The Colonial Pipeline ransomware attack set off gasoline panic-buying on the U.S. East Coast and reportedly cost the company about $4.4 million in ransom. The Sunburst supply-chain compromise, attributed to a nation-state adversary, penetrated major U.S. corporations and key government agencies, with repercussions still unknown. Looking at these and other incidents, friends and customers have asked me, “What’s the use? Why bother? If these powerful organizations can be held for ransom or lose key data, what chance does my organization have to defend itself?”
I understand the feeling of helplessness behind the question. It can sometimes seem that cybersecurity experts are preaching fire safety while the house burns down around us.
The lesson of Colonial Pipeline, Sunburst and other cyberattacks isn’t that companies should lose hope. It’s that every business, no matter how modest, is sitting on highly flammable assets and must invest in the best fire protection it can get.
By “invest,” I don’t mean “spend more money.” I mean work to understand the true nature of cyber attackers, cyber defense strategies, and the extent of business-critical data every organization has at risk.
The story of cybersecurity is overwhelmingly not one of superheroes battling supervillains. The headline-grabbing hacks and ransomware attacks are merely the visible top layer of a grueling, relentless contest between companies and government agencies trying to protect their networks and data, and criminal and state-sponsored intruders trying to penetrate them.
It’s rarely secret attack tooling against secret defenses. The vast majority of successful cyberattacks exploit known vulnerabilities that the victim could have defended against but didn’t. Often it comes down to an organization simply failing to patch software for which a fix is readily available.
The bad guys aren’t mysterious apparitions. Their faces are familiar; they appear on “WANTED” posters everywhere, and their techniques are well documented. The U.S. National Security Agency (NSA) has emphasized how rarely intrusions depend on zero-day exploits: most breaches are not the result of an undiscovered vulnerability. “Bad practice and human error” are generally what let an attack succeed.
Time, Motivation and Resources
The attackers have to be right only once; defenders have to be right every time. In many organizations the Chief Information Security Officer (CISO) doesn’t see the inside of the CEO’s office until the company is breached or held for ransom. Then the CISO is ushered straight into the hot seat.
Just as the justice system must find motive, means, and opportunity to charge someone with a crime, cyber attackers must marshal time, motivation, and resources to execute a successful attack.
With enough time, attackers can send enough spearphishing emails to find someone with high-level access to network assets who is willing to open one.
One instructive example was a North Korean hack-for-money operation that targeted a programmer in Chile who worked for the company that interconnects all the ATMs in the country. The North Koreans first stole the identity of a bank executive in Antigua and, using that identity, invited the programmer via LinkedIn to apply for a job.
The programmer had doubts, so the “banker”, an actor hired by the North Koreans, interviewed him by video in Spanish and, at the end of the interview, invited him to download a program that would supposedly generate a PDF résumé. The program instead installed malware that gave the attackers remote control of his computer, from which they could move laterally across the network.
Fortunately, a well-read security specialist at the Chilean ATM network spotted indicators of compromise matching those linked to North Korea’s FASTCash ATM cash-out campaign, which has hit banks in at least 30 countries, most of them in Africa and Asia. (North Korea uses cybercrime to fund its weapons programs.)
The Chilean ATM network shut down for a week and purged the North Korean malware.
Despite the investment of time and elaborate fakery, neither side used secret cyberweapons or secret defenses. It was motivation, time, and resources on one side against effective thinking, blocking, and tackling on the other.
There are lessons here for every organization, including those unlikely to be targeted by a nation-state. One is to make would-be attackers spend more time on penetration by strengthening defenses. Another is that, should an organization be penetrated anyway, improved detection and response can identify and isolate the compromised parts of the infrastructure in time to avert a ransom or data-loss incident.
It’s crucial not only to scan networks for vulnerabilities more often (some organizations, amazingly, do it just once a year) but to deploy tooling that ranks which vulnerabilities and which attack paths put an organization’s core data and systems at greatest risk. Even the largest companies lack the resources to remediate everything. Focus first on vulnerabilities being actively exploited in the wild, on the assets that matter most.
The fact that no organization is invulnerable is not an excuse to be unprepared. The goal is to make penetration harder by forcing attackers to spend more time and resources than they are willing to. And if an organization is penetrated, it must focus remediation on the issues with the greatest potential for harm.
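As an added illustration of the prioritization described above (example code written for this page, not from the original article or from any vendor’s product): a small Python ranker that weights each scan finding by asset criticality, internet exposure and, most heavily, whether the CVE is already being exploited in the wild. The tier weights, multipliers, hosts and findings are constructed for the example; the exploited-CVE set is a hard-coded stand-in for CISA’s Known Exploited Vulnerabilities (KEV) catalog, which in practice you would load from its published JSON feed.

```python
"""Rank vulnerability-scan findings so remediation starts where risk is highest.

Added example, not code from the original article. Weights, asset tiers
and every finding below are constructed; KNOWN_EXPLOITED stands in for
CISA's KEV catalog, which you would load from its JSON feed in production.
"""
from dataclasses import dataclass

# Constructed stand-in for the KEV catalog: which of the sample CVEs are
# treated as exploited in the wild. Membership here is sample data only.
KNOWN_EXPLOITED = {"CVE-2021-44228", "CVE-2019-0708"}

# Hypothetical asset-criticality tiers and their weights (an assumption).
TIER_WEIGHT = {"crown-jewel": 3.0, "internal": 1.5, "lab": 0.5}


@dataclass(frozen=True)
class Finding:
    host: str
    tier: str              # key into TIER_WEIGHT
    cve: str
    cvss: float            # base score as reported by the scanner
    internet_facing: bool
    patch_available: bool


def risk_score(f: Finding) -> float:
    """CVSS alone ranks by severity; this weights it by what the asset is
    worth, whether it is reachable from the internet and, above all,
    whether the bug is already being exploited."""
    score = f.cvss * TIER_WEIGHT[f.tier]
    if f.cve in KNOWN_EXPLOITED:
        score *= 2.0       # exploited in the wild: jumps the queue
    if f.internet_facing:
        score *= 1.5       # reachable without phishing anyone
    return round(score, 2)


def triage_bucket(f: Finding) -> str:
    """Coarse action label: the report should say what to do, not just
    how scary each CVE looks."""
    if f.cve in KNOWN_EXPLOITED:
        return "P1: patch now" if f.patch_available else "P1: isolate/mitigate"
    if f.tier == "crown-jewel" and f.cvss >= 7.0:
        return "P2: patch this cycle"
    return "P3: schedule"


def rank_findings(findings):
    """Highest risk first; ties broken deterministically by CVE, then host."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.cve, f.host))


# Constructed sample scan output: hosts, tiers and exposure are made up for
# the example. The CVE identifiers are real, but this scan is not.
SAMPLE_FINDINGS = [
    Finding("lab-box-07", "lab", "CVE-2021-44228", 10.0, False, True),
    Finding("hr-share-03", "crown-jewel", "CVE-2023-38545", 9.8, False, True),
    Finding("web-edge-02", "internal", "CVE-2021-44228", 10.0, True, True),
    Finding("db-prod-01", "crown-jewel", "CVE-2019-0708", 9.8, False, False),
]


def remediation_plan(findings=SAMPLE_FINDINGS):
    """Return (host, cve, score, bucket) rows in the order to work them."""
    return [(f.host, f.cve, risk_score(f), triage_bucket(f))
            for f in rank_findings(findings)]


if __name__ == "__main__":
    for host, cve, score, bucket in remediation_plan():
        print(f"{score:6.1f}  {host:12s} {cve:16s} {bucket}")
```

Running it puts db-prod-01 first: both of the top two findings are on the exploited list, but the database host wins on asset value even though it is not internet-facing, while the lab box carrying the same CVE as the edge server lands last. The exact weights matter far less than the shape of the rule: exploited-in-the-wild status and what the asset holds, not raw CVSS, decide the order of work.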