying to come up with new and creative ways to get what they want.

Playing the long game

Ian Pratt: One of the things that’s changed over the years is that these criminal organisations are run like businesses and have their own R&D. Crucially, they’re now playing a long game. They no longer compromise a system and cash in as quickly as possible, but use it as a foothold, as a beachhead to move around, get to something more valuable and turn it into a much more expensive breach.

Knowledge is power

Joanna Burkey: As Kurt points out, attackers can be very good business people: they leverage each other’s expertise; they offer their specialty as a service, as a skill to augment what someone else is good at. This really parallels what businesses are doing, which is finding greater efficiency via automation and discovering where common platforms or standardised tools can lead to business efficiencies, speed and agility. We see the same things happening in the attacker landscape. Is that concerning? We’d rather they stayed still while we evolve, but if we understand that we’re all evolving in similar ways, which in my experience comes down to increased automation and increased commoditisation, it can help us understand how to protect ourselves as well.

Evolving threats

From one-to-one to one-to-many

Joanna Burkey: What I’ve found interesting in the last two years is what I call the one-to-many attack. Over the years we’ve got used to a paradigm where there’s an attacker and there’s a victim and it’s generally very one-to-one – attacker targets victim and either succeeds or doesn’t; victim might be compromised; chaos ensues. We now see that one-to-many attack.

SolarWinds was the first large-scale version of this, even though we know it had happened before and it has certainly happened since, with Kaseya for example. Attackers have realised ‘We don’t need to go one-to-one all the time. We can find a commonality between hundreds or even thousands of victims. Let’s compromise that commonality. And then with the same amount of work, we now have thousands of people on the other end of this threat vector’. That has had two very interesting outcomes. For practitioners like us, it’s changed the calculus on how we need to think about our enterprise and the vectors we need to pay attention to; and it has forced many businesses, especially those that make products and services, to think ‘how could what we do be used in this one-to-many way and how do we avoid that’.

Plus ça change, plus c’est la même chose

Ian Pratt: It’s worth remembering that at a tactics level, not very much has changed. The vast majority of breaches target the user, get the user to click on something that invites the attacker onto their machine – emails, malicious links. At a high level the user is still very much on the frontline for so many of these attacks.

M&A a risk in waiting

Kurt John: There are some interesting threats on the horizon. One, in M&A, is a variant of the supply chain attack. The market is saturated with start-ups that larger companies are snapping up, and there are hints that some of these smaller companies may be compromised by attackers who are hedging their bets and biding their time for an acquisition to give them a foothold into a larger organisation. Another is an evolution of the insider threat, where a threat actor calls an IT admin, say, and says ‘How about I shoot you an email, you just copy the file, deploy it and it’ll wipe your tracks, so no one knows you did it. We’re gonna ask for $6 million in bitcoin and you get 35% of that $6 million. What do you think?’ It’s a fascinating evolution of the insider threat.

These are the kinds of threat we’re going to see more of.

Strengthening your defences

Build a team with all the talents

Joanna Burkey: We’ve said for years that cybersecurity is a team sport, and that’s very true. But in the last couple of
