This article is the fourth in a series of articles by NAV CANADA Vice-President and Chief Information Officer Claudio Silvestri about talking to your board about cybersecurity.
Identify and define your critical threat landscape and related trends
Knowing your adversary and your threat landscape is the critical insight that informs what your overall plan, investments, resource requirements, and capabilities should be. It raises the obvious question: Why are they targeting you?
While you might be a target of genuine value, it could simply be your turn, or pure luck of the draw, in which case good basic cyber hygiene is what matters. Whatever the case, understanding your adversary may lead you to do more, or different, things.
Do you have digital assets of interest such as financial information, personal information, or intellectual property that would be of value? Do you run critical infrastructure that, if compromised, would be damaging to the public and harmful to your organization’s reputation?
Depending on the answers to these sorts of questions, you can then make a few safe assumptions in terms of who might be at the other end of the keyboard and what their intentions are.
In general, cyber criminals are after things that can be monetized: credit card information, data that can be held to ransom or used for extortion, or intellectual property that can be sold to the highest bidder. If this resembles your profile, then your countermeasures and your priority of investment in protecting these assets should reflect it.
Of course, you might already be doing things to protect these assets because you are in a regulated industry where there is a legal requirement to provide a reasonable level of protection. Even so, you should still validate that your controls actually reflect the defences required to detect and thwart a cyber attack, rather than merely the minimum the regulation asks for.
For example, if you are in health care and possess a high degree of private medical information, could you do something more with how your network is segmented or how the data is encrypted and isolated to provide a higher measure of security than perhaps would be called for by any legislation or regulator?
If your primary business is the management of critical infrastructure, then the likely adversaries are hacktivists or nation-state operatives intent on disruption, reputational harm, or simply sending a message promoting their views. In this case, a denial of service (DoS) attack is one of the strategies you should expect, so assess whether your DoS countermeasures are sufficiently robust.
The other reality to consider is that your adversary may not always understand or know what opportunities you present. They may be purely opportunistic: probing to assess what value you have as a target, and shaping their attack around what they learn. On the surface you may look like a good ransomware target, but in the end they may discover that they can exploit you better, or more easily, through a data extortion attack, demanding money under threat of releasing stolen information to the public.
This speaks, in part, to dwell time where attackers have parked themselves inside your infrastructure exploring, learning, and waiting for the right time to launch their attack. According to Mandiant, in 2017, the median dwell time in the Americas was 75 days. Globally, the median dwell time was 101 days. That’s a lot of time for your adversary to learn about how best to harm you, what your vulnerabilities are, or what other things you have for them to exploit.
At the same time, don’t overestimate your adversary. They don’t need to be sophisticated to do you harm. Well-known, simple vulnerabilities that require only simple, even boring, attack techniques can be just as damaging as a highly sophisticated attack. In some ways it is also more embarrassing to be tripped up by a simple attack that exploited something that should never have been exposed in the first place.
Also, remember that pride comes before a fall. Don’t be overly confident in the things you have done or plan to do. If large, highly sophisticated, well-funded organizations can be breached, so can almost everyone else. Broadcasting your confidence will only provoke those who wish to do you harm, and they will pursue you with particular persistence for no other reason than that you challenged them and they wish to oblige.
Remember that cyber crime is a large market and an economy unto itself. Some estimate it is larger than the global illicit drug trade. It operates much as any marketplace would. There are products, services, payment processing, and even “customer” support call centres that offer better service than some call centres you’ve had the pleasure of dealing with. It is also a community that likes to share insights about its customers, either as a community service or for a fee.
This is evidenced by the fact that once you’ve fallen victim to an attack, the likelihood of being subsequently retargeted is significant. That likelihood is 44 per cent in the Americas, according to Mandiant. The message is that you should think about your adversary as a connected network of entities who share information about you — your weaknesses, your strengths, your technical environments, or whether you pay ransoms or demands for money.
Another reality is that, for the most part, cyber criminals of all kinds operate with impunity. There are very few risks or repercussions for attackers, and there is very little you can do about that. Government, intelligence, and law enforcement agencies are disadvantaged in many respects, especially outside their own jurisdictions, despite having made good progress in recent years. Meanwhile, advances in attack tooling have made it increasingly difficult for agencies to determine who is behind an attack.
For instance, cloud-based attack services using dynamic IP addressing not only obscure the source of the attack, they add technology and geographic layers between the victim and the attacker, making it all the more difficult to track down who you’re facing.
Another thing you must absolutely consider is the insider threat. If you haven’t already, think of Edward Snowden (an extreme example, yes, but an instructive one).
I would suggest the insider threat is equally difficult to defend against, and in certain respects more difficult, because of the trust we place in employees, especially those with privileged access to systems and data. Whether it comes from a deliberate and malicious act, a keyboard error, or a lapse in judgement by a well-meaning employee, this is a real threat that most often gets overlooked.
Defending against the insider requires multiple layers of technology, awareness, behaviour analytics, and policy structures — all balanced against the need to trust employees and their right to expect reasonable privacy in the workplace.
If consideration of the insider threat is not part of your overall cybersecurity program, it will be an obvious gap and one you should expect to be asked about.
Next article in the series: “Cybersecurity essentials – Processes and technologies”