I’ve spent over 25 years working in the fields of cybersecurity and cyberconflict across a multitude of domains including government, corporate, think tank, and academic.  This article is the first in a two part series and serves as a foundational distillation of observations that can be applied in any organization. In Part Two of the series, we will look at lessons learned and actions that can be executed by management teams to help manage cyber risk.

If you would like to have your executive team or board briefed on these issues, please feel free to contact us.

Setting the Stage

“The invention of the ship was also the invention of the shipwreck” – Paul Virilio

I love this quote because it serves as such a useful analogy to describe the development of the Internet and network and information-bases societies, economies, and national security structures.  We didn’t have cybercrime before we had cyberspace as is the same for a whole spectrum of global cyber threats and risk. While the Internet has brought us so many societal advances it has also introduced new risks, much in the same way that sailing the oceans brought great exploratory and trade benefits, but also brought new risks in the form of remote conflicts, the spreading of disease, and yes…the inevitability of shipwrecks.

However, we learned to manage the risks of ship travel by developing detailed maps and through the introduction of new technologies that have advanced over time to the extent that ships can auto-pilot themselves using the Global Positioning Network and we’ve developed imperfect strategies and protection measures for old-fashioned pirates.  The same can be said for our taming of cyberspace. Risks can be reasonably managed with plans, policies, procedures, awareness, and technology.

The New Normal

“We cannot solve our problems with the same thinking we used when we created them.” – Albert Einstein

For a solid decade of my cybersecurity career, I encountered executives who were resistant to technological change.  While less common today, you still encounter resistance to the world as it is and the world is largely digital. How much cash do you have in your wallet?  Gold coins in your closet? Today, the primary representation of wealth is digital. Your net worth is stored as fields in a database. Our communications, critical infrastructure, and other aspects of our business and personal lives are also increasing digital.  Digital is the new normal.

We often hear homages to Digital Transformation, Digital First, and other enterprise technology strategies.  A core tenant of Digital First also requires a Security First mindset and as we discuss below, security should be baked into every strategy you have.  Cyberspace is the new normal and cybersecurity needs to be a foundational element.

Failure of Imagination

“When you can’t imagine how things are going to change, that doesn’t mean that nothing will change. It means that things will change in ways that are unimaginable.” – Bruce Sterling

Future Shock author and futurist Alvin Toffler first noted that the terrorist attacks of September 11 were rooted in what he described as  “failure of imagination”. A failure to understand that our perceptions could be hijacked just like airlines. A failure to imagine that a terrorist group could never build a high-precision missile with the incendiary and explosive impact they could achieve by using commercial airliners in an attack.

In the cyber domain I think we also must confront the failure of imagination regarding future cyber threats. Can a critical infrastructure be targeted in a sustained attack?  What does an AI-enabled cyberadversary look like? Will attackers always have the advantage in cyberspace?

While we don’t want our security programs to be anchored in fear, uncertainty, and doubt (FUD), it is also irresponsible to build architectures and strategies today without an eye towards future threats.  That requires research and awareness to stay diligently informed of where technology is going and the art of the possible over the near and long-term.

Macro not Micro Effects

“I don’t care what anything was designed to do. I care about what it can do.” Gene Kranz

A few years ago I was in a private meeting with CISOs from major electric power providers.  It was a high-powered event with special guests like former DHS Secretary Michael Chertoff and NSA/CYBERCOM Commander General Alexander.  At one point, the risk of IOT devices like home thermostats was raised and was immediately dismissed by a power company executive.  

“That risk is a red herring.” he said and noted that “an attacker breaks into my house and hacks my Nest.  That doesn’t impact anyone but me. No one else cares.”

I quickly pointed out that he was thinking in terms of micro, not macro level threats.  For example, it is correct that if someone breaks into my Nest it likely an inconvenience for me and my family, but no one else.  Perhaps there is an edge case where an ederly customer suffers from heat exposure, but it is hard to envision a national security threat in the hacking of a single Nest thermostat.  But…

What happens if two million thermostats get hacked at the same time?  What if that attack coincides with the compromise of smart grid and industrial HVAC meters in large commercial office buildings?  What if on the hottest day in August when the grid is already stretched thin, the compromised devices all call for maximum AC at the same time?  That type of attack compounds what we anticipate are micro-level attacks into a macro-level impact against the grid.

When thinking through security risks it is important to also think about the macro-level components and how several attacks might be coupled to create larger effects.

Threats Goals                

“Let’s be honest. Your network and intellectual property are not being attacked by a piece of software; they are being attacked by a living, breathing adversary.”  – Matt Devost & Tom Parker     

Many organizations develop robust threat matrices without giving consideration to actual threat actor intent.  Why is a threat actor targeting you and what goal or objective are they trying to achieve? Understanding the adversary decision making process will provide you with insight into how they will behave when targeting or compromising your networks.  If you’d like to learn more about how attackers view your networks, please check out this article on HACKthink.  Here is an overview of the most common threat actor goals we encounter.

IP Theft

Intellectual property (IP) comes in many forms.  It could include research and development findings used to drive new product development, blueprints and schematics to manufacture existing products, software source code, financial data, or merger and acquisition data.  It is important to understand what IP is valuable in your organization and how different threat actors might monetize or otherwise capitalize on compromising it.  

While widely targeted IP theft does ebb and flow based upon international economic and diplomatic initiatives, some industries remain persistent targets.  Those include the defense industrial base, advanced electronics manufacturers, pharmaceutical, and popular software platform infrastructures.

Cyber Crime

“Why do you rob banks?  Because it’s where the money is.”  Will Sutton.

Modern criminals are Sutton incarnates that look to steal money online because that is where the money is.  If your business involves monetary transactions in any form (e.g. you have a bank account and receive or make payments from it) you can be targeted by opportunistic cyber criminals.  While direct compromise of banking accounts is becoming less likely, it still negatively impacts many businesses each year.

In addition, modern attackers will utilize tactics like business email compromise and social engineering to engage in high-tech heists.  Over the past few years, we’ve actively seen criminals exploit business processes to steal millions of dollars from individuals and tens of millions of dollars from businesses.  While cybersecurity measures are an important mitigating factor, it is also important to ensure that proper procedures, authorities, and non-cyber verification policies are in place.

Cyber Espionage

In the same way that criminals have moved to cyberspace, so have the spies.  Why? Because it is where you are now.

With the prevalence of business and social networks, we are living an incredibly larger percentage of our lives online.  When subjected to big data analytics, these networks coupled with your purchasing habits and data taken in large scale hacks (e.g. OPM, credit bureaus, health insurance companies) present a very granular picture of your life.  This insight can be used to develop specific targeting campaigns designed to facilitate espionage objectives.

While we continue to conduct bug sweeps for some of our high-risk clients, it is important to point out that many of them carry eavesdropping devices around with them 24/7, namely in the microphone and cameras embedded in their laptop and mobile devices.  As we’ve proven through red teaming engagements over the years, many adversaries have the ability to compromise devices and listen in or watch your most sensitive conversations. In one engagement, we even remotely compromised the video conferencing system in the board room.  To that extent, the personal hygiene and security of those devices becomes extremely important and updates and patches should be applied as soon as they are released

Information Leakage

Some attackers and malicious insiders seek to extract non-public or sensitive information with the sole intent of disclosing it online.  In an era of Wikileaks and doxing, most organizations need to have a protection strategy for sensitive information, but also an incident response plan that can be executed in the event that information is leaked.  It is possible to think through many of the disclosure response options in advance so that executives have a trusted playbook to manage through the crisis. It is also important that executives and the board regularly test their response plans through table-tops and exercises.

Ransomware

One of the most lucrative current attack vectors for cybercriminals is through the utilization of ransomware. One week in June 2019, over $1m USD was paid to ransomware attackers by two cities in Florida. Imagine how many payments took place that were not disclosed.

Cyberdefense professionals have dealt with ransomware attacks over the past two decades, but the introduction of cryptocurrencies like Bitcoin has allowed ransomware to flourish as it creates a built-in payment ecosystem for successful attacks.  While early forms of ransomware did not differentiate between their victims, modern attacks take the time to evaluate the data they’ve encrypted to create custom ransomware demands that easily push into the six figure space. Some organizations are concerned that if they pay the ransomware the attackers will not decrypt their files, but that is rarely the case.  The ransomware market is only successful as long as the payments result in expected outcomes and the attackers often engage in self-policing to target criminals that don’t play by the rules.

At its core, ransomware is a resiliency and contingency planning problem for most organizations.  Having robust back-ups that are segmented from core data assets and established recovery procedures for impacted information is often the best mitigation strategy.  Barring that organizations will be faced with paying the ransom or engaging in elongated and expensive recovery projects that can often exceed the ransoms costs by a factor of 25x.

Cyber Conflict

Inevitably, cyber is also the domain of current and future conflict.  This is a complex issue and developing an organizational strategy for cyber conflict is often outside the constructs of traditional risk management, and rightly so.  Organizations with a nexus to traditional risk components like natural resources (e.g. oil) or regional exposure need to take additional measures to ensure cybersecurity due diligence.  That means that geo-political intelligence must be integrated into your cyber risk management strategy and your organization must maintain vigilance with regards to which international dynamics can increase your risk of being targeted in a cyberconflict-oriented attack.

As it relates to geo-political intelligence, there is no substitute for field research and regional collection.  As John Le Carre notes, “A desk is a dangerous place from which to watch the world.” and if your geo-political intelligence sourcing is relying on open source observations only, you’ll inevitably be caught by surprise.

Cyberterrorism

Currently, terrorist organizations have the intent, but not the capability to engage in sustained cyber attacks on critical infrastructure.  Eventually, capability will align with intent and we will have an act of true cyberterrorism. Until then, meaningful cyber attacks exist outside the realm of technical proficiency for traditional terrorist organizations. If you operate a critical infrastructure or are publicly connected with causes or issues that energize terrorist rhetoric, this needs to be a concern as current attacks might target business operations with denial of service or other low-level destructive attacks.  Otherwise, it is just a threat area you should be monitoring for future developments or manifestation of real cyber capability within these groups.

Strategic Penetration for Future Exploitation

I’ve written previously about Strategic Penetration for Future Exploitation, because it is important to remember that adversaries have different conceptions of time.  These conceptions of time can be cultural or strategic in nature, but most often they are focused on the long view while we are focused on the near-term. This short-term thinking creates an inherent risk.

Even in a fully cooperative international relations environment, some entities will be looking to gain advantage or plan for potential future conflicts.  During times of peace and prosperity, those with a long view develop contingency plans for regional, economic, or political disputes. I refer to this phenomena as time-shifted intent.

The ability to engage in cyber attacks provides a great advantage, so you must ask yourself “if an attacker were planning to target me in five years (e.g. take down my infrastructure), what would they need to do today?”  Most likely, they need to penetrate your systems and they will need to do so as clandestinely as possible. They need to establish persistence and resist the allure of engaging in non-related targeting of your enterprise.  They won’t read your email, exfiltrate a lot of data, or engage in financial fraud, thus avoiding common intrusion detection triggers. As a result, you need to think outside the box and engage in targeted threat hunting. Don’t think you can just kick the can down the road as the concept of time-shifted defense doesn’t align with a time-shifted attack.

Targeting Trust

While we have not seen cyberattackers engaging in sustained attacks against critical infrastructures as expected by a number of experts over the past two decades, we have seen one clear cyberadversarial pathway emerge; targeting trust. 

Diminishing the trust in our institutions and societal constructs has emerged as an attractive cyber tactic.  More aligned with traditional psychological operations than cyberwar, this targeting of trust looks to establish internal discord and reduce the resiliency of democratic societies.  As I’ve noted numerous times over the years, an attacker does not have to change election results to impact a western democracy, they just need to get the losing side to think that is a possibility and reduce trust in the institution of elections.  Other attractive trust targets would include the financial services sector, critical infrastructure, and human/government services.

My colleague Neal Pollard and I have written about this in several articles at War on the Rocks and Politico.

Conclusion

This overview was meant to provoke thought and provide observations that can be easily digested by cyber and non-cyber management teams.  In Part Two we will look at essential management strategies and actions that can be taken to reduce risk. As always, I welcome your feedback via email to [email protected] or to @mattdevost on Twitter.

Read Part Two – Management Lessons Learned and Essential Actions

Additional Reading:

https://oodaloop.com/ooda-original/2015/10/22/10-red-teaming-lessons-learned-over-20-years/

https://oodaloop.com/technology/2012/09/27/statecyber/

https://oodaloop.com/archive/2019/01/09/the-five-modes-of-hackthink/