Cyber adversaries are constantly evolving their attack methods, which requires private and public sector leaders to continually evaluate the effectiveness of their security strategies. In addition, over the last year the threat environment has changed, specifically with the rise of more disruptive and destructive threat activity. Meanwhile, a heightened sense of concern remains across the globe as political tensions continue in some areas.
Jim Richberg, Fortinet’s Public Sector Field CISO, discusses the current threat environment and strategies to combat evolving cyber threats.
Jim: The biggest risk is not looking at the threat environment holistically. No one is an island, and partnership is necessary. Don't reinvent the wheel. Talking about the threat environment is a recurrent topic of conversation with an organization’s leaders, which makes me wonder whether our discussion is actually a symptom of a bigger problem that the organization has in terms of cyber threat intelligence. Either they don't get enough of the intelligence they need, or they don't know what to do with it. Visibility and context are key.
In terms of threats, ransomware is still top of mind for many, certainly in the public sector. It is something that can bring an organization to its knees in an abrupt and public fashion. While no organization wants to pay a ransom, if they do not, they run the risk of essentially having the organization paralyzed for a long period of time.
Given what's happened this year in the geopolitical context, I hear organizations in both the public sector as well as the private sector ask, “Am I in the potential crosshairs of nation-state conflict?” And even if they don’t see themselves as likely targets, they still worry, “Am I going to get caught in the crossfire—will I be the casualty of collateral damage?” The reality is that the heightened threat environment is not just a temporary reality and unfortunately, cybercriminals and nation-states are using many of the same types of tactics and malware.
When we talk about nation-states, we often use the term APT, or advanced persistent threats, and one of the salient characteristics of these threat actors is that often they bring a lot of sophistication to bear. We're now starting to see APC, or advanced persistent crime. Revenues have been relatively constant from ransomware. This means the criminals who normally would go off and join other groups when the malicious cyber exploits they were engaged in became less productive now tend to remain together. This persistence allows these groups to become more specialized and more sophisticated. Some of these criminal groups are starting to take on the degrees of sophistication and speed we used to only associate with nation-state activity.
Jim: The overarching trend is more destructive malware than we saw a year ago. Given what's happening in Ukraine, you could say this is potentially not surprising coming from the context of nation-state activity. After all, when NotPetya was launched into Ukraine but very predictably rapidly spread globally, it became one of the most costly and destructive pieces of malware seen to date. But criminal ransomware is part of the cause, too. Having your data encrypted and finding your organization’s activities paralyzed is certainly disruptive, and unfortunately you don’t always get your data back even if you pay the ransom.
Some ransomware deletes data—it acts as wiperware—either intentionally or due to bad design or coding error. Plus, when it comes to ransomware today, sometimes cybercriminals are not only just looking for ransom, they'll take some or all of an organization’s data and publish it to cause reputational damage, share it with competitors, or sell it on the dark web. This is a nastier cyber environment than we were facing on the threat side a year ago.
Jim: Let me caveat this by saying proactive does not mean offensive. I am not advocating that organizations hack back!
The first strategy is planning exercises. You don't want the first time you think about a problem to be when you're dealing with a real threat and the clock is ticking. When we think of cyber exercises, we often think of sophisticated simulations involving computers and complicated scenarios managed by experts, but the reality is that even a simple tabletop exercise or discussion can be invaluable. If you're in the private sector, holding a structured discussion of both the most likely threat you face and the worst-case one can help an organization’s leaders realize, “We're missing a key stakeholder from these discussions,” or “Who would we call if we needed external counsel or incident response capability?” Within government, running a structured discussion or simple exercise can lead to similar discoveries and realizations about the necessity and the value of cooperating with private as well as public sector partners.
The second activity is to network. For private sector companies, do things like join the local FBI InfraGard chapter; this is a nationwide network that focuses on providing practical advice and on helping organizations learn about local resources, including the local FBI Field Office. Within government, know who in CISA or the FBI to talk to, especially if you are in state and local government and you typically don’t deal directly with your Federal partners. You don't want the first time you have a conversation with someone to be when you tell them about a problem you have or ask them for help. Being able to put a face to a name, and getting to know your counterparts is a very important thing. Trust exists between people, and trust is built up through routine action. The number one need I hear from executives is the value of a trusted advisor, someone who can tell them about trends, issues, best practices, and even pitfalls they’ve discovered elsewhere—and hopefully, some ways to avoid them. How do you find these people? Well, it's not by Googling them. It's by getting out and collaborating. Interacting with groups like those I’ve mentioned will let you identify people who say things you find yourself listening to because they make sense.
And the final one, if you're an organization that's fairly sophisticated in its capability and reasonably well-resourced, would be to consider implementing deception technology. When we think of cyber deception, we think of honeypots and decoys. We look at their use as a ‘pass/fail’ exercise and a tool we put on our network that helps us find an adversary who is stealthy and got past all our defenses. Yes, honeypots do this, but using deception technology also affects an intruder's behavior. It is like having a “this home protected by” sign outside your house. It doesn't matter whether you actually have an alarm system or not; a lot of people are still going to be deterred. And someone who does decide to break in is going to behave and proceed differently and more slowly than if they just thought it was an unprotected home.
In cyberspace, intruders who think they may be facing deception technology start doubting what they are doing and even avoid the part of the network you forgot to fully protect. They assume that low-hanging fruit is a honeypot. There's a placebo effect that kicks in if an adversary knows an organization has deception tools, even when they’re not using them. I look at this as an interesting intersection of computer science, behavioral science, and medical science, because there is likely a herd immunity aspect to this too—you don’t have to use something 100% of the time to get the benefit, but there is likely some critical mass percentage at which the value really kicks in.
Those are the things that I would tell organizations to do that could be proactive in terms of helping them get ahead of a particular incident.
Jim: I’d lead with the perennial step of having timely off-line backups and of routinely patching software. The second step is to use multifactor authentication; this became table stakes for organizations during the pandemic-driven pivot to remote work, and it's equally relevant now that we're in hybrid or work-from-anywhere operating postures. The third thing I'd recommend is to look seriously at adopting zero trust architectures.
If you’re in the federal government, you don't even have the choice. Executive Order 14028 basically said you're going to do it and gave you a timeline to do it. Zero trust becomes a good way to both minimize the likelihood of being compromised and also minimize the consequences if you are compromised.
I'll give you an extra credit piece of advice as well. While we have seen ransomware grow, we've also seen it morph. It not only encrypts your data but also now steals your data. So, look at encryption of data at rest. There's often a requirement to do it in many government organizations, but relatively few have universally implemented it. But it's poetic justice when someone comes in to steal your data as part of ransomware, only to find that it's already encrypted and they can't do anything with it. There are a lot of commercial solutions that can help organizations implement that kind of capability.