Rethinking organizational cybersecurity strategy for corporations
“The fact that commercial companies have experienced such attacks casts doubt on the assumption that they don’t need to include nation state level attacks as one of the threats to be addressed,” writes Dr. Yaniv Harel, CSO at the Blavatnik Interdisciplinary Cyber Research Center
Many articles describe the practical steps companies should take to improve their cyber posture, from the relevant technologies and the main algorithms, through the underlying concepts, to the appropriate methodologies. Practical recommendations and long-term efforts are laid out in detail in various documents and programs. Behind every such program usually stands a strategy that expresses the organization's priorities and philosophy.
A cybersecurity strategy starts from a definition of the risks the organization intends to cope with and the extent to which it plans to handle each of them. From these definitions, together with its business and operational attributes, the organization derives a cybersecurity program: concept, technologies, appropriate personnel, methodologies, incident response plan, insurance coverage and more. No less important than deciding which risks to address is deciding which risks not to address. Over the years, most organizations have taken a calculated decision not to include nation state attacks in their defense program.
It is common to divide threat actors into three groups: individual attackers, cybercrime groups, and nation state attackers. A nation state actor is characterized by the ability to focus on a single target in a way that does not correlate with the financial benefit of the attack, to plan a complicated sequence of actions, and to use unique and destructive types of malware. Such actors typically operate a backend equipped with advanced command-and-control capabilities, and they support their operations with various intelligence sources.
Cybercrime groups continuously become more sophisticated and far more business oriented. In most cases their activities are planned, and their effort is invested in proportion to the potential financial gain. Such actors have been observed abandoning a target, even one in which they have invested significant effort, once they cross a predefined threshold beyond which the expected gain can no longer be justified; they may walk away from a ransomware negotiation as soon as they realize the victim will not pay.
Organizations around the world now allocate many millions to cybersecurity, with budgets reaching tens and even hundreds of millions of dollars in large enterprises. As part of the budget plan, an organization identifies its priorities and the solutions it will use to protect itself against the defined risks. A critical infrastructure company, for example, would put a different set of solutions in place than an educational institution.
Since the budget is finite, organizations must prioritize their investments, and many decide to exclude solutions aimed at nation state attacks. As a security leader you have to decide which attacks are likely to challenge the organization and which attackers are most likely to choose it as a target. CISOs and CSOs are known to say: “If a nation decides to attack us, this is a scenario we are not going to cope with, and we have approved this with our executive management.” Statements such as this rest on the assumption that solutions for nation-level threats are more complex and require a higher level of expertise.
There is also a common belief that national entities target governmental agencies rather than private companies: government bodies are their typical targets for intelligence collection, and, when the situation escalates, for attack. This was true for many years in the intelligence and military arena. Nations went after other nations’ data, not the information of commercial organizations.
In recent years, we have observed a change that should concern business entities. The wave of supply chain attacks that SolarWinds made prominent brought nation state methods into the business arena. Building a complex infrastructure that gains access to many companies through a legitimate platform and then selects specific ones as targets for follow-on attack is a distinctly state-level approach. It is therefore not surprising that a few months later the Kaseya attack achieved a similar effect, this time through a remote monitoring and management platform used by managed service providers rather than an enterprise IT monitoring platform, and by exploiting vulnerabilities in that platform rather than by trojanizing a vendor update. Notably, that operation was carried out by a ransomware group, not a government.
Several cases exposed in recent months describe dedicated efforts in which groups invested heavily in building infrastructure and adopted the components and methodologies of nation state actors. In Praying Mantis, for example, exposed by Sygnia’s team, the attackers combined zero-day exploitation with custom malware in a sophisticated way. Moreover, being aware of advanced monitoring and detection techniques, they kept command-and-control communication with their tools sporadic rather than regularly beaconing, which makes it more resilient against popular detection systems that look for periodic traffic. A more local example is the POLONIUM case exposed by the Microsoft Threat Intelligence Center. That group used OneDrive and AirVPN as part of its attack channels. In one case a service provider was compromised, and POLONIUM pivoted through it to gain access to a law firm and an aviation company. In other cases, POLONIUM was observed deploying a series of custom implants that use cloud services for command and control as well as for data exfiltration, traffic that blends in with legitimate use of the same services.
The fact that commercial companies have experienced such attacks casts doubt on the assumption that they don’t need to include nation state level attacks as one of the threats to be addressed. Whether we are dealing with a nation state entity that targeted a commercial company, or with a cybercrime organization that assembled a nation-class attack array, is not the important question. What matters is the conclusion that follows: the common assumption should be reconsidered, and different priorities and plans may emerge from the new perspective.
Management teams and boards of directors should rethink the approved strategy on which their organizational cybersecurity program is based. CISOs must revisit their resiliency programs, and insurance companies should re-evaluate the requirements they impose on large organizations.
This change should not land only on CISOs’ desks. The shift in this assumption is a wake-up call for governments around the world as well. They should act at the legislative, enforcement, and collaboration levels, so that in the long term these types of attacks are prevented rather than merely left for companies to defend against.
Dr. Yaniv Harel is the CSO at the Blavatnik Interdisciplinary Cyber Research Center