Cyber Attackers: If You Can’t Stop Them, Disrupt Them

For decades, companies have beefed up their cyber defenses to thwart intruders. But while this work will always continue, companies are increasingly faced with the reality that all it takes is a small mistake, or an unnoticed flaw, for hackers to get inside their systems. And then what?
So, in a shift in approach, many companies are now focusing on how to mitigate cyberattacks – assuming a breach is unavoidable.
Some companies create internal “red teams” to probe their own systems for weaknesses, but Padraic O’Reilly, chief product officer and co-founder of cybersecurity group CyberSaint, says companies should do more “proactive or mitigating remediation”.
“You’ll plan budget cycles, consider risk, and make risk-based decisions, instead of just putting out fires.”
This change comes as several highly sophisticated cyber-campaigns by nation-states – such as the SolarWinds hack, which even hit government agencies – have demonstrated that companies can be unknowingly vulnerable if there is only one weak link in their supply chain.
Meanwhile, ransomware attacks – in which cybercriminals encrypt an organization’s data and demand money to release it – have escalated. Companies from all sectors have been targeted. SonicWall data shows a 105% increase in ransomware attacks in 2021.
“The ransomware problem has become so pervasive,” warns Andrew Rubin, managing director of security group Illumio. “It proved to everyone that you are going to be hit almost no matter what, which is not a failure of your cyber strategy, it just means that you need to evolve your cyber strategy to both detect and stop the spread.”
An emerging approach to protecting operational technology – such as critical national infrastructure, manufacturing facilities, automotive plants and aerospace systems – is CCE, or “Consequence-driven Cyber-informed Engineering”.
According to Stuart McKenzie, senior vice president of Mandiant Services Europe, Middle East and Africa, the CCE methodology first requires companies to conduct a “crown jewel assessment” of their business from an operational standpoint – by establishing all the production elements that need to be operational 24/7.
“Consequence prioritization” is essential to ensure that power outages are avoided and water treatment can continue, for example.
McKenzie says it’s about asking the question, “How do we protect those critical assets, and then, once we get something around those, look at the next layer, then look at the next layer?”
The Idaho National Laboratory, which developed the framework, calls for a “system of systems analysis” – in other words, the identification of interdependencies between systems and their components.
After that, the next step is called “consequence-based targeting”: it’s basically mapping out the ways an attack might progress around a target’s computer systems and cause the most damage. This involves determining “where they need to be to carry out the attack and what information is needed to achieve these objectives”, explains the INL.
When this mapping of attack paths is done, it is up to the engineers to disrupt these digital attack paths, where they can.
Companies need to assess “threats and scenarios an organization faces, then interpret them across their systems, their processes, their business, to see where weaknesses would occur,” says Del Heppenstall, cybersecurity partner at KPMG.
This could include “more conceptual tabletop scenario-based exercises that go through the what-ifs: if this happens, then what?” Or it could involve more “hands-on” testing, he adds. “Some customers, ultimately, want to test the resilience of their live environments.”
Mitigation measures can take several forms. A key approach is “segmentation,” or dividing a network into smaller parts, according to Illumio’s Rubin.
He uses the metaphor of a submarine divided into several compartments: if a leak occurs, it will only affect a small compartment rather than flooding the whole submarine. “Segmentation is getting . . . a ton more attention than ever,” Rubin says.
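The two ideas above, consequence-based targeting (mapping the paths an intrusion could take to a crown jewel) and segmentation (severing the fewest links so those paths no longer exist), can be worked through on a small dependency graph. This is an added example, not code from the article, INL or any company quoted; the system names, the entry points and the graph itself are constructed for illustration.

```python
from collections import defaultdict, deque
# Constructed system-of-systems dependency graph (assumed example, not INL's or any
# vendor's data): an edge a -> b means an intruder on a can move on to b.
SYSTEMS = {
    "vendor-vpn": ["it-jump-host"],
    "phished-laptop": ["hr-workstation", "it-jump-host"],
    "hr-workstation": ["it-jump-host"],
    "it-jump-host": ["historian", "eng-workstation"],
    "historian": ["scada-server"],
    "eng-workstation": ["scada-server", "plant-plc"],
    "scada-server": ["plant-plc"],
    "plant-plc": [],
}
ENTRY_POINTS = ["vendor-vpn", "phished-laptop"]  # where a supplier or phishing compromise lands
CROWN_JEWELS = ["plant-plc"]                      # the process that must keep running 24/7

def attack_paths(graph, sources, targets, prefix=()):
    """Consequence-based targeting: every simple path from an entry point to a crown jewel."""
    found = []
    for s in sources:
        path = prefix + (s,)
        onward = [n for n in graph.get(s, []) if n not in path]
        found += [path] if s in targets else attack_paths(graph, onward, targets, path)
    return found

def segmentation_cut(graph, sources, targets):
    """Fewest links to sever so no entry point reaches a crown jewel (min edge cut via Edmonds-Karp)."""
    edges = [(u, v, 1) for u, vs in graph.items() for v in vs]  # severing a real link costs 1
    # virtual SRC/SNK links get capacity len(graph)+1 so they are never the cheapest thing to cut
    edges += [("SRC", s, len(graph) + 1) for s in sources] + [(t, "SNK", len(graph) + 1) for t in targets]
    res = defaultdict(lambda: defaultdict(int))  # residual capacity in both directions
    for u, v, c in edges:
        res[u][v] += c
        res[v][u] += 0  # make sure the reverse link exists for flow cancellation
    def reach():  # BFS parent map over links that still have spare capacity
        parent, queue = {"SRC": None}, deque(["SRC"])
        while queue:
            u = queue.popleft()
            for v, spare in res[u].items():
                if spare > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        return parent
    while "SNK" in (parent := reach()):
        v = "SNK"
        while parent[v] is not None:  # push one unit of flow along the augmenting path
            res[parent[v]][v] -= 1
            res[v][parent[v]] += 1
            v = parent[v]
    reachable = reach()  # source side of the minimum cut
    return sorted((u, v) for u in graph if u in reachable for v in graph[u] if v not in reachable)
```

On this graph the cut lands on the two links out of the IT jump host, the IT/OT boundary, rather than on every possible entry point, which is the kind of compartment wall the submarine metaphor describes.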
System detection and visibility are also vital. This can be aided by tools that perform “anomaly hunting”, says Heppenstall. Another element is to prepare comprehensive incident responses.
“It pays to be prepared, to practice the ability to react, to validate that your controls and everything are working as intended,” says Joe McMann, head of global cybersecurity portfolio at Capgemini. That way, “when you have a problem, you know exactly what to do, you don’t get confused,” he notes.
However, McMann acknowledges that, for enterprises, there remains the age-old problem of trying to validate the return on investment in security.
Mitigation of cyberattacks becomes an integral part of the enterprise risk management process: “It is a risk and cost based decision that every business and enterprise must make to weigh the pros and cons of implementing a program that would prevent the impact of a certain risk in their business,” he says.