Tag Archive for: cyber resilience

On the Internet We’re All in a War Zone: Why it’s Time to Prepare for the Worst

Sadly, once again we find ourselves watching war as it unfolds. More than any previous conflict, this one is being fought in cyberspace as well as on land and in the air. Many commentators raised their eyebrows when NATO officially added cyber to Article 5 of its founding treaty back in 2016. That now seems like a prescient move. But while the fighting, both online and off, has been largely confined to Ukrainian targets thus far, that’s unlikely to last for long.

The truth is that, by accident or design, we’re all in a war zone online, because online conflict does not respect country boundaries or even physical distance. Western targets must prepare accordingly, by understanding their attack surface in granular detail, and probing for weaknesses that could be exploited by adversaries in the days, weeks and months to come. Resilience is the name of the game here, and that will only come about by plugging the highest risk gaps now across cloud and on-premises infrastructure.

Upping the Stakes

We’ve already heard of multiple offensive cyber-campaigns traced back to the Kremlin. They began even before the invasion, when scores of Ukrainian government websites were defaced and wiper malware known as WhisperGate was discovered targeting multiple organizations in the region. More destructive malware variants, HermeticWiper and IsaacWiper were launched in the early days of the campaign, reportedly rendering hundreds of machines unusable. 

By targeting the Master Boot Record (MBR) and strategically important folders of the Windows OS, the malware is eerily reminiscent of NotPetya, another wiper variant disguised as ransomware and aimed at Ukrainian targets in 2017. NotPetya is important because it tells us something very important about destructive cyber-attacks: they can very easily “spill over” and impact organizations that weren’t originally intended as targets. It also happened with Stuxnet—a weapon that was designed with high precision to target Iranian uranium enrichment facilities, but still spilled over and infected other machines.

In short, war is never as clean and precise as Hollywood movies make it seem. In the case of NotPetya, multinationals in Ukraine found their networks impacted, and the worm-like threat eventually travelled down corporate VPNs to spread globally, causing billions of dollars’ worth of damage. One victim, US pharma giant Merck, was only recently awarded a $1.4B payout from its insurer to cover costs incurred during the attack.

That said, Western firms may also need to contend with genuine Russian state-backed cyber-attacks if tensions ratchet up further and economic sanctions begin to hit the Putin regime hard. Just what they’re capable of should be clear following the SolarWinds attacks which compromised nine US government agencies. Russia also has an ace in the hole: an ‘army’ of organized cybercrime groups prepared to turn their nefarious talents to hitting critical infrastructure and other strategically important Western sectors. With big budgets to spend on attack tools and exploits, plenty of know-how, and a sophisticated cybercrime supply chain in place, they could do significant damage.

Building Resilience

If geopolitical tensions remain high for an extended period of time, the chances increase significantly of innocent organizations being drawn into the online conflict. The lesson for defenders is to fix defensive gaps now, before they’re exposed—intentionally or otherwise. Just as First World War gas attacks spread indiscriminately, harming anyone without a well-fitted and sealed gas mask on, cyber-weapons will go anywhere, through whatever gaps are left open.

Finding these vulnerabilities and misconfigurations first requires a detailed understanding of the entire corporate network, which for most organizations will extend from on-premises servers and data centers across multiple public cloud environments. That means knowing and mapping every single network device, application, service and data pathway. From this position of enhanced visibility, it’s then possible to enforce security policy to minimize exposure, and continuously check for and correct any policy compliance drift. The “continuous” qualifier is particularly important given the dynamic and ephemeral nature of cloud assets.

Ultimately, war, in whatever theater it’s fought, is about resilience. So if it wasn’t already before, take some inspiration from the brave men and women protecting their Ukrainian homeland, and make cyber-resilience a priority for your organization today. 

Best Practices for Cyber Resilience: Step One, Walk the Terrain

 

You’ve been asked to defend your organization from a myriad of threats: state sponsored attacks, cyber criminals, insiders. But where do you start?

Many years ago, as a young Marine lieutenant I learned that the first step to establishing a defense is to understand what you’re defending. You must know the terrain. Walk the terrain. Understand the key parts of the terrain and all avenues of approach. Then ask yourself how you would attack the same terrain. You must understand your own terrain better than the enemy.

In information security, we haven’t been given the luxury of understanding what we have — but we need to understand what we have to effectively defend it. Our networks were built to optimize for performance and availability, not for security. Understanding our cyber terrain has become a daunting task – but one fundamental to security.

Today, we rely on current inventory management technologies, but they provide just part of the picture. You get an overwhelming amount of detail and yet still struggle to understand how everything interconnects.

Ideally, you’d like to be able to understand what you have, how it’s all connected, and what’s at risk. Specifically, you’ll want to:

  • Visualize each of your sites and the connectivity between them.
  • Locate and identify devices missing from your inventory management and NCCM solutions.
  • Rationalize data from multiple data sources, including vulnerability scanners, CMDBs and EDRs.
  • Quickly determine where an attacker can traverse to in your network — from any point.

Most organizations begin by trying to get their endpoint or host inventory. This seems logical, since that’s where your applications and data are housed. But without an overall picture of how your network is configured, you have a collection of data points that don’t tell a full story.

The first step needs to be organizing your cyber terrain at the highest level. Identify your sites, then group your assets by site or facility. For example, assign devices to your Austin data center, Denver data center, branch offices, and AWS. Next determine the conductivity within and between these sites. This requires an inventory of networking devices and their configurations. You’ll end up with a model of your network devices, security groups and VPCs and quickly be able to get a picture all the connections and interconnections — intentional and unintentional — in your network. Inevitably, you’ll discover unknown network devices.

Then, with this framework in place, you can add your host information.