2022 has been a particularly challenging year for security leaders and practitioners alike. Although cyber threats like ransomware and zero-day attacks have always been present, the ongoing conflict between Russia and Ukraine has shined a spotlight on the impact that nation state-sponsored attackers can have on our critical infrastructure.
No matter how small or large your organization is, nation state hackers pose a very real threat. What’s more, many of these groups understand that there is incredible value in targeting smaller, local organizations, especially those within critical infrastructure. As these highly targeted cyberattacks continue to happen, we, as an industry, must ask ourselves: “How prepared is my organization really?”
Recently, I had the unique experience of visiting the White House courtesy of eSentire’s CEO, Kerry Bailey. We were invited to discuss our commitment to fight this emerging wave of cybercrime with Amit Mital, the Special Assistant to the President & Senior Director of Cybersecurity. This opportunity was particularly special for me considering my own professional experience with the Canadian Federal government and the fact that Amit Mital was a Board Member for eSentire prior to his role at the White House.
The visit itself was nothing short of incredible, but more importantly, it allowed me to put some real thought to where the cybersecurity industry is heading, and what security leaders need to get right to protect their organizations.
Security leaders must be able to demonstrate financial consequences of a cyberattack
As an industry, we must collaborate closely with the federal government to adequately deal with the cyber threats and risks posed by state-sponsored cybercriminals. Ransomware groups are continuing to target organizations in North America, and that means that organizations are going to need to make sizeable investments in dedicated cybersecurity teams and arming them with the right tools and threat detection capabilities, not just IT teams doing cybersecurity on the side.
We are more than capable of conducting the necessary blue teaming necessary to protect organizations (assuming budget availability) and articulate the business risk to demonstrate the potential financial impact to the organization.
CISOs who can demonstrate the financial consequences of a cyberattack and business downtime to their executive teams are more than likely going to get the budget required to prevent business disruption and protect their customers’ sensitive data.
Digital Forensics and Incident Response plays a critical role in determining ‘true attribution’
Cyberattacks launched by state-sponsored actors pose a significant challenge for the government because these attacks can be viewed as acts of war. However, many business leaders, who are beholden to their shareholders, don’t share the same perspective. They will always prioritize business continuity over determining the who, what, why, and how of any cyberattacks. As a result, CISOs are caught in the middle because their priority is getting their network and systems online after eliminating the threat so that they can return to business operations as quickly as possible. The geostrategic consequences are not in the CISO’s purview.
The challenge here is determining ‘true attribution’ and the collection of Digital Forensics and Incident Response data to support attribution. In Threat Intelligence, we are often asked to provide an analysis of the threat actor(s) responsible for an attack. But this is challenging given the ability of one threat actor group to pose as another.
A great example is the 2018 Pyeongchang Olympics – initial assessments indicated that North Korean operators were responsible for the cyberattack that crippled the Olympics IT infrastructure. However, it was later determined that the likely culprit was ‘Sandworm Team’, a Russian Advanced Persistent Threat (APT).
There are three criterial we can use to gain true attribution for any cyberattack:
- Adversary Admission: Official disclosure by the responsible party
- Leak / Direct Access: An intrusion that results in the disclosure of documents that directly tie a nation state to an operation
- Intrusion Analysis: Threat Intelligence teams may use information collected during the Digital Forensics and Incident Response process to determine a responsible party based on previously observed cyberattacks.
The highest form of attribution is generally understood as Adversary Admission, and we typically want at least two of the above criteria before being almost certain in our attribution (e.g., Intrusion Analysis + Leak OR Leak + Adversary Admission).
The information collected during a Digital Forensics engagement is what supports Intrusion Analysis, but unfortunately, security leaders who are only concerned about business continuity typically remain unconcerned with these additional details.
Final thoughts
Unfortunately, nation-state adversaries have, and will continue to use our data against us, to manipulate our perceptions of reality, deny critical infrastructure, and steal our intellectual property so their organizations can prosper. Remember – the adversaries disrupting our society are no longer kids in their parents’ basement trying to figure out how to access servers and manipulate websites merely out of curiosity.
I think all organizations are going to be challenged over the next period as we continue to shore up our defenses from state sponsored threats. The most successful organizations will be those that have CISOs who are able to explain the financial risk associated with the potential damages of a cyberattack.
I do personally believe that the Canadian and U.S. federal governments are doing their part to create a more cyber resilient society. However, there should be more transparency and collaboration from the respective Federal governments with respect to attribution and the implications of these cyberattacks against our society.
To learn how eSentire can help put your business ahead of disruption and build a robust security operation, book a meeting with one of our cybersecurity specialists now.
