COVID-19 has dramatically altered the world of cybersecurity and worsened the threat posed to companies that are increasingly shifting assets online, beyond the safety of the firewall. In this new reality, where cyberattacks are constant and security barriers porous, keeping organisations safe now requires more than simple prevention.
The pandemic has proven a heady time for threat actors, as companies have had to quickly stand up remote working infrastructure to support their distributed workforces. This has left ample opportunity for new weaknesses to be discovered, while cybercriminals have additionally exploited the anxiety populations felt surrounding COVID-19, leaving them vulnerable to social engineering attacks. Although the pandemic may be abating in certain regions, security teams now also have to work out how remote working devices can be brought back into company networks without compromising security.
With organisations as vulnerable to cyberattack as they have ever been, responsibility and expectations have been placed on technical leaders to keep their companies safe. Cybersecurity can no longer be seen as a maintenance cost; it must be treated as an integral part of the company budget needed to maintain operations. CEOs and board members must now face the reality that a successful cyberattack may ruin their company’s entire upward trajectory.
In the wake of this cybersecurity crisis, CISOs have been thrust into a pivotal role, acting as generals on the frontline of the cyber-battlefield. This holds even at the nation-state level, as corporate espionage and other cyberattack strategies against Western industries are increasingly attributed to hostile foreign actors such as China, Russia, and Iran. Beyond geopolitics, well-organised criminal syndicates are conducting high-profile attacks against businesses for huge financial gain – using methods that are only growing in scale and sophistication as they search for weakness.
While work has become harder for security teams amidst remote working environments, bad actors are spoilt for choice between vulnerable or misconfigured remote access points and cloud assets, as well as shadow IT stood up outside the purview of security teams. To protect their organisations in this climate, it is up to CISOs to become proactive in threat detection and incident investigation. Beyond this, it is now also pivotal to contextualise attacks and provide information beyond just the time and date of an incident.
CISOs must be able to tell where the attack came from, who is responsible, and why the company was a target. Most importantly, they must know whether they are still under attack. It is on this information that companies’ security now depends.
The art of this process lies in investigation. Investigations must now reveal the cause and nature of a threat, related indicators to prevent future attacks, and, where possible, the actors and motives behind the intrusion. CISOs who are unable to discover and provide this context will be unable to keep their organisations safe amidst an increasingly dangerous threat landscape. It is vital that security teams invest now in the resources they require to find this information – be it new personnel or leading-edge technologies.
Business intelligence is key to investigation
Like physical burglaries, cyberattacks leave traces, and it is in these traces that attackers can be identified. In a digital setting, these are the footprints left on cyber-infrastructure – domains, IPs, certificates, and so on – which hold vital clues to the nature of an attack. These footprints provide a basis upon which the investigation can be built. However, these traces alone will not by themselves reveal who has targeted an organisation.
Beyond cyber-infrastructural clues, security teams must expand beyond their traditional beat if they are to attribute who has attacked their organisation. At present, security teams operate in siloed departments and only communicate with the wider company leadership when the organisation is under active threat.
This segmentation prevents security teams from building an encompassing view of an attack, which is always contextualised by the state of the company at large. Instead of the simple cause-and-effect reasoning that lies behind prevention, attribution calls for a wider understanding of an organisation’s circumstances. For example, security teams will need to find out why attackers chose this company to strike. What made this business such an attractive target in terms of value and vulnerability? Who identified those vulnerabilities first, and how did they see them before the company’s employees could patch the hole?
Hackers often target multiple organisations, so security teams will also need to look beyond their own company to understand where and how the attack might have originated.
Attribution instils confidence
As organisations are cast as unwilling pawns in the cyber-conflicts of nation states, and cybercriminal groups become more sophisticated, the demands placed upon CISOs and their teams will only heighten. High-profile breaches will continue to hit the headlines at a steady pace, and company leadership will look to the CISO to outline the organisation’s security footing in uncertain times.
While CISOs will have to establish themselves as reliable leaders in threat attribution, several variables will help determine their success. On the one hand, there is their team’s ability, the quality of staff they are afforded, and the technological solutions they employ. On the other, there is the willingness of company leadership to recognise the importance of cybersecurity, and how well security teams can be integrated into the wider business picture.
As companies continue to digitalise and move their assets online, and cyber-environments become increasingly dangerous, these lessons will be learnt – the question is how painfully.
Contributed by Fabian Libeau, VP EMEA, RiskIQ